Objectives
Deliver timely advice to Government.
Implement quality risk management advice and support to clients.
Provide tailored and appropriate insurance products and services.
Ensure that client needs are understood and addressed.
Establish and retain an internal capability.
Disclaimer
This Risk Insight communication provides general information, current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to actions being taken on any of the information. VMIA disclaims all responsibility and liability arising from anything done or omitted to be done by any party in reliance, whether wholly or partially, on any of the information. Any party that relies on the information does so at its own risk.

Acknowledgments
VMIA would like to acknowledge the contribution of Australian Risk Services Pty Ltd in the development of this document.

Version SPO RI-1 1107
Introduction
During the 2006 Risk Framework Quality Review it was identified that many organisations were unclear on the concept of what their risk profile was or how to accurately define one. This edition of Risk Insights seeks to clarify the role, function and development of a Risk Profile.
Risk management is a comprehensive process, supported by appropriate strategies and frameworks that are designed to identify, analyse, evaluate, treat, monitor and communicate those risks that could prevent a department or agency from achieving its objectives. It covers strategic as well as operational, financial and compliance risks. The Victorian public sector and the private sector use the term enterprise-wide risk management to describe this comprehensive approach.
This document is intended to provide an overview of the key elements of establishing a risk profile. It is not a how-to guide. For more information on how the Australian New Zealand Risk Management Standard AS/NZS 4360 can be applied to the risk management needs of a Victorian public sector agency, please contact your VMIA Risk Management Advisor.
The risk management process: Establish the context; Risk identification; Risk analysis; Risk evaluation; Risk treatment; Monitor and review; Communication.
The risk management strategy describes the principles that underpin an organisation's approach to risk. It should be supported by risk management policies and procedures that describe the processes establishing the identification, analysis, evaluation, treatment and reporting framework for risk. The purpose of the Strategy is to define how risk management will evolve.
Management of risk is an integral part of good business practice and quality management. Learning how to manage risk effectively enables managers to improve outcomes by identifying and analysing a wider range of issues and by providing a systematic way to make informed decisions. A structured risk management approach also enhances and encourages the identification of greater opportunities for continuous improvement through innovation. It will help you identify the risks you face and prioritise them according to the likelihood of their occurring and the resulting impact on the business.
It must be emphasised that effective risk management involves more than merely creating a risk profile; all the stages of the process described in the Australian New Zealand Risk Management Standard AS/NZS 4360 are equally important. This document will, however, allow you to begin your risk management journey.

For a risk management program to be effective it needs to demonstrate a number of key principles:

It is systematic, structured and evidence based where practicable.
It explicitly addresses uncertainty and the causes of uncertainty.
It is a core organisational process and an integral part of decision making.
It leads to the optimisation of control and maximisation of net benefit.
It is specific to the organisation, applied enterprise wide and tailored to its external and internal context.
It forms part of the organisational culture, is transparent and is understood by all interested parties through their inclusion and involvement in the process.
It is dynamic, iterative and responsive to change.
It involves continuous communication and highly visible, comprehensive and frequent reporting of risk.
Organisations take stock of their operating environment, identify key risks, and review the organisation's capacity to deal with these risks. The Australian Standard in Risk Management AS/NZS 4360 best represents this process. The Risk Identification, Risk Analysis, Risk Evaluation and Risk Treatment stages of that standard describe the processes that lead to describing the Risk Profile of an organisation.
Criteria may be affected by the perceptions of stakeholders and by legal or regulatory requirements. It is important that appropriate criteria be determined at the outset. Although the broad criteria for making decisions are initially developed as part of establishing the risk management context, they may be further developed and refined subsequently as particular risks are identified and risk analysis techniques are chosen. The risk criteria must correspond to the type of risks and the way in which risk levels are expressed.
Risk rating legend

E  Extreme risk: detailed action plan required
H  High risk: needs senior management attention
M  Medium risk: specify management responsibility
L  Low risk: manage by routine procedures

High or Extreme risks must be reported to Senior Management and require detailed treatment plans to reduce the risk to Low or Medium.

Consequence criteria

| Rating | Consequence | People | Scrutiny | Policy and service delivery | Financial |
|---|---|---|---|---|---|
| 1 | Insignificant |  | Internal review | Minor errors in systems or processes requiring corrective action, or minor delay without impact on overall schedule. | 1% of Budget or <$5K |
| 2 | Minor | Minor injury or First Aid Treatment Case. | Scrutiny required by internal committees or internal audit to prevent escalation. | Policy or procedural rule occasionally not met, or services do not fully meet needs. | 2.5% of Budget or <$50K |
| 3 | Moderate | Serious injury causing hospitalisation or multiple medical treatment cases. | Scrutiny required by external committees or ACT Auditor General's Office, or inquest, etc. | One or more key accountability requirements not met. Inconvenient but not client welfare threatening. | >5% of Budget or <$500K |
| 4 | Major | Life threatening injury or multiple serious injuries causing hospitalisation. | Intense public, political and media scrutiny, e.g. front page headlines, TV, etc. | Strategies not consistent with Government's agenda. Trends show service is degraded. | >10% of Budget or <$5M |
| 5 | Catastrophic | Death or multiple life threatening injuries. | Assembly inquiry or Commission of inquiry or adverse national media. | Critical system failure, bad policy advice or ongoing non-compliance. Business severely affected. | >25% of Budget or >$5M |

Likelihood criteria

| Rating | Likelihood | Historical | Probability |
|---|---|---|---|
| 5 | Almost Certain | Is expected to occur in most circumstances | >1 in 10 |
| 4 | Likely | Will probably occur | 1 in 10 - 100 |
| 3 | Possible | Might occur at some time in the future |  |
| 2 | Unlikely | Could occur but doubtful |  |
| 1 | Rare | May occur but only in exceptional circumstances |  |

Risk matrix (likelihood by consequence)

| Likelihood | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost Certain | M | H | H | E | E |
| Likely | M | M | H | H | E |
| Possible | L | M | M | H | E |
| Unlikely | L | M | M | H | H |
| Rare | L | L | M | M | H |
Risk Tolerance/Appetite
An organisation's tolerance for risk varies with its culture and with evolving conditions in its internal and external environments. An organisation's risk tolerance and that of its key stakeholders must be understood, because both will influence and guide decision-making. Management must determine which risks the organisation should accept at which levels, then re-evaluate these choices as circumstances change.
Risk tolerance and performance expectations should be linked directly at the corporate level. Organisations should understand the correlation between the degree and duration of unfavourable variances from established performance expectations or targets and the level of risk exposure.
Risk identification will generally be unproductive if an attempt is made to consider the organisation or activity as a whole. It is much more effective to disaggregate the activity into categories or key elements. This concept is sometimes referred to as the risk universe.
Each topic is somewhat narrower than the activity as a whole, allowing those performing the identification to focus their thoughts and go into more depth than they would if they tried to deal with everything at once. A well-designed set of key elements will stimulate creative thought, and ensure that all important issues are put before those responsible for identifying risks.

(Figure: Risk Universe, Ernst & Young)
Identify risks
The Australian Standard refers to risk categories to prompt risk identification. Prompt lists include (but are not limited to):
Property
Operational
Compliance
Public Liability
Business Continuity / Disasters
Legal
Occupational Health & Safety
Environmental
Technology
Transaction Processing
Human Resources
Fraud
Security
Where resources available for risk identification and analysis are constrained, the structure and approach may have to be adapted to achieve efficient outcomes within resource limitations. For example, where less time is available, a smaller number of key elements may be considered at a higher level, or a checklist may be used. Building upon this over time will allow you to further develop the framework into a more
The analysis can be conducted at various points, such as at the outset of a new project, as part of ongoing management, or as a study of what may occur after risks have been treated. Usually the analysis looks at the consequences of the event, should it occur, and at the likelihood of the event; both are assessed in the context of the effectiveness of the existing controls and strategies. During the risk identification step many risks will have been identified, and it is often not possible to address all of them. The risk analysis step will assist in determining which risks have a greater consequence or impact than others. This gives a better understanding of the possible impact of a risk, or the likelihood of its occurring, so that a decision can be made about committing resources to control the risk.
Risk analysis involves combining the possible consequences, or impact, of an event with the likelihood of that event occurring. The result is a level of risk. The risk criteria and matrix shown above describe how this is done for qualitatively rated risks. When accurate quantified risk measures are available, the level of risk may be calculated.
For each risk, you are required to define its Level of Risk using likelihood and consequences criteria.
Methods of analysis
There are two primary types of analysis. Qualitative methods include evaluation using multidisciplinary groups; specialist and expert judgement; and structured interviews and questionnaires. Quantitative methods of risk analysis include statistical analysis of historical data; simulation and computer modelling; and statistical and numerical analysis.
Risk Evaluation
The purpose of risk evaluation is to enable more informed decision-making, based upon an analysis of risk, treatments and priorities. Risk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered.
Risk treatment
Knowing the risks of an organisation will not of itself reduce the risk exposure. Improvement in the risk environment stems only from the implementation of effective risk controls or treatments. Risk evaluation provides a list of risks requiring treatment, often with associated ratings or priorities. Risk treatment involves identifying a range of options for treating these risks, evaluating those options, preparing treatment plans and implementing them.
Before appropriate treatment actions can be determined, the analysis of each risk may need to be revisited and extended to draw out the information needed to identify and explore different treatment options.
The design of risk treatment measures should be based on a comprehensive understanding of the risks concerned; this understanding comes from an appropriate level of risk analysis. It is particularly important to identify the causes of the risks, control effectiveness and gaps, so that preventative risk treatments can be applied as well as mitigating treatments that will reduce the consequences, likelihood or the symptoms of risk events. The treatment plan should include:

Proposed action
Resource requirements
Responsibilities
Timing
Performance measures
Reporting and monitoring requirements
It will usually not be cost-effective or even desirable to implement all possible risk treatments. It is, however, necessary to choose, prioritise and implement the most appropriate combination of risk treatments. Treatment options, or more usually combinations of options, are selected by considering factors such as costs and benefits, effectiveness and other criteria of relevance to the organisation. Factors such as legal, social, political and economic considerations may need to be taken into account.
Treatment of individual risks will seldom occur in isolation and should be part of an overall treatment strategy. Having a clear understanding of a complete treatment strategy is important to ensure that critical dependencies and linkages are not compromised. For this reason development of an overall treatment strategy should be a top-down process, driven jointly by the need to achieve business objectives while controlling uncertainty to the extent that is desirable.
It is prudent to be flexible and consult broadly about risk treatment with stakeholders and perhaps the wider community as well as peers and specialists. Many treatments need to be acceptable to stakeholders or those who are involved in implementation if they are to be effective and sustainable. If after treatment there is residual risk, a decision should be taken about whether to retain this risk or repeat the risk process.
The corporate risk profile is updated annually and approved by senior management. A risk profile may be represented in the form below, which is known as a heat map.
Actual progress against risk treatment plans provides an important performance measure and should be incorporated into the organisation's performance management, measurement and reporting system, along with the Key Risk Indicators. Monitoring and review also involves learning lessons from the risk management process, by reviewing events, the treatment plans and their outcomes.

(Figure: example Treatment Report)
Our Focus
In order to enhance the service we offer, VMIA has introduced a new client-centric business model. Corporate wide, we have established three centres of excellence in the areas of client service, insurance and risk management products and services, and corporate governance. A greater focus and emphasis is being placed on meeting our clients' needs through a team of specialists focused on providing strategic risk management consulting services in addition to insurance advice and coverage.
Risk Management Services
The VMIA develops and tailors its Risk Management and Insurance Services to clients' needs. If you would like to know more about our risk services, contact your Risk Management Advisor or access the VMIA website at www.vmia.vic.gov.au
Training
The Training Essentials program consists of training sessions, in-house training, seminars and networking events throughout the year. The aim of the Risk Management and Insurance training programs is to equip VMIA clients with the knowledge and skills to understand and plan for risk, and to have in place the appropriate insurance policies. The VMIA launched its new-look Risk Leadership In Government seminar in mid July 2007. The series, consisting of workshops and seminars, presents the latest topics in Risk Management and Insurance and provides a great opportunity for participants to engage with leading professionals in the Risk Management and Insurance field. For more information visit our website at: www.vmia.vic.gov.au
Level 30, 35 Collins Street Melbourne, Victoria, 3000. Phone: 03 99116900 Fax: 03 92706803 Email: strategicrisk@vmia.vic.gov.au Website: www.vmia.vic.gov.au