
Risk Insight Series

Developing a Risk Profile

Developing A Risk Profile

Front cover: taken from the VMIA corporate objectives.

Themes: Alert, Prevent, Protect, Enable.

Objectives: Deliver timely advice to Government. Implement quality risk management advice and support to clients. Tailored and appropriate insurance products and services. Ensure that client needs are understood and addressed. Establish and retain an internal capability.

Disclaimer
This Risk Insight communication provides general information, current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to actions being taken on any of the information. VMIA disclaims all responsibility and liability arising from anything done or omitted to be done by any party in reliance, whether wholly or partially, on any of the information. Any party that relies on the information does so at its own risk.

Acknowledgments
VMIA would like to acknowledge the contribution of Australian Risk Services Pty Ltd in the development of this document.

Version SPO RI-1 1107


Introduction
During the 2006 Risk Framework Quality Review it was identified that many organisations were unclear on the concept of what their risk profile was or how to accurately define one. This edition of Risk Insights seeks to clarify the role, function and development of a Risk Profile.

Risk Management Background


The Australian and New Zealand Risk Management Standard, AS/NZS 4360:2004, defines risk as "the chance of something happening that will have an impact on objectives".

Corporate governance can be defined as the system by which organisations are directed and controlled. It is concerned with improving the performance of companies for the benefit of stakeholders. Risk management contributes to good corporate governance by providing reasonable assurance to boards and senior managers that the organisational objectives will be achieved within a tolerable degree of residual risk (defined by AS/NZS 4360 as "risk remaining after implementation of risk treatment").

Risk management is a comprehensive process, supported by appropriate strategies and frameworks that are designed to identify, analyse, evaluate, treat, monitor and communicate those risks that could prevent a department or agency from achieving its objectives. It covers strategic as well as operational, financial and compliance risks. The Victorian public sector and the private sector use the term enterprise-wide risk management to describe this comprehensive approach.

This document is intended to provide an overview of the key elements of establishing a risk profile. It is not a how-to guide. For more information on how the Australian and New Zealand Risk Management Standard AS/NZS 4360 can be applied to the risk management needs of a Victorian public sector agency, please contact your VMIA Risk Management Advisor.

Risk Management Process


The first step is ensuring that you have a sound risk management framework, consistent with the Australian and New Zealand Risk Management Standard, AS/NZS 4360:2004. Its key elements are:

- Establish the context
- Risk identification
- Risk analysis
- Risk evaluation
- Risk treatment
- Monitor and review
- Communication

The risk management strategy describes the principles that underpin an organisation's approach to risk. It should be supported by risk management policies and procedures that describe the processes establishing the identification, analysis, evaluation, treatment and reporting framework for risk. The purpose of the strategy is to define how risk management will evolve.

Management of risk is an integral part of good business practice and quality management. Learning how to manage risk effectively enables managers to improve outcomes by identifying and analysing the wider range of issues and providing a systematic way to make informed decisions. A structured risk management approach also enhances and encourages the identification of greater opportunities for continuous improvement through innovation. It will help you identify the risks you face and prioritise them according to the likelihood of them occurring and the resulting impact on the business.

It must be emphasised that effective risk management involves more than merely creating a risk profile; all the stages of the process described in the Australian and New Zealand Risk Management Standard AS/NZS 4360 are equally important.

For a risk management program to be effective it needs to demonstrate a number of key principles:

- It is systematic, structured and evidence based where practicable.
- It explicitly addresses uncertainty and the causes of uncertainty.
- It is a core organisation process and an integral part of decision making.
- It leads to the optimisation of control and maximisation of net benefit.
- It is specific to the organisation, applied enterprise wide and tailored to its external and internal context.
- It forms part of the organisational culture, is transparent and understood by all interested parties through their inclusion and involvement in the process.
- It is dynamic, iterative and responsive to change.
- It involves continuous communications and highly visible, comprehensive and frequent reporting of risk.

This document will, however, allow you to begin your risk management journey.

Establishing a Risk Profile for your Organisation


The risk profile is a snapshot of the organisation's operating environment and its capacity to deal with key high-level risks and opportunities linked to the achievement of corporate objectives and results. Developing the risk profile has three outcomes:

- Threats and opportunities are identified.
- The current status of risk management within the organisation is assessed and recognised in order to plan risk management strategies.
- The organisation's risk profile is defined: key risk areas, risk tolerance, ability and capacity to mitigate, and learning needs.

Organisations take stock of their operating environment, identify key risks, and review the organisation's capacity to deal with these risks. The Australian and New Zealand Risk Management Standard AS/NZS 4360 best represents this process. Its stages of Risk Identification, Risk Analysis, Risk Evaluation and Risk Treatment describe the processes that lead to describing the risk profile of an organisation.

Develop risk criteria (Likelihood & Consequence)


Decide the criteria against which risk is to be evaluated. Decisions concerning whether risk treatment is required may be based on operational, technical, financial, legal, social, environmental, humanitarian or other criteria. The criteria should reflect the context initially established.

Criteria may be affected by the perceptions of stakeholders and by legal or regulatory requirements. It is important that appropriate criteria be determined at the outset. Although the broad criteria for making decisions are initially developed as part of establishing the risk management context, they may be further developed and refined subsequently as particular risks are identified and risk analysis techniques are chosen. The risk criteria must correspond to the type of risks and the way in which risk levels are expressed.

Sample risk criteria and matrix

Consequence criteria:

Rating | People | Reputation | Business Process & Systems | Financial
Insignificant | Injuries or ailments not requiring medical treatment. | Internal review. | Minor errors in systems or processes requiring corrective action, or minor delay without impact on overall schedule. | 1% of Budget or <$5K
Minor | Minor injury or First Aid Treatment Case. | Scrutiny required by internal committees or internal audit to prevent escalation. | Policy or procedural rule occasionally not met, or services do not fully meet needs. | 2.5% of Budget or <$50K
Moderate | Serious injury causing hospitalisation or multiple medical treatment cases. | Scrutiny required by external committees or ACT Auditor General's Office, or inquest, etc. | One or more key accountability requirements not met. Inconvenient but not client welfare threatening. | >5% of Budget or <$500K
Major | Life threatening injury or multiple serious injuries causing hospitalisation. | Intense public, political and media scrutiny, e.g. front page headlines, TV, etc. | Strategies not consistent with Government's agenda. Trends show service is degraded. | >10% of Budget or <$5M
Catastrophic | Death or multiple life threatening injuries. | Assembly inquiry or Commission of inquiry or adverse national media. | Critical system failure, bad policy advice or ongoing non-compliance. Business severely affected. | >25% of Budget or >$5M

Likelihood criteria:

Rating | Historical | Probability
5 Almost Certain | Is expected to occur in most circumstances | >1 in 10
4 Likely | Will probably occur | 1 in 10 to 1 in 100
3 Possible | Might occur at some time in the future | 1 in 100 to 1 in 1,000
2 Unlikely | Could occur but doubtful | 1 in 1,000 to 1 in 10,000
1 Rare | May occur but only in exceptional circumstances | 1 in 10,000 to 1 in 100,000

Risk matrix (likelihood down the side, consequence across the top):

Likelihood | Insignificant | Minor | Moderate | Major | Catastrophic
Almost Certain | H | H | E | E | E
Likely | M | H | H | H | E
Possible | M | M | M | H | H
Unlikely | L | M | M | M | H
Rare | L | L | L | M | M

Legend: E = Extreme risk, detailed action plan required; H = High risk, needs senior management attention; M = Medium risk, specify management responsibility; L = Low risk, manage by routine procedures. High or Extreme risks must be reported to Senior Management and require detailed treatment plans to reduce the risk to Low or Medium.

Developing A Risk Profile

Risk Tolerance/Appetite
An organisation's tolerance for risk varies with its culture and with evolving conditions in its internal and external environments. An organisation's risk tolerance and that of its key stakeholders must be understood, because both will influence and guide decision-making. Management must determine which risks the organisation should accept at which levels, then re-evaluate these choices as circumstances change.

Risk tolerance and performance expectations should be linked directly at the corporate level. Organisations should understand the correlation between the degree and duration of unfavourable variances from established performance expectations or targets and the level of risk exposure.

Define the structure for the rest of the process


This involves subdividing the activity, process, project or change into a set of elements or steps in order to provide a logical framework that helps ensure significant risks are not overlooked. The structure chosen depends on the nature of the risks and the scope of the project, process or activity being assessed.

Risk identification will generally be unproductive if an attempt is made to consider the organisation or activity as a whole. It is much more effective to disaggregate the activity into categories or key elements. This concept is sometimes referred to as the risk universe.

Each topic is somewhat narrower than the activity as a whole, allowing those performing the identification to focus their thoughts and go into more depth than they would if they tried to deal with everything at once. A well-designed set of key elements will stimulate creative thought and ensure that all important issues are put before those responsible for identifying risks.

[Figure: Risk Universe (Ernst & Young)]


Identify risks
The Australian Standard refers to risk categories to prompt risk identification. Prompt lists include (but are not limited to):

- Property
- Operational
- Compliance
- Public Liability
- Business Continuity / Disasters
- Legal
- Occupational Health & Safety
- Environmental
- Technology
- Transaction Processing
- Human Resources
- Fraud
- Security

Where resources available for risk identification and analysis are constrained, the structure and approach may have to be adapted to achieve efficient outcomes within resource limitations. For example, where less time is available, a smaller number of key elements may be considered at a higher level, or a checklist may be used. Building upon this over time will allow you to further develop the framework into a more comprehensive enterprise-wide profile.

Analyse the risks


The process of analysis will often commence with a simple qualitative approach that gives a general understanding. Where greater detail or understanding is required, more focused and robust investigation may be needed as well. It is inappropriate to assume that quantitative analysis is superior to qualitative analysis; the approach chosen should be the one that best fits the situation at hand.

The analysis can be conducted at various points, such as at the outset of a new project, as part of ongoing management, or as a study of what may occur after risks have been treated. Usually the analysis looks at the consequences of the event, should it occur, and at the likelihood of the event; both are assessed in the context of the effectiveness of the existing controls and strategies. During the risk identification step many risks will have been identified, and it is often not possible to address all of them. The risk analysis step assists in determining which risks have a greater consequence or impact than others. This provides a better understanding of the possible impact of a risk, or the likelihood of it occurring, in order to make a decision about committing resources to control the risk.

Risk analysis involves combining the possible consequences, or impact, of an event with the likelihood of that event occurring. The result is a level of risk. The risk criteria and matrix shown above describe how this is done for qualitatively rated risks. When accurate quantified risk measures are available, the level of risk may be calculated, e.g.

Level of Risk = consequence x likelihood


For each risk, you are required to define its Level of Risk using likelihood and consequences criteria.

Methods of analysis
There are two primary types of analysis. Qualitative methods include evaluation using multi-disciplinary groups; specialist and expert judgment; and structured interviews and questionnaires. Quantitative methods of risk analysis include statistical analysis of historical data; simulation and computer modelling; and statistical and numerical analysis.

Risk Evaluation
The purpose of risk evaluation is to enable more informed decision-making, based upon an analysis of risk, treatments and priorities. Risk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered.

Risk treatment
Knowing the risks of an organisation will not of itself reduce the risk exposure. Improvement in the risk environment stems only from the implementation of effective risk controls or treatments. Risk evaluation provides a list of risks requiring treatment, often with associated ratings or priorities. Risk treatment involves identifying a range of options for treating these risks, evaluating those options, preparing treatment plans and implementing them.

Before appropriate treatment actions can be determined, the analysis of each risk may need to be revisited and extended to draw out the information needed to identify and explore different treatment options.

The design of risk treatment measures should be based on a comprehensive understanding of the risks concerned; this understanding comes from an appropriate level of risk analysis. It is particularly important to identify the causes of the risks, control effectiveness and gaps, so that preventative risk treatments can be applied as well as mitigating treatments that will reduce the consequences, likelihood or symptoms of risk events. The treatment plan should include:

- Proposed action
- Resource requirements
- Responsibilities
- Timing
- Performance measures
- Reporting and monitoring requirements


It will usually not be cost-effective or even desirable to implement all possible risk treatments. It is, however, necessary to choose, prioritise and implement the most appropriate combination of risk treatments. Treatment options, or more usually combinations of options, are selected by considering factors such as costs and benefits, effectiveness and other criteria of relevance to the organisation. Factors such as legal, social, political and economic considerations may need to be taken into account.

Treatment of individual risks will seldom occur in isolation and should be part of an overall treatment strategy. Having a clear understanding of a complete treatment strategy is important to ensure that critical dependencies and linkages are not compromised. For this reason development of an overall treatment strategy should be a top-down process, driven jointly by the need to achieve business objectives while controlling uncertainty to the extent that is desirable.

It is prudent to be flexible and consult broadly about risk treatment with stakeholders and perhaps the wider community as well as peers and specialists. Many treatments need to be acceptable to stakeholders or those who are involved in implementation if they are to be effective and sustainable. If after treatment there is residual risk, a decision should be taken about whether to retain this risk or repeat the risk process.

The Risk Register


A key step is to produce a document depicting the organisational risk profile. This usually flows from the risk register. The objective of the risk register is to capture, rank and report on risk. Therefore you need:

- a database, spreadsheet or specialist system to capture and report; and
- a scoring mechanism for risks and controls to enable ranking of risk (usually the Level of Risk described above is used for this purpose).

The register captures the results of the environmental scans, risk assessment and analysis, and identifies areas requiring corporate decisions or direction regarding risk management strategies. Organisations have developed various ways to present results, including matrices, risk maps, and reports with summaries by risk area.
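As an added example (not part of the VMIA document), the qualitative scoring, ranking and reporting described in "Analyse the risks" and "The Risk Register" implemented in Python: the 5x5 sample matrix from this paper gives each risk its Level of Risk, the register is ranked worst first, and High or Extreme entries are flagged for senior management with a check that their treatment plan brings the residual risk to Low or Medium. The register entries and the function names are my own constructed assumptions.

```python
"""Risk register scorer built on the sample criteria and matrix above.
MATRIX rows are likelihood Rare..Almost Certain (1..5), columns consequence
Insignificant..Catastrophic (1..5). Register entries are constructed samples."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MATRIX = [
    "LLLMM",  # Rare
    "LMMMH",  # Unlikely
    "MMMHH",  # Possible
    "MHHHE",  # Likely
    "HHEEE",  # Almost Certain
]
LEVEL_ORDER = {"L": 0, "M": 1, "H": 2, "E": 3}
LEVEL_NAME = {"L": "Low", "M": "Medium", "H": "High", "E": "Extreme"}

@dataclass
class Risk:
    ref: str
    description: str
    category: str      # one of the prompt-list categories
    likelihood: int    # 1..5
    consequence: int   # 1..5
    residual: Optional[Tuple[int, int]] = None  # (likelihood, consequence) after treatment

def level(likelihood: int, consequence: int) -> str:
    """Qualitative Level of Risk from the matrix: 'L', 'M', 'H' or 'E'."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("ratings must be in 1..5")
    return MATRIX[likelihood - 1][consequence - 1]

def needs_escalation(lvl: str) -> bool:
    """High or Extreme risks must be reported to senior management."""
    return lvl in ("H", "E")

def treatment_acceptable(risk: Risk) -> bool:
    """Treatment plans must bring a High/Extreme risk down to Low or Medium."""
    return risk.residual is not None and level(*risk.residual) in ("L", "M")

def rank(register: List[Risk]) -> List[Risk]:
    """Worst first: by matrix level, then by consequence rating."""
    key = lambda r: (LEVEL_ORDER[level(r.likelihood, r.consequence)], r.consequence)
    return sorted(register, key=key, reverse=True)

def report(register: List[Risk]) -> List[str]:
    """One line per risk in ranked order, flagging escalation and plan status."""
    lines = []
    for r in rank(register):
        lvl = level(r.likelihood, r.consequence)
        flag = ""
        if needs_escalation(lvl):
            plan = "acceptable" if treatment_acceptable(r) else "REQUIRED"
            flag = f" -> report to senior management; treatment plan {plan}"
        lines.append(f"{r.ref} [{LEVEL_NAME[lvl]}] {r.category}: {r.description}{flag}")
    return lines

# Constructed sample register; categories are taken from the prompt list above.
SAMPLE_REGISTER = [
    Risk("R1", "Extended outage of client-facing systems", "Technology", 3, 4, residual=(2, 3)),
    Risk("R2", "Payroll fraud by a privileged user", "Fraud", 2, 3),
    Risk("R3", "Slip or trip injury in public areas", "Occupational Health & Safety", 4, 1),
    Risk("R4", "Loss of sole key supplier", "Business Continuity / Disasters", 2, 5),
]
```

Calling report(SAMPLE_REGISTER) returns the ranked register with R4 and R1 flagged; R4 has no treatment plan yet and so stays marked REQUIRED.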


Use of a Risk Profile


The corporate risk profile is also intended to inform staff and stakeholders about the following:

- risks emerging from the changing operating environment;
- priority risks and how such risks are to be mitigated and managed;
- risk tolerances and how they are to be communicated;
- current capacity of the department to manage and mitigate significant risks; and
- learning and support needs, structures, and actions to sustain integrated management of risk within the organisation.

[Figure: Sample of risk profile]

The corporate risk profile is updated annually and approved by senior management. A risk profile may be represented in the form below which is known as a heat map.


Monitoring and review


Ongoing review is essential to ensure that the risk management plan remains relevant. Factors that may affect the likelihood and consequences of an outcome may change, as may the factors that affect the suitability or cost of the treatment options. It is therefore necessary to repeat the risk management cycle regularly. Periodic reviews of risks and treatment strategies are particularly useful when they are associated with business and strategic plan development and change management.

Actual progress against risk treatment plans provides an important performance measure and should be incorporated into the organisation's performance management, measurement and reporting system along with the Key Risk Indicators. Monitoring and review also involves learning lessons from the risk management process, by reviewing events, the treatment plans and their outcomes.

[Figure: example Treatment Report]



How VMIA can assist


Who We Are / What We Do The Victorian Managed Insurance Authority (VMIA) is a statutory body established to provide risk management services to Victorian State Government departments and agencies. The VMIA provides risk management advisory services, insurance products and support and site risk surveys. These services are benchmarked against commercial equivalent practices and organisations. Insurance products provide coverage at levels equivalent to best market coverage with the value added risk management services costed within market competitive premiums.

Our Focus
In order to enhance the service we offer, VMIA has introduced a new client-centric business model. Corporate wide we have established three centres of excellence in the areas of client service, insurance/risk management products and services, and corporate governance. A greater focus and emphasis is being placed on meeting our clients' needs through a team of specialists focused on providing strategic risk management consulting services in addition to insurance advice and coverage.

Risk Management Services
The VMIA develops and tailors its Risk Management and Insurance Services to clients' needs. If you would like to know more about our risk services, contact your Risk Management Advisor or access the VMIA website at www.vmia.vic.gov.au

Training
The Training Essentials program consists of training sessions, in-house training, seminars and networking events throughout the year. The aim of the Risk Management and Insurance training programs is to equip VMIA clients with the knowledge and skills to understand and plan for risk, and to have in place the appropriate insurance policies. The VMIA launched its new look Risk Leadership In Government seminar in mid July 2007. The series, consisting of workshops and seminars, presents the latest topics in Risk Management and Insurance and provides a great opportunity for participants to engage with leading professionals in the Risk Management and Insurance field. For more information visit our website at: www.vmia.vic.gov.au


Level 30, 35 Collins Street Melbourne, Victoria, 3000. Phone: 03 99116900 Fax: 03 92706803 Email: strategicrisk@vmia.vic.gov.au Website: www.vmia.vic.gov.au
