
WA Government RISK MANAGEMENT GUIDELINES

SECOND EDITION

A Division of the

August 2011


Acknowledgement
RiskCover has produced the Risk management guidelines to assist the Western Australian State Government Agencies to implement their risk management programs.

First edition: January 2007
Second edition: August 2011

Please direct all enquiries or comments on the contents of this document to:
Risk Management Services
RiskCover
Insurance Commission of WA
The Forrest Centre
221 St Georges Terrace
Perth Western Australia 6000
(08) 9264 3806
riskmanagement@icwa.wa.gov.au

Table of Contents

PUBLIC SECTOR COMMISSIONER'S CIRCULAR ... i
1. INTRODUCTION ... 1
  1.1 What is Risk Management? ... 1
  1.2 Why Manage Risk? ... 2
  1.3 How Do We Manage Risks? ... 2
2. COMMUNICATION AND CONSULTATION ... 4
3. RISK MANAGEMENT PROCESS ... 6
  3.1 Step 1: Establish the Framework and Context ... 6
    3.1.1 Risk Management Framework ... 6
    3.1.2 Methodology of Assessing Risk ... 9
    3.2 Specific Risk Assessment Context ... 10
    3.3 Summary ... 11
  3.2 Step 2: Risk Identification ... 12
    3.2.1 What is a Risk? ... 12
    3.2.2 Causes of Risk ... 12
    3.2.3 Summary ... 13
  3.3 Step 3: Risk Assessment - Analysis & Evaluation ... 13
    3.3.1 Existing Controls & Controls Assurance ... 13
    3.3.2 Risk Analysis ... 15
    3.3.3 Risk Evaluation ... 16
    3.3.4 Risk Ownership & Risk Decision ... 17
    3.3.5 Risk Acceptance Decision ... 18
    3.3.6 Summary ... 18
  3.4 Step 4: Risk Treatment ... 19
    3.4.1 Identify, Evaluate and Select Treatment Options ... 19
    3.4.2 Prepare & Implement Treatment Plans ... 20
    3.4.3 Summary ... 20
  3.5 Using Risk Information ... 21
    3.5.1 Categorisation of Risk ... 21
4. MONITOR AND REVIEW ... 23
  4.1 Focus Areas ... 23
  4.2 Risk Management Performance Measures ... 24
  4.3 Roles and Responsibilities ... 24
5. RISK MANAGEMENT IMPLEMENTATION ... 26
  1. Executive Awareness and Commitment ... 26
  2. Development of the Risk Management Framework ... 26
  3. Communication / Education ... 27
  4. Managing Risks at the Strategic Level ... 27
  5. Managing Risks at the Business Unit Level ... 27
  6. Monitor and Review ... 28
Appendix I: Glossary ... 29
Appendix II: Sample Risk Management Policy ... 36
Appendix III: Sample Risk Reference Tables ... 39
Appendix IV: Sample Risk Register ... 55
Appendix V: Sample Risk Management Implementation Schedule ... 57
Appendix VI: Strategic Risk Management Framework ... 60
Appendix VII: Project Life Cycle ... 66

Risk management Guidelines Copyright of Insurance Commission of WA RiskCover Division

Risk management Guidelines Copyright of Insurance Commission of WA RiskCover Division

PUBLIC SECTOR COMMISSIONER'S CIRCULAR


Number: 2009/19
Issue Date: 08/05/2006
Review Date: 23/03/2011

TITLE
RISK MANAGEMENT AND BUSINESS CONTINUITY PLANNING

POLICY
All public sector bodies must practise risk management, regularly undertake a structured risk assessment process to identify the risks facing organisations, be able to demonstrate the management of risks, and where appropriate, have continuity plans to ensure they can respond to and recover from any business disruption. Public sector bodies must submit details of their risk management policy, assessment processes and continuity plans to RiskCover. Public sector bodies must ensure that risk management policies and continuity plans are maintained and reviewed on a regular basis.

BACKGROUND
Risk management has been a feature of the operation of the public sector for many years, with such requirements included in the Treasurer's Instructions. The Insurance Commission of Western Australia, through its RiskCover Division, has a mandate to manage and administer risk management arrangements on behalf of public authorities and to provide advice to the Government on matters relating to risk management. Planning for major risk events, such as natural disasters, often receives special focus, with a great deal of planning and mitigation work undertaken to deal with potential issues. However, it is a matter of good corporate governance that risk assessment and continuity planning are subject to continual review at the highest levels of an organisation. In more recent times the threat of terrorism and the possibility of an influenza pandemic have reinforced the need for government agencies to be prepared and able to continue to deliver services no matter the circumstances. The proclamation of the Emergency Management Act 2005, together with other State initiatives such as the Western Australian Management Plan for Pandemic Influenza, are parts of the process of ensuring that the public sector and the community are well prepared for emergencies of any kind.


Many agencies will already have well developed risk management processes while others may be less well prepared. RiskCover consultants will continue to be available to guide and assist agencies to enable them to meet the requirements (contact Mr Jim Hodges, Risk management Services Manager, RiskCover 9264 3702). Education and training in risk management and business continuity planning is also available through RiskCover.

MC Wauchope, Public Sector Commissioner

For enquiries contact:
Don Williams, Manager, RiskCover Division, Insurance Commission of WA, 9264 3400

Premier's Circular 2006/03

Other relevant Circulars: Circular/s replaced by this Circular:


Introduction

1. INTRODUCTION
These guidelines have been produced by RiskCover to assist State Government agencies in developing and implementing effective risk management processes. They should be read in conjunction with the WA Government Business Continuity Guidelines, as the management of critical incidents and emergencies is just one aspect of an agency's overall approach to managing risk.

The purpose of these guidelines is to provide an overview and explanation of the risk management process, some hints on applying the process, and sample documents for you to use. Please contact RiskCover Risk Management Services on Tel: 9264 3806 or email riskmanagement@icwa.wa.gov.au should you require any further information or assistance in implementing risk management within your agency.

1.1 What is Risk Management?


The management of risk is an integral part of good management practice. There is a direct relationship between risk and opportunity in all business activities, and as such, an agency needs to be able to identify, measure and manage its risks in order to be able to capitalise on those opportunities and achieve its goals and objectives.

A risk can be defined as any internal or external situation or event that has the potential to impact upon an agency, preventing the agency from successfully achieving its objectives, delivering its services, capitalising on its opportunities or carrying out its projects or events.

Risk management is simply the practice of systematically identifying and understanding risks and the controls that are in place to manage them. Ultimately the process gets you to a point of deciding whether, in the context of a particular strategy, activity or function, a risk is acceptable or requires further action.

The risk management process does not encourage managers to be risk averse. In fact, it is designed to give managers the confidence to manage risk to an acceptable level and to take a level of risk commensurate with the opportunity. The key element in managing risk is correctly balancing risk and reward. A culture which is risk averse will create inflexibility in the business and erect barriers to the achievement of the organisation's goals. Conversely, the acceptance of disproportionately high risk can have significant impacts on the business.


1.2 Why Manage Risk?


The primary reason for managing risk is to enable agencies to successfully achieve their goals. With the growing need for transparent decision-making, a structured, systematic risk management process demonstrates the due diligence that is required and provides an audit trail for decision making. A comprehensive understanding of the risk exposures facing an agency also facilitates effective planning and resource allocation, and encourages a proactive management culture, with flow-on benefits for every aspect of an agency's operation.

1.3 How Do We Manage Risks?


Risk management is most successful when it becomes fully integrated into normal operating procedures, processes and systems. Like all good management practices, it should be driven from the top down and be recognised as the responsibility of everyone. Executives and Senior Managers have a particular responsibility in demonstrating commitment to the implementation and use of the risk management process and the information it generates.

These guidelines will take you through the process, which comprises the following steps:
1. Establish the context
2. Identification of the risks
3. Analysis and evaluation of the risks
4. Where necessary, treatment of the risks

In addition, there are two important concepts, Communication and Consultation, and Monitor and Review, that apply to every aspect of risk management. These are discussed at the beginning and end of the guidelines, respectively.


Implementing risk management involves a logical and structured way of thinking and it requires the development and use of a consistent language to support the process. It is important to use precise, common terminology to ensure the effective communication and unambiguous description of the risks within your agency and across the whole of government.

Refer to the Glossary of Terms provided in Appendix I.


Communication and Consultation

2. COMMUNICATION AND CONSULTATION


Communication and consultation are essential to the overall risk management process. The effectiveness of your risk management process depends upon, amongst other things, involving the right people at the right time and ensuring they understand, are involved in, and contribute to the process.

Communication is the sharing of information and viewpoints. Effective communication has the following attributes:
- It is multi-directional. Information, ideas and perspectives are shared across functional areas, and senior management are receptive to the views of their subordinates.
- It involves information and opinions. Other people's perspectives are understood and acknowledged. Factual information is gathered from all relevant sources. No individual or department has a monopoly on the facts.
- It is interactive. Listening is as important as talking. Good communication involves the sharing of information, opinions and experiences.
- It is respectful. It focuses on ideas and information, not personalities. Communication is most effective in an environment where people are valued and their viewpoints are respected.
- It engages the participants, promoting their understanding and ownership of the outcomes.

Consultation is a process that uses communication to make effective decisions. Importantly, consultation is not an outcome or an end in itself but a means by which outcomes are achieved. Consultation gives stakeholders the opportunity to influence decisions, however, it is not joint decision making, but rather an effective way to receive useful input and ensure that all relevant viewpoints are taken into account in identifying and evaluating risks.

A well-structured approach to communication and consultation can provide the following benefits:
- Organisational coherence and a positive culture for risk management implementation
- Trust and understanding, resulting in better internal and external relationships
- The risk management process becomes tangible: people know what it is and how it works
- Integration of multiple perspectives
- Risk management is embedded as an ongoing part of management and organisational practice

Each step of the risk management process relies on communication and consultation to achieve its purpose. For instance, in setting the context, consultation with internal and external stakeholders is essential to reach a thorough understanding of the operating environment and to define the purpose and scope of the exercise. In risk identification, a diversity of input can prevent important risks being overlooked and ensure that risks are accurately described. In the risk assessment process, communication and consultation allows all perspectives to be considered in arriving at a realistic level of risk. Risk treatment is more effective because treatment plans are better understood, and the monitor and review process depends upon effective communication to ensure risk information is in use and current.

Communication and consultation does not mean asking everybody their opinion about everything. When developing a strategy to implement a formal risk management process within your organisation, you may wish to consider the following in relation to communication and consultation requirements:

- Objectives: What are the specific aims and goals of involving different parties in the process?
- Participants: Who are the appropriate parties to be involved at each step of the process?
- Perspectives: What particular contribution or viewpoint is anticipated and required from each participant?
- Methods: How will consultation take place? It may not always be practical to get all the parties together in one place. How do we integrate risk thinking into all aspects of our business?

Hint: When agencies plan their communication and consultation for the risk management process, frequently they fail to adequately consider the needs and viewpoints of all stakeholders. Obviously, risk management involves the discussion of some matters that cannot be shared with external parties. However, if we fail to incorporate the needs and viewpoints of all stakeholders, the full benefit of risk management may not be realised.

A successful means of embedding the management of risks into an organisation's culture is to integrate the risk management process into existing management processes. Avoid having risk management as a standalone process outside of our normal management activities; integrating it reinforces the message that the management of risk is part of managing the business.


Risk management Process

3. RISK MANAGEMENT PROCESS


3.1 Step 1: Establish the Framework and Context
There are two elements to this step: (1) Setting the Risk management Framework and (2) Establishing the specific risk assessment context.

3.1.1 Risk management Framework


An agency's risk management program should be aligned to its strategic goals and objectives and is most effective when it is integrated with the overall planning and management functions of the organisation.

In developing a framework for managing risk, an agency needs to consider the following:
- Core purpose, vision, mission and values: why does it exist?
- Strategic direction, goals, required outcomes and deliverables. These may be defined by legislation, ministerial directive, charter, etc.
- Internal and external environments, often assessed using a SWOT analysis.
- Internal and external stakeholders: who are they, and what are their needs and expectations?
- Organisational planning, reporting and management processes
- Roles, responsibilities and communication strategies
- A program of review to ensure the framework continues to align with the organisation's management practices
- Organisational governance structures and the integration of the management of risk into these structures

Based on the outcome of this analysis, an agency will then be in a position to define how risks are to be managed across the organisation, through the development of:
- A Risk Management Policy
- Risk Management Procedures, which clearly define how the risk management process is undertaken and integrated into the planning, delivery, monitoring and reporting activities of an agency
- Risk Reference Tables, which are the agency's language defining consequence and likelihood. They also include a definition of the acceptance and reporting criteria for specific levels of risk.
- A Risk Management Implementation Strategy: a plan of how the policy and procedures are to be communicated and implemented
- A Risk Register Tool: an electronic tool to facilitate the recording, managing, reporting and use of risk information
- Integration of the management of risk into the organisational structure, roles and responsibilities

Section 5 of these guidelines discusses the implementation of the risk management process in more detail.

Risk Reference Tables

Risk Reference Tables are developed by an agency for the purpose of establishing guidance as to how risks are to be evaluated, assessed, measured, accepted and reported. As well as establishing a common language, the use of semi-quantitative measures removes some of the subjectivity of the assessment process and allows risks from any part of the agency to be compared with any other, and hence prioritised. There are commonly four different tables used:
a) Controls Rating Table
b) Consequence Rating Table
c) Likelihood Rating Table
d) Risk Acceptance Criteria Table

Refer to the samples of risk reference tables in Appendix III. Note that these tables are samples only and need to be customised for each agency to reflect their own organisational context and tolerance for risk.

a) Existing Controls Rating Table

This table is used to rate the adequacy of the collective existing controls that are in place at the time of the assessment to manage a particular risk. It is usually qualitative in nature and can be rated on three levels, e.g. Excellent, Adequate and Inadequate. A Control is an established mechanism, procedure, process or practice that is currently in place to manage a risk. It controls the risk by reducing its consequences, likelihood, or both. A control should be tangible and in place at the time of an assessment.

Hint: This is a reasonableness test. Is the agency doing what is reasonable in the circumstances to reduce the likelihood and/or consequences of this risk? There may be several controls, each of which contributes in some way towards reducing the risk. What we are rating is the adequacy of those combined measures. This is not an assessment of the effectiveness of each individual control. Effectiveness should be looked at in the control assessment process and be reflected in the rating of the likelihood.

b) Consequence Rating Table

Consequence Categories

Consequence categories are based upon the individual agency's criteria for measurement of success and should reflect the agency's economic, social and, in some cases, environmental responsibility. The categories should include those key areas which, if impacted upon, would have a significant effect on the ability of the agency to achieve its goals. In government, these consequence categories may include: Financial, Injury, Service Interruption, Reputation and Image, Operational Effectiveness, Community, Legal & Compliance and Environment.

Consequence Scale

Consequences are usually rated on a scale of 1 to 5, 1 being insignificant and 5 being catastrophic. This is generally referred to as the level of consequence. For each of the consequence categories defined, an agency needs to define criteria for each of the levels specified. Care must be taken to ensure that criteria relating to different categories are equivalent at the same level of consequence, i.e. the definition of a catastrophic Financial consequence needs to be equivalent in priority to the definition of, say, a catastrophic Reputation & Image consequence.

Refer to Appendix III for examples of Consequence Tables.

Hints:

Be aware however, that when applying these scales, each consequence category is assessed on its own merit. For example a catastrophic Reputation and Image consequence does not automatically mean it is catastrophic across any or all other consequence categories.

When establishing the scale, avoid using subjective words such as "significant" when defining levels of consequence, as this will lead to ambiguity. Where possible use quantitative measures such as "A financial loss of $25,000 - $50,000".

c) Likelihood Rating Table

The other measure of risk is likelihood, and this is also commonly measured on a scale of 1 to 5, with 1 being rare and 5 being almost certain. Likelihood can be considered in two aspects. In one sense, you can base the scale on how frequently a given consequence will (or is likely to) happen, e.g. more than twice per year, every year, every three years, etc. Alternatively, you can consider the probability of something happening in a defined forward timeframe, e.g. in the next five years a consequence is almost certain or expected to occur in most circumstances. In either case, each level of the scale should be quantified.

Refer to Appendix III for examples of Likelihood Tables.

Hint: The Consequence and Likelihood Tables become part of your agency's common risk language and reflect the agency's level of risk tolerance. The language used in these tables must be relevant to your agency, not generic descriptions taken from samples.


3.1.2 Methodology of Assessing Risk


Each risk is first analysed and evaluated in terms of the potential consequences resulting from a particular risk scenario. Then the consequences of the scenario are rated in terms of how likely the risk is to occur with the identified consequence. Using the 1 to 5 scales for Consequence and Likelihood this results in a Level of Risk scale ranging from 1 to 25 (1 being the low consequence/low likelihood risks and 25 being the almost certain catastrophic risks).

The level of a risk varies as you consider the context of how that risk is being managed. All risks will have an Inherent Level of Risk: this is defined as the level of risk with no formal controls in place, or the level of risk in the event of a breakdown of all controls. Some organisations choose to assess and document this level of risk prior to considering the effectiveness of existing controls. Having information available which relates to this inherent risk level means that, when considering the adequacy of controls, the inherent or worst-case scenario is known.

Once the existing controls have been identified, documented and assessed for effectiveness, the Assessed Level of Risk can be evaluated. This is the Level of Risk with current controls in place.

Should the Assessed Level of Risk be unacceptable, then additional controls or improvements to existing controls, in the form of Treatments, are put in place. In order to evaluate the cost benefit of these proposed actions, a Predicted Level of Risk is estimated. This is the predicted Level of Risk after the Treatment Plan has been implemented.

Finally, once a risk Treatment Plan has been implemented, the risk is once again evaluated and a Residual Level of Risk is calculated. This is the remaining level of risk exposure and should now be in a range that is acceptable to the agency.

d) Risk Acceptance Criteria Table

This table defines the agency's risk tolerance, or risk appetite, and gives guidance as to the acceptability of risk. For a given level of risk, the table defines how that risk is perceived (e.g. low, moderate, high, or extreme) and may specify the level of controls rating (i.e. Inadequate, Adequate, Excellent) that is necessary to accept the risk. The criteria can often define how risks are to be reported and reviewed, and who is the acceptance decision-maker.

Refer to Appendix III for sample Risk Acceptance Criteria Tables.

Hint: Once the tables are established, run through a couple of examples. Do they make sense? How do the examples fit with your instincts and past experience? These acceptance criteria should be periodically reviewed to ensure they are still in line with the agency's risk appetite.
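As an added illustration (not code from the guidelines or from RiskCover), the following Python models the methodology above: 1 to 5 consequence and likelihood ratings, the 1 to 25 Level of Risk, and the inherent, assessed, predicted and residual levels of one risk checked against a Risk Acceptance Criteria Table. It assumes the level is consequence multiplied by likelihood and that a scenario's worst-rated consequence category sets its level; the rating bands, controls requirements and the sample risk are constructed stand-ins for an agency's own Appendix III tables.

```python
"""Semi-quantitative risk rating, following section 3.1.2 of the guidelines.

Added illustration, not RiskCover code. The guidelines give 1-5 consequence
and likelihood scales and a 1-25 Level of Risk; this module ASSUMES the level
is consequence x likelihood and that the worst-rated consequence category
drives a scenario's level. The acceptance bands, controls requirements and
sample risk below are constructed placeholders for an agency's own tables.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CONTROLS_RANK = {"Inadequate": 0, "Adequate": 1, "Excellent": 2}

# Constructed Risk Acceptance Criteria: (upper level, rating, minimum controls
# rating needed to accept the risk as-is; None = treatment always required).
ACCEPTANCE_BANDS: Tuple[Tuple[int, str, Optional[str]], ...] = (
    (4, "Low", "Inadequate"),
    (9, "Moderate", "Adequate"),
    (16, "High", "Excellent"),
    (25, "Extreme", None),
)


def level_of_risk(consequence: int, likelihood: int) -> int:
    """Level of Risk on the 1-25 scale (assumed: consequence x likelihood)."""
    for name, value in (("consequence", consequence), ("likelihood", likelihood)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be rated 1-5, got {value}")
    return consequence * likelihood


def acceptance(level: int, controls_rating: str) -> Tuple[str, bool]:
    """Return (rating, acceptable) from the constructed acceptance criteria."""
    if controls_rating not in CONTROLS_RANK:
        raise ValueError(f"unknown controls rating: {controls_rating}")
    for upper, rating, minimum in ACCEPTANCE_BANDS:
        if level <= upper:
            acceptable = minimum is not None and (
                CONTROLS_RANK[controls_rating] >= CONTROLS_RANK[minimum])
            return rating, acceptable
    raise ValueError(f"level out of range: {level}")


@dataclass
class Scenario:
    """One risk scenario: a rating per consequence category plus likelihood."""
    consequences: Dict[str, int]   # e.g. {"Reputation and Image": 4}
    likelihood: int
    controls_rating: str = "Inadequate"

    def level(self) -> int:
        # Each category is rated on its own merit; the worst one sets the
        # scenario's level (assumption, see module docstring).
        return level_of_risk(max(self.consequences.values()), self.likelihood)


def risk_lifecycle(inherent: Scenario, assessed: Scenario,
                   predicted: Scenario, residual: Scenario) -> Dict[str, dict]:
    """Carry one risk through the four levels described in section 3.1.2."""
    out: Dict[str, dict] = {}
    for stage, s in (("inherent", inherent), ("assessed", assessed),
                     ("predicted", predicted), ("residual", residual)):
        lvl = s.level()
        rating, ok = acceptance(lvl, s.controls_rating)
        out[stage] = {"level": lvl, "rating": rating, "acceptable": ok}
    return out


def sample_lifecycle() -> Dict[str, dict]:
    """Constructed example: unauthorised access to a case-management system."""
    cats = {"Reputation and Image": 4, "Legal & Compliance": 4, "Financial": 2}
    # No formal controls (or all controls failed): 4 x 4 = 16, High.
    inherent = Scenario(cats, likelihood=4)
    # Existing access controls and logging rated Adequate: 4 x 3 = 12, High,
    # but the High band requires Excellent controls, so not acceptable.
    assessed = Scenario(cats, likelihood=3, controls_rating="Adequate")
    # Treatment plan (e.g. stronger authentication, access reviews) expected
    # to bring likelihood to 2 and controls to Excellent: 8, Moderate.
    predicted = Scenario(cats, likelihood=2, controls_rating="Excellent")
    # Re-evaluated after implementation; here the treatment met its target.
    residual = Scenario(cats, likelihood=2, controls_rating="Excellent")
    return risk_lifecycle(inherent, assessed, predicted, residual)


if __name__ == "__main__":
    for stage, r in sample_lifecycle().items():
        print(f"{stage:9s} level={r['level']:2d} {r['rating']:8s} "
              f"acceptable={r['acceptable']}")
```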


3.2 Specific Risk Assessment Context

Once the Risk Management Framework is established, the requirements for a specific risk assessment exercise can be defined. For instance, you may be embarking on a new strategic planning cycle and need to integrate the identification, assessment and management of risks as part of your strategic plan. Alternatively you may be reviewing/developing your business plans and want to identify the risks for your agency to inform this planning process. For each individual risk assessment exercise, it is important to set the following:

- The parameters: What is the specific subject of the assessment (e.g. the specific strategy, activity, function)?
- Identify the essential stakeholders who need to be involved in the assessment.
- Ensure all participants in the assessment exercise are clear about the purpose of the assessment prior to the exercise.

The specific risk assessment context can be categorised as Strategic, Operational, or Project:

Strategic Level: Strategic risks concern the whole of the agency. They are the risks associated with long-term organisational objectives and the means by which those objectives will be achieved. Strategic risk assessment is normally conducted at a Board or Executive level and is most effective when integrated with the strategic planning process.

Operational Level: Operational risks are associated with the development and implementation of operational plans or the processes, functions or activities of the agency. They are the risks associated with your normal business functions. Operational risks should be assessed by the parties familiar with the particular function or service with which the risks are associated.

Project Level: Project risks are associated with specific projects or discrete initiatives. All projects go through a life cycle, i.e. conception to planning, scoping, contracting, design, construction, testing/commissioning, hand-over and operation. Project risks exist at every stage, and they need to be identified and managed to ensure the successful completion of the project. (Refer Appendix VII)

Once the context for a particular risk assessment has been specified, and the particular strategy, activity or project defined, the next step is to identify the critical success factors (CSFs) and key dependencies associated with it. This is the basis of the structured approach to identifying risk: anything that has an impact upon the CSFs constitutes a risk.


A CSF is defined as any essential resource, expertise, input, or other factor, which is critical to the success of that particular strategy, activity or function. The strategy, activity or function should define what it is you do, the CSF is what is critical to enable you to perform this. CSFs can be outcome focused or input focused.

Hint: There may be more than one CSF per strategy, activity or function, depending on the level at which the agency wants to capture the risk information.

There is no right or wrong way to identify a CSF. Whether you take an outcome-based or input-based approach will depend on the focus of the agency's management. The risk information which flows from this will still capture the important aspects. Using the outcomes-based approach will simply capture this information with a direct and obvious connection to the agency outcomes or deliverables. Some agencies are outcome focused in that their plans, and the activities to achieve those plans, are directly linked to the outcomes desired. In this case the risk assessment should also be linked to the outcomes, whether they are strategic, operational or project outcomes. These outcomes may be clearly stated in the agency's plans. The risks will then be the things that will prevent you from successfully achieving the desired outcomes.

For those agencies who are not as outcome focused, or where the activity or project is further distanced from the outcomes and there is not an easily identified link, it may be easier to focus on key dependencies or the critical inputs required to enable the agency to deliver the identified service, function or project. These inputs will be the things essential to enabling the service, function or project to be completed, i.e. resources, budgets, specific equipment or skills.

3.3 Summary

Step 1 of the risk management process is establishing the framework and context, in terms of how the agency will manage risks (language, criteria and methodology) and the context for each specific risk assessment. Risk management policies and procedures are established, and specific roles are assigned. Then a set of tools, known collectively as the Risk Reference Tables, is developed to measure and evaluate risks and controls. These tables establish a common language to manage risk and define the agency's risk tolerance. Once the overall agency Framework is established, the context for specific risk assessments can be developed. Key strategies, activities or functions are defined, as are the associated CSFs and dependencies.


3.2 Step 2: Risk Identification


3.2.1 What is a Risk?
ISO 31000 defines risk as the effect of uncertainty on objectives. It is measured in terms of consequence and likelihood. To ensure that all key risks within an organisation are being addressed, a structured, systematic approach to identifying risks is essential. The identification process considers each strategy, activity or function as defined by the context set in Step 1, looks at what is critical to the success of that strategy, activity or function, and then considers what may go wrong. This is defined as the risk. For example, looking at a part of an operation that provides advice to clients, one could identify a risk as follows:

Key Activity: Providing advice to clients
Critical Success Factor: Accuracy of information
Risk: Incomplete or inaccurate information provided to clients

Hint: Do not mistake risks for consequences. Injuries, Financial Loss and Reputation Damage are not risks but consequences of a risk, i.e. if your risk were to eventuate, it could result in injuries, financial loss and/or reputation damage.

For each risk, you should identify possible causes of the risk event. Each risk may have one or more causal factors which can either directly or indirectly contribute to the risk event occurring. Identifying the range of causes will assist in understanding the risk, identify controls, evaluate the adequacy of existing controls and design effective risk treatments.

3.2.2 Causes of Risk


The causes of a risk are identified to gain a better understanding of the risk and assist in identifying controls. There are often a number of contributing factors which lead to a risk occurring. There may be both internal and external causes of a risk. Identified causes assist in the process of identifying controls later on in the risk management process. A well managed risk will have effective controls for each identified cause. The absence of controls for identified causes highlights gaps in management of the risk and thus areas for improvement.


3.2.3 Summary
Step 2 is about identifying your risks in a systematic fashion. The causes of risks need to be identified, so that existing controls can be appropriately evaluated.

HINT: Identified risks can then be categorised to assist with reporting on risks of a similar type. Avoid using generic risk categories as the context for risk identification, as this can seriously limit the thoroughness of your risk assessment and can result in key risks being missed.

3.3 Step 3: Risk Assessment - Analysis & Evaluation


In general, agencies already have a broad range of public sector procedures and systems in place that act as risk controls. As a result, the assessment process used by most State Government agencies takes into account the effectiveness of these existing controls. Therefore, in this context, risk assessment involves:

- Identifying and evaluating any existing controls
- Analysing the risk in terms of Consequences and Likelihood
- Evaluating the level of risk against pre-defined acceptance criteria.

3.3.1 Existing Controls & Controls Assurance


Controls are the measures that are currently in place, i.e. at the time of the risk assessment, that reduce the consequences and/or likelihood of the risk.

Hint: It is useful to cross-reference your controls with the identified causes. Are there controls in place for each potential cause of a risk?

a) Overall Control Rating
All controls are looked at as a whole in terms of their adequacy in managing the risk. The adequacy of the controls is assessed on a common sense, qualitative basis. This can be viewed as a reasonableness test: are you doing what is reasonable under the circumstances to manage, i.e. prevent or minimise, the risk? The recommended rating scale is as follows:

- Excellent: Doing more than what a reasonable person would be expected to do in the circumstances.
- Adequate: Doing only what a reasonable person would be expected to do in the circumstances.
- Inadequate: Doing less than what a reasonable person would be expected to do in the circumstances.


If it is reasonably foreseeable that a risk may impact on the agency, then agencies should ensure controls are in place to manage the risk. These controls should be in line with what a reasonable person would do to avoid the unwanted effects of the risk. To assist in determining what is reasonable, the following should be considered:

1. the likelihood of the unwanted consequence/s occurring if no action was taken
2. the likely severity of the consequence
3. the availability, suitability and cost (financial and other) associated with implementing the control
4. the overall need to engage in a risk-creating activity
5. the extent of knowledge about the risk, its elimination or mitigation

The above five points should be given equal consideration and should guide agencies in implementing the controls that would be expected of a reasonable person.

It is important to remember that the adequacy of controls is considered in terms of doing all things reasonable to manage a risk, rather than all things possible. If budgets, resources and time were unlimited, then doing all things possible would be achievable. However, in reality budgets are capped and resources are limited.

b) Individual Control Assessment
While controls have been assessed as a group, each control needs to be looked at to ensure those controls are effective and being used. This is what is commonly referred to as the controls assurance process. It is a means to confirm the existence and effectiveness of an individual control and, in doing so, consideration should be given to factors such as:

- Is the Control relevant?
- Is the Control documented?
- Is the Control in use?
- Is the Control up to date?
- Is the Control effective?

If an existing control is identified as being ineffective, then the necessary improvements should be incorporated into a Treatment Action Plan.

The review and sign off of existing controls is an integral part of the management of the risk; responsibility needs to be assigned to control owners to ensure there is accountability for and ownership of this important aspect of the risk management process.

Hint: You might not be responsible for the management of all controls and as such some controls may not be managed by the risk owner. For example, Human Resources may be responsible for specific policies. The policy control would then be delegated for assessment to the appropriate and responsible Human Resources staff member.

3.3.2 Risk Analysis


This is the process of considering the consequences and likelihood of a particular risk scenario to determine the Level of Risk, using the Risk Reference Tables developed as part of setting the overall organisational framework. Refer to Appendix III for sample Risk Reference Tables.

Consequence Rating
A risk that eventuates may impact an agency across a number of different areas, to a greater or lesser extent. When analysing the consequences of a risk event, an agency needs to consider the level of impact (1 to 5) in relation to each of the consequence categories defined in the Consequence Rating Table. For example, a risk may have an impact of 5 for Financial Loss and 4 for Reputation and Image and little or no impact in the other areas. Both ratings may be recorded, as this demonstrates that your consideration of the risk has been thorough. When selecting the consequence rating, this must be done taking into account the existing controls for the particular risk.

Hint: Only select the consequence categories that are relevant to that risk. You do not have to rate every consequence category for each risk. Some consequences will not be applicable to a specific risk.

Likelihood Rating
This describes how likely it is that a risk will eventuate with the defined consequences. Likelihood can be defined in terms of probability or frequency, depending on what is most convenient for the agency's purposes.

Hints: When you are rating the likelihood of a risk, ask yourself "How likely is it for this risk to occur, given the existing controls, to the level of consequence identified?" Past experience is an important guide to likelihood, but do not fall into the trap of thinking it is the only guide. There may be internal or external factors that may increase or decrease the likelihood of such an event occurring in the future.

Calculating the Level of Risk
The Level of Risk, or Risk Rating, is calculated by multiplying the consequence and likelihood ratings. For any risk, there may be a number of different consequence/likelihood scenarios. Within each category there may be multiple scenarios, ranging from minor but likely to catastrophic but rare. It is important to rate the realistic worst-case scenario, which is the worst-case level of risk considering both consequences and likelihood. In these instances, it may be appropriate to rate the same consequence category more than once. Where there are multiple ratings for a risk, the highest combination of consequence/likelihood is taken as the level of risk.

In the example below, the assessor has considered two different scenarios in relation to Injuries: one with a potentially catastrophic consequence and the other with a moderate consequence. However, because of the difference in likelihood of these two scenarios, the highest level of risk (9 in this example) relates to the moderate consequence/moderate likelihood scenario, and as such determines the level of this risk.

Consequence Category | Consequence Rating | Likelihood Rating | Level of Risk | Explanation
Injuries             | 5                  | 1                 | 5             | Multiple deaths very rarely happen.
Injuries             | 3                  | 3                 | 9             | Injuries only requiring medical attention are more common.
Service Interruption |                    |                   |               | It is unlikely that services could be interrupted for more than three weeks.

Hints: A rating of 4 or 5 for either consequence or likelihood identifies a particular need to focus on the overall controls rating for those risks.

When dealing with risks that result in a Service Interruption, the agency may need to formulate a Business Continuity Plan (BCP) to address risks with major and/or catastrophic consequences (irrespective of likelihood rating). If you do identify a risk that will interrupt your services, you should determine what would be a maximum acceptable outage. That is, how long can you afford to have that service interrupted before the consequences become unacceptable? Once implemented the BCP is a risk control to facilitate the provision of critical services in a less than perfect operating environment until operations can be restored to normal. Refer to the Western Australian Government Business Continuity Management Guidelines for more detail.

3.3.3 Risk Evaluation


Once the Level of Risk has been determined, the next step is to evaluate the risk and see where it fits against the agency's overall risk criteria. An example Risk Acceptance Criteria Table is shown below. The table gives guidance as to the acceptability of the risk and who is responsible for the acceptance decision for that risk.


LEVEL OF RISK | CRITERIA FOR MANAGEMENT OF RISK | REPORTING TO | WHO IS RESPONSIBLE
1-3 Low | Acceptable | Annual reporting to Audit & RM Committee | Risk Owner
4-5 Low (excluding risk with consequence of 4 or 5) | With adequate controls | Annual reporting to Audit & RM Committee | Risk Owner
6-9 Moderate (excluding risk with consequence of 4 or 5) | With adequate controls | Quarterly reporting to Audit & RM Committee/Director | Director if not already the Risk Owner
10-14 Significant (including any risk with consequence of 4 or 5 and LOR <15) | Only acceptable with excellent controls | Quarterly reporting to Audit & RM Committee and Executive | Executive Director
15-25 Critical | Only acceptable with excellent controls | Immediate reporting to Executive and Director General | Director General
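The Level of Risk calculation from 3.3.2 and the lookup against the sample Risk Acceptance Criteria Table above, worked through as code. This is an added example and not part of the guidelines: it assumes 1 to 5 scales for both ratings and applies the table's "consequence of 4 or 5" rule to the scenario that determines the Level of Risk, so the Injuries example from 3.3.2 evaluates to a Level of Risk of 9 (Moderate).

```python
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Scenario:
    """One consequence/likelihood scenario, rated with existing controls in place."""
    category: str          # consequence category, e.g. "Injuries"
    consequence: int       # 1 to 5, scale assumed for this example
    likelihood: int        # 1 to 5, scale assumed for this example
    explanation: str = ""

    def __post_init__(self) -> None:
        for name in ("consequence", "likelihood"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def level_of_risk(self) -> int:
        """Level of Risk = consequence rating x likelihood rating (1 to 25)."""
        return self.consequence * self.likelihood


def realistic_worst_case(scenarios: Sequence[Scenario]) -> Scenario:
    """The scenario whose consequence/likelihood combination gives the highest Level of Risk."""
    if not scenarios:
        raise ValueError("at least one consequence/likelihood scenario is required")
    return max(scenarios, key=lambda s: s.level_of_risk)


@dataclass(frozen=True)
class Criteria:
    """One row of the Risk Acceptance Criteria Table."""
    band: str          # Low, Moderate, Significant or Critical
    criteria: str      # the "criteria for management of risk" column
    reporting: str
    responsible: str


# The sample table from the guidelines as (lowest LOR, highest LOR, row).
_ROWS = (
    (1, 3, Criteria("Low", "Acceptable",
                    "Annual reporting to Audit & RM Committee", "Risk Owner")),
    (4, 5, Criteria("Low", "With adequate controls",
                    "Annual reporting to Audit & RM Committee", "Risk Owner")),
    (6, 9, Criteria("Moderate", "With adequate controls",
                    "Quarterly reporting to Audit & RM Committee/Director",
                    "Director if not already the Risk Owner")),
    (10, 14, Criteria("Significant", "Only acceptable with excellent controls",
                      "Quarterly reporting to Audit & RM Committee and Executive",
                      "Executive Director")),
    (15, 25, Criteria("Critical", "Only acceptable with excellent controls",
                      "Immediate reporting to Executive and Director General",
                      "Director General")),
)
_SIGNIFICANT = _ROWS[3][2]
CONTROL_RATINGS = ("Inadequate", "Adequate", "Excellent")   # Overall Control Rating scale


def evaluate(determining: Scenario) -> Criteria:
    """Look the determining scenario up in the table, applying the consequence 4/5 rule."""
    lor = determining.level_of_risk
    # Table rule: a consequence of 4 or 5 with LOR below 15 is Significant even where the
    # LOR alone would fall in a lower band. Assumption: the rule is applied to the scenario
    # that determines the Level of Risk, not to every scenario rated for the risk.
    if determining.consequence >= 4 and lor < 15:
        return _SIGNIFICANT
    for low, high, row in _ROWS:
        if low <= lor <= high:
            return row
    raise ValueError(f"level of risk {lor} is outside the 1 to 25 range")


def is_acceptable(row: Criteria, controls_rating: str) -> bool:
    """Combine the table's criteria column with the Overall Control Rating from 3.3.1."""
    if controls_rating not in CONTROL_RATINGS:
        raise ValueError(f"unknown controls rating {controls_rating!r}")
    if row.criteria == "Acceptable":
        return True
    if row.criteria == "With adequate controls":
        return controls_rating in ("Adequate", "Excellent")
    return controls_rating == "Excellent"   # only acceptable with excellent controls


def assess(scenarios: Sequence[Scenario], controls_rating: str) -> dict:
    """Risk analysis (3.3.2) followed by evaluation (3.3.3); returns the register fields."""
    worst = realistic_worst_case(scenarios)
    row = evaluate(worst)
    return {
        "determining_scenario": worst,
        "level_of_risk": worst.level_of_risk,
        "band": row.band,
        "acceptable": is_acceptable(row, controls_rating),
        "reporting": row.reporting,
        "responsible": row.responsible,
    }
```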

3.3.4 Risk Ownership & Risk Decision


Each risk that is identified needs to be allocated a Risk Owner. This is the person responsible for managing the risk, and is usually the person who is directly responsible for the strategy, activity or function that relates to the risk. Some of the key responsibilities of the Risk Owner include:

- Sign-off on acceptance of the risk
- Responsible for the regular review of the risk
- Responsible for the regular reporting on the risk
- Monitoring of controls
- Monitoring/implementation of any risk treatments

Assigning risk ownership ensures a specific person is responsible and accountable for a particular risk. It is usually impractical and ineffective for risk ownership to be assigned to a body, such as a business unit or committee.

Where a risk meets the criteria for acceptance as defined by an agency's Risk Acceptance Criteria Table, the risk owner may accept the risk. Where a risk does not meet the criteria for acceptance, the risk must be managed by the position identified as having responsibility for that particular level of risk, as indicated by the Risk Acceptance Criteria Table. Similarly, a risk should also be transferred to the appointed authority for acceptance when it is defined as critical.


3.3.5 Risk Acceptance Decision


Once a risk has been analysed and evaluated, the Risk Owner makes an informed decision to do one of the following:

- Accept the risk: the opportunity outweighs the risk and the existing controls meet the criteria specified in the Risk Acceptance Criteria Table
- Avoid the risk: do not carry on with the activity that is associated with the risk
- Treat the risk: reduce the consequence, likelihood or both and/or improve the controls rating by strengthening existing controls or developing new controls, so that the risk can be accepted

The risk decision balances the issues of risk and opportunity. Should an opportunity be passed over because of the risks associated with it? Should more be done to manage the risk so as not to miss out on the opportunity? These are questions that the agency needs to address. An organisation cannot progress or improve without capitalising on opportunities, and opportunities will always have associated risks. The risk management process allows you to optimise these decisions and demonstrate you are effectively managing the risks.

Hint: In some circumstances, it may be necessary for an agency to accept a high level risk. Government agencies can be the provider of last resort in some instances or the only provider of specialised services. As such they may have no option but to continue to provide those services and assume the risk associated with them. In these circumstances it is important to ensure that the agency, for their own part, is doing all things reasonable to manage the risk.

3.3.6 Summary
In this step, we have assigned values (risk ratings) to individual risks and made decisions based on those ratings. We started by evaluating existing controls and subjecting them to an assurance process. Then, taking those controls into account, ratings were assigned to each risk for consequences, likelihood and level of risk, based on the measures established in Step 1. The rated risks are then evaluated against the risk acceptance criteria to determine how to manage the risk. There are three basic choices: accept the risk as is, accept the risk after treatment, or do not accept the risk. Finally, we discussed the importance of risk ownership to ensure that the risk is monitored and the controls remain in place.


3.4 Step 4: Risk Treatment


In the previous step, risks were assessed and decisions were made to accept them or not. In practical terms, risk avoidance, i.e. ceasing the activity that creates the risk, is rarely a practical option. Government agencies normally have their activities defined by a higher authority, and if there are risks associated with those activities, a way must be found to manage them.

In some cases, existing controls will be deemed to be adequate and effective, and the risk will be accepted as it stands. In other instances, the risk will need to be more effectively managed before it can be accepted. This latter case requires the formulation of risk treatments. Risk treatment involves identifying a range of options to reduce the consequences and/or likelihood of a risk, or improve the controls rating, evaluating those options, preparing treatment plans, and implementing them.

3.4.1 Identify, Evaluate and Select Treatment Options


Each unacceptable risk will have a number of treatments. Other than the option of avoiding the risk entirely, treatment options will do one or all of the following:

- Reduce the consequences of the risk if it eventuates
- Reduce the likelihood of the risk eventuating
- Improve the controls rating to Adequate or Excellent

Hints: You may see alternative treatment options in other texts, such as "transfer the risk" and "share the risk". However, the treatment resulting from transferring or sharing the risk will fit in the above categories: they reduce consequences and/or likelihood.

Managing risk is about doing all things reasonable, not all things possible. To evaluate the treatment options, a number of selection criteria can be applied:

How will the treatment impact the Level of Risk and/or Controls Rating? For each treatment option, a predicted level of risk and controls rating should be calculated, considering the impact of adding this option as a new control. Treatment options which reduce the level of risk to an acceptable level and/or improve the controls rating should be considered.

Cost of implementation versus benefits derived: Selecting appropriate options involves balancing the cost against the benefits derived. An option may appear to be the best option from a risk reduction perspective, but the cost of implementation may be prohibitive.

Compatibility with agency objectives: The options selected need to be compatible with the overall objectives of the agency. Treatments that are incompatible with existing objectives, culture, or policies are obviously unacceptable, no matter how effective they might prove.

3.4.2 Prepare & Implement Treatment Plans


The purpose of the treatment action plans is to document how the chosen options will be implemented. These plans should include the following:

- Proposed actions: What is the selected treatment?
- Resource requirements: What is required to implement the treatment?
- Responsibility: Who has responsibility to implement the treatment, i.e. the Treatment Owner?
- Timing: What are the timeframes for treatment implementation?
- Performance measures: What are the key indicators that will demonstrate the progress of implementation and ultimately the effectiveness of the treatment option?
- Reporting and monitoring requirements: Who needs to be informed during and at completion of the implementation of the treatment? How will the implementation be monitored?

A treatment becomes a control only when it has been 100% implemented and signed off by the Treatment Owner. It is then subject to controls assurance and the regular monitoring and review process. Following the implementation of the treatment options, the level of risk needs to be re-evaluated to determine if the treatment brings the risk to an acceptable level for the agency. If not, further treatment options may need to be selected.

3.4.3 Summary
Formulating and implementing Treatment Action Plans is the final step in the risk management process, but it is only the beginning of fully integrating risk management into your agency. If the process stops once it becomes a set of documents, it will generate minimal benefit, and the time you spent on Steps 1 to 4 will be wasted.


3.5 Using Risk Information

Risk management does not end once risks have been identified, assessed and documented. The risk information generated should be used to inform the agency's strategic and/or operational plans, and to guide budgets or financial statements. Risk information thus becomes part of everyday thinking. How risk information is extracted and used is facilitated by how risk information is categorised, sorted and reported.

3.5.1 Categorisation of Risk


a) Source of Risk
A useful approach to help identify any common causes of risks across different areas of an organisation is to categorise the risks by source of risk. This facilitates the reporting and management of those systemic issues, allowing common causes to be managed with agency-wide controls or treatments rather than at an area or department level.

Hint: Appropriate and useful risk categories should be determined by each agency as part of setting the organisational context. These are often linked to the categories of an agency's quality framework. Examples of categories are:

- Leadership
- Strategy and Planning
- Knowledge and Information
- People
- Customer and Market Focus
- Innovation, Quality and Improvement
- Success and Sustainability

b) Impact Range
Another way to categorise risks is by impact range. The impact range is a classification hierarchy which indicates how wide the consequences of the risk will reach, within the agency and beyond.

Hint: If the risk were to eventuate, ask yourself "How wide an impact could it have?" Could the risk impact a specific division/department, the whole agency, or even the whole of the State? Common Impact Range descriptors include:

- State-wide
- Agency-wide
- Metro-wide
- Directorate-wide
- Division-wide


Project Risks
Project risks are unique to each project and are identified at various stages of the project life cycle. Risks evolve through each of these stages, for example from conception and design through to completion and handover, and it is important that these be captured and monitored to ensure project success. Contracts are a key component of most projects. Contracts not only represent a formalised agreement between the principal and the contractor; they also incorporate risks identified throughout the project's life cycle. These risks go towards informing the contract's terms and conditions. Hence it is critical that a thorough risk assessment be conducted prior to contract formation to ensure that, where appropriate, risks are managed within the contract.

3.5.2 Using Project Risk Information


Project risks are those issues which will affect the successful delivery of the project, specifically its cost, timeliness and deliverables. It is important to integrate risk thinking into the project planning as the risk information can provide ideal checklists of what needs to be done to achieve a successful project and when it should be done.

The early identification of the critical information will inform project planning and management, including the formulation of any contracts required for delivery of specific services or elements of the project. The terms and conditions specified in the contract should be reflective of the risk sharing decisions.


4. MONITOR AND REVIEW


As with communication and consultation, monitoring and review is an ongoing part of risk management that is integral to every step of the process. It is also the part of risk management that is most often given inadequate focus, and as a result the risk management programs of many agencies become irrelevant and ineffective over time. Monitoring and review ensures that the important information generated by the risk management process is captured, used, and maintained.

Refer to Appendix IV for a sample risk register.

Monitoring and review are related processes, but the distinctions between them are important in the context of risk management:

- Monitoring is an ongoing process of routine surveillance of both internal and external environments.
- Review is a more periodic process that looks at the current status or situation, and usually has a specific focus.

Monitoring and review should be designed to detect both gradual and sudden change. Continuous monitoring is most likely to detect a dramatic change in a timely fashion, whereas periodic review of a particular aspect of the risk process is more oriented towards detecting trends and incremental change.

4.1 Focus Areas


Monitor and review procedures are focused on two principal areas of risk management.

The first area relates to issues specific to a particular risk assessment, which would cover the following:

Context: the risk assessment context was established from a number of facts and deductions. For instance, the operational environment, agency structure, stakeholder expectations, statutory requirements, economic conditions and political environment are all based on perceptions at the time. The monitoring and review process should detect if any of these underlying assumptions have changed, or if new factors have emerged that impact upon the context of the particular risk assessment.

Risks & Controls: numerous factors can cause the likelihood and consequences of risks, or the actual nature of the risks themselves, to change. The controls for risks can also become less effective or irrelevant. Monitoring by the risk owner and others will ensure the timely detection of these changes so that appropriate action can be taken.


Treatments: risk treatments need to be monitored and reviewed to ensure they are on course to be fully and correctly implemented. In some cases, treatments need to be adapted or strengthened because the risk they are designed to address has changed; in other instances, resources can be saved by discontinuing irrelevant treatments.

The second area for monitor and review is in the application of the risk management process across the entire agency, with specific attention to the following:

- Consistent application of the risk management process across the agency
- Incorporation of the risk management process into Strategic, Operational and Project planning
- Adoption of risk management practices and procedures by staff at all levels

4.2 Risk Management Performance Measures


To be able to effectively monitor and review the management of risk within an agency, appropriate performance indicators need to be developed. These may be strategically or operationally focused. Higher-level organisational performance measures should be used to judge the performance of risk management within the agency. To ensure there is congruency between the risk management process and organisational performance measures, risk management should be linked into strategic plans, budgeting cycles and other all-encompassing documentation within the agency. At an operational level, both outcome and process measures should be used as benchmarks. Outcome-based performance indicators (PIs) include claim reports and are relatively accurate and sensitive. Process-based PIs measure activities and processes as they occur and thus provide more timely, if less precise, information about changes. An example of an outcome based PI is a performance report

4.3 Roles and Responsibilities


The monitoring and review of an agency's risks is an integral part of all core business functions, and it should be seen and treated as such.

The monitoring and review of the risk specific contexts, risks, controls and treatments is primarily the responsibility of Risk, Control and Treatment Owners and should be integrated into the existing reporting lines and forums of the agency.

The monitoring and review of the application of the agency's Risk Management Policy and Procedures should be integrated into the role of Senior Management, who should then ensure that the process is effective in delivering the desired outcomes. Internal and external audit may also play an important part in verifying application of the risk management process.

Risk management should be fully incorporated into the operational and management processes at every level of the organisation.

A final comment with regard to monitoring and review is the important role it plays in good corporate governance. All government agencies face increasing requirements for sound and transparent decision making and prudent allocation of resources. The monitoring and review process is pivotal in fulfilling these requirements. A structured risk management process provides a means for Senior Executives and Directors to stay informed about the risks associated with their agency's activities and to ensure appropriate measures are in place to address those risks. It contributes transparency and objectivity to decision making, and it provides an audit trail to demonstrate how those accountable officers have fulfilled their obligations to provide good governance.

5. RISK MANAGEMENT IMPLEMENTATION


The key steps in implementing a risk management process within an agency are summarised below.

The risk management process will:

- Consider risks at all levels of the agency's operations (strategic, operational and project);
- Integrate with business planning objectives, decision making and other elements of the agency's management framework;
- Involve the whole organisation, from the board to senior management and employees.

The main principles underpinning effective risk management are:

- Senior management commitment to a formal, documented and fully integrated risk management process;
- Use of common risk language;
- Clearly defined responsibility & accountability for functions, activities and associated risks;
- A process for identification and management of risk which is fully integrated with existing management processes including business planning, budgeting and reporting processes;
- Risk management is reinforced through training and induction;
- Outcomes are monitored through the involvement of Senior Management and establishment of support functions and champions.

1. Executive Awareness and Commitment


This involves the development of an organisational risk management philosophy and awareness of risk at senior levels and includes the nomination of an Executive Sponsor who will act as a champion of the process, and a Risk management Co-ordinator who will assist the sponsor by facilitating the process.

2. Development of the Risk management Framework


The risk management framework defines the context for managing risk within an agency as discussed in Step 1. It includes:

Risk management Policy - Develop a Risk Management Policy.

Refer to Appendix II for sample Policy document.

Risk management Procedures - Provide direction and application of the risk management process for the agency.

Risk Reference Tables - Use of the Risk Reference Tables is critical to provide a uniform measuring standard for risk and the means to aggregate and prioritise risks across the agency as a whole. Due to its criticality, it is imperative that there is Senior Executive input during their creation and their approval for use within the agency.

Refer to Appendix III for sample Risk Reference Tables

Risk Register Tool - Agencies need to determine how to capture and report on the risk information captured through this process. Refer to the RiskCover website www.riskcover.wa.gov.au for the latest information regarding the RiskBase Web Application Tool.

3. Communication / Education
A program of education and communication needs to be developed for the agency. This is typically managed by the Executive and Management who form the Risk Management Committee. They are charged with:
- dissemination of the policy and procedures
- raising awareness about managing risks
- delivering education sessions on the specifics of the process
- a performance management process
- a process for recognition, rewards and sanctions.

4. Managing Risks at the Strategic Level


Risk Identification - Some aspects of the strategic planning process where risks can be easily and readily identified include:
- A Strategic Performance Review - looking at what has gone wrong in previous terms
- A Stakeholder Analysis - looking at the risks of not meeting stakeholder expectations
- External and Internal Environmental Analysis - those external factors affecting the agency
- SWOT Analysis - looking at both the internal and external environmental factors
- Strategy Formulation - using risk information to inform the process of developing strategies
- Strategy Implementation - looking at those risks which will impact on the successful implementation of the chosen strategies

5. Managing Risks at the Business Unit Level


Business Unit Directors/Managers need to agree on a program for identifying and evaluating risks associated with the functions performed within their Business Unit/s. At this level they should be looking at the risks associated with their Business Unit's operational plan and the functions they perform.

The reporting on risks and management of the risks should be integrated into the Business Unit's existing reporting forums and timeframes.

6. Monitor and Review


- Develop indicators to measure the performance of the risk management process.
- Risk reporting - establish the process for business units and project teams to report on their risks and the progress of treatments, in response to Executives' and Managers' need for risk information.
- Link incident and accident reporting mechanisms to the risk management process.
- Risk auditing - develop links to the internal audit process to ensure that the risk management process is efficient and effective in meeting the objectives set out in the Policy and that key organisational risks are being managed.

Refer to Appendix V for a sample Implementation Schedule.


Appendix I
Glossary


Business Continuity Management (BCM)


Business Continuity Management is a discipline that prepares an organisation for the unexpected. It is a management process that provides the framework for building resilience to business and service interruption risks, responding in a timely and effective manner to ensure continuity of critical business activities, and ensuring the long term viability of the organisation following a disruptive event.

Business Continuity Plan (BCP)


The principal output of the BCM process. A BCP is, in effect, a treatment plan for certain risks, the consequences of which could disrupt core functions. The plan outlines the actions to be taken and resources to be used before, during and after a disruptive event to ensure the timely resumption of critical business activities and long term recovery of the organisation.

Cause (or Trigger)


The factors, either root or contributory, that may give rise to a risk event. A risk can have multiple causes.

Communication and Consultation


Continual and interactive processes that an organisation conducts to provide, share or obtain information and to engage in dialogue with stakeholders and others regarding the management of risk. (Note: The information can relate to the existence, nature, form, likelihood, severity, evaluation, acceptability, treatment or other aspects of the management of risk. Consultation is a two-way process of informed communication between an organisation and its stakeholders or others on an issue prior to making a decision or determining a direction on a particular issue. Consultation is a process which impacts on a decision through influence rather than power, and an input to decision making, not joint decision making.)

Consequence
The impact or outcome of a risk eventuating. A risk can have multiple consequences and can be expressed qualitatively or quantitatively.

Consequence Categories
These are key impact areas which, if affected as a result of a particular risk event, could have a significant impact on the ability of an Agency to deliver its outcomes. Consequence Categories are agency specific, and should reflect the Agency's economic, social and environmental responsibilities.

Control
A procedure, system, activity or process that reduces the likelihood and/or consequences of a risk. A risk may have more than one control, and a control may address more than one risk.


Controls Rating
A qualitative, common-sense measure of the adequacy of controls in addressing a risk.

Controls Assurance
The process whereby Control Ratings are verified through a series of questions regarding their relevance and effectiveness.

Critical Success Factor (CSF)


A factor which is essential for the successful performance of a Key Activity.

Impact Range
A measurement of how widespread the consequences of a risk may be. This measurement can assist in the assessment of controls and the formulation of treatments.

Implementation Plan
A plan created to establish how the risk management process is to be implemented into an organisation.

Key Activity
Any high level activity or function that is instrumental in an agency delivering required outcomes or performing its mission.

Key Dependency
Inputs which are essential to enable the delivery of a service, function or project, e.g. resources, specific data, specific equipment or knowledge.

Likelihood
A measure of how likely it is that a certain consequence will eventuate, ranging from rare to almost certain.

Monitor
An ongoing process of surveillance of the internal and external environments to ensure that risks continue to be effectively and appropriately managed.

Operational (Context)
Deals with operational risks: those risks associated with normal, ongoing operations and activities.


Performance Indicators (PIs)


Clear, simple measures of performance over time used in the monitor and review process. PIs can measure either processes or outcomes.

Project (Context)
Deals with Project Risks: those risks associated with defined projects and other discrete undertakings.

Residual Risk
Risk remaining after risk treatment.

Review
Periodic assessment of a specific aspect of the risk management process or a particular group of risks to determine if there have been gradual changes over time and ensure they achieve established objectives (Note: Review can be applied to a risk management framework, risk management process, risk or control).

Risk (or Risk Event)


(from ISO 31000:2009) effect of uncertainty on objectives

NOTE 1 An effect is a deviation from the expected, positive and/or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events and consequences, or a combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in the circumstances) and the associated likelihood of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.

Risk Acceptance Criteria


Agency specific criteria, formulated in Step 1, that delineate under what conditions risks of a certain level can be accepted. The higher the risk rating, the higher the standard of controls, monitoring and ownership required. Risk criteria are based on organisational objectives and the external and internal environments, and can be derived from standards, laws, policies and other requirements.

Risk Analysis
A process that assigns a risk rating to each risk by evaluating the effectiveness of existing controls and assigning values for Consequences and Likelihood for various scenarios.


Risk Assessment
Step 3 of the risk management process, which involves assigning values (Risk Ratings) to individual risks and deciding how to manage them (risk evaluation).

Risk Categories
Categorisation of risks within the agency by type, often based on source of risk. This helps identify common risks in different functional areas.

Risk Decision
The decision made after Risk Evaluation, balancing risk and reward.

Risk Evaluation
Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.

Risk Identification
Step 2 of the Risk management Process, which uses Critical Success Factors and Key Dependencies to identify risks.

A process of finding, recognising and describing risks relating to CSFs and Key Dependencies. The identification of risk includes the identification of risk sources, events, their causes and their potential consequences. Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' needs.

Risk Management
The practice of systematically identifying, understanding, and managing the risks encountered by an organisation.

Risk Management Framework


Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation. The Framework includes the policy, objectives, mandate, accountabilities, resources, processes, activities and commitment to managing risk. The Risk Management Framework is embedded within the organisation's overall strategic and operational policies and practices.

Risk management Policy


Statement of the overall intentions and direction of an organisation related to risk management.


Risk Management Process


Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.

Risk Owner
The person with the accountability and authority, specifically assigned in Step 3 to manage the risk, including monitoring the risk, its controls and any treatments that are implemented.

Risk Profile
A description of any set of risks. The set of risks can contain those that relate to the whole organisation, part of the organisation, or as otherwise defined.

Risk Rating (or Level of Risk)


The value assigned to the risk which represents the highest product of Consequence and Likelihood.

Risk Reference Tables


Collective term for the various risk measurement and evaluation tools formulated in Step 1.

Risk Tolerance (or Risk Appetite)


The degree that an organization is willing to accept risk in order to achieve its objectives. Risk tolerance is a product of mission, culture, policy, and other factors that determine what an agency is and how it goes about its business.

Stakeholder
Person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity. There are internal (e.g. employees) and external (e.g. community groups) stakeholders.

Strategic (Context)
Deals with strategic risks: risks which concern the whole agency and are associated with long term organizational objectives. Strategic risk management is most effective when conducted as an integral part of the strategic planning process.

Treatment
A measure that is designed and implemented to further reduce the consequences and/or likelihood of a risk, or to improve the overall controls rating. Once a treatment is fully implemented and effective (in place), it becomes a control.

Treatment Action Plan (TAP)


The plan formulated for the selected treatments in Step 4 to ensure they are fully and properly implemented. TAPs should identify owners, proposed actions, resource requirements, schedule and predicted effect on the risk.


Appendix II
Sample Risk Management Policy


SAMPLE: AGENCY NAME

Risk Management Policy


It is the policy of the agency to achieve Best Practice in the management of all risks that threaten to adversely impact the agency, its customers, people, assets, functions, objectives, operations or members of the public.

Risk management will form part of strategic, operational and line management responsibilities and be integrated into the Strategic and Business Planning processes. In respect of a special risk, responsibility may be assigned to a nominated officer of the agency, or a Committee Chairman, as determined by the need.

There will be an Executive Risk management Committee to determine and communicate Policy, Objectives, Procedures and Guidelines and to direct and monitor implementation, practice and performance throughout the agency.

Performance will be measured by: implementation and documentation of risk management, identification of risks and successful treatment in accordance with procedures and guidelines, mitigation and control of any losses, reduction in the costs of risks, and achievement of Best Practice.

Consultants may be retained from time to time to advise and assist in the risk management process, or in the management of specific risks or categories of risk.

Every employee of the agency is recognised as having a role in risk management, from vigilance in the identification of risks through to their treatment, and shall be invited and encouraged to participate in that process.

Objectives

To ensure Risk management is adopted throughout the agency as a prudent management practice.

To ensure that all employees are made aware of the need to manage risk and to promote a culture of participation in that process.

To protect the agency from adverse incidents, to reduce its exposures to loss and to mitigate and control loss should it occur.

To ensure the ongoing, unimpeded capacity of the agency to fulfil its mission, perform its key functions, meet its objectives and serve its customers.

To reduce the costs of risk to both the agency and the Western Australian State Government.

To adhere to Australian Risk management Standards and comply with the Public Sector Commissioner's Circular 2009/19.

Appendix III
Sample Risk Reference Tables


Sample 1

EXISTING CONTROLS

LEVEL | DESCRIPTOR | FORESEEABLE
E | Excellent | More than what a reasonable person would be expected to do in the circumstances.
A | Adequate | Only what a reasonable person would be expected to do in the circumstances.
I | Inadequate | Less than what a reasonable person would be expected to do in the circumstances.

QUALITATIVE MEASURES OF CONSEQUENCE

Level 1 - Insignificant
  Injuries: Minor incident / near miss report but no immediate signs of injury
  Reputation & Image: Individual tenant / contractor / client complaint. Issue rectified at local level
  Financial Loss: Revenue/cost impact 0-2% of operational budget
  Operational Efficiency: Impact absorbed through routine operations
  Interruption to Services: All agency activity stopped for less than 2 hours
  Social/Community: Low localised event with no broader impacts

Level 2 - Minor
  Injuries: Injury or illness requiring first aid only
  Reputation & Image: Negative media article. Low local exposure. Tenant / client / contractor complaint handled at Line Manager level
  Financial Loss: Revenue/cost impact 2-5% of operational budget
  Operational Efficiency: Minor delays in achieving objectives. Majority of objectives remain on track.
  Interruption to Services: All agency activity stopped for 2 - 4 hours
  Social/Community: Minor delay impacting on ability to meet social / community expectations

Level 3 - Moderate
  Injuries: Medical treatment necessary / insurance claim / rehabilitation programme / lost time injury or illness.
  Reputation & Image: Some negative media coverage or industry criticism. Tenants / clients / contractors make formal complaints. General Manager/Director involved.
  Financial Loss: Revenue/cost impact 5-10% of operational budget
  Operational Efficiency: Management effort required to redirect resources to avoid delays in achieving strategic intents. Administration of the program / project / activity could be subject to significant review or change
  Interruption to Services: All agency activity stopped for 4 hours - 1 day
  Social/Community: Community backlash, social and community rejection

Level 4 - Major
  Injuries: Substantial damages / life threatening injury or illness
  Reputation & Image: Extensive public criticism. Statewide media exposure. Public embarrassment. Loss of credibility. Director General involvement.
  Financial Loss: Revenue/cost impact 10-20% of operational budget
  Operational Efficiency: Significantly reduced ability to achieve objectives / key deliverables. Continued function of the program / project / activity would be threatened.
  Interruption to Services: All agency activity stopped for 1 - 3 days
  Social/Community: Long delays in service delivery lead to Statewide impacts socially, economically and financially. Emerging environment and/or health issues.

Level 5 - Catastrophic
  Injuries: Loss of life. Permanent disabilities
  Reputation & Image: Sustained State and National media reporting. Very high multiple impacts across Government. Minister involved. Government censure. Third party actions
  Financial Loss: Revenue/cost impact more than 20% of operational budget.
  Operational Efficiency: Failure to achieve one or more key deliverables resulting in major flow on effects for external stakeholders and other public sector agencies.
  Interruption to Services: All agency activity stopped for more than 3 days
  Social/Community: Widespread social problems causing multiple impacts. Serious long term environmental and health issues.

QUALITATIVE MEASURES OF LIKELIHOOD

LEVEL | DESCRIPTOR | EXAMPLE DETAIL DESCRIPTION | FREQUENCY
1 | Rare | The event may occur only in exceptional circumstances. | Less than once in 5 years
2 | Unlikely | The event could occur at some time. | At least once in 5 years
3 | Moderate | The event should occur at some time. | At least once in 3 years
4 | Likely | The event will probably occur in most circumstances. | At least once per 1 year
5 | Almost certain | The event is expected to occur in most circumstances. | More than once per year

RISK ACCEPTANCE CRITERIA TABLE

LEVEL OF RISK | CRITERIA FOR MANAGEMENT OF RISK | WHO IS RESPONSIBLE
1 - 3 Low | Only acceptable with adequate controls. | Risk Owner
4 - 5 Minor | Only acceptable with adequate controls. | Risk Owner
6 - 11 Significant | Only acceptable with Excellent controls. | CEO / Executive Group
12 - 25 Extreme | Only acceptable with Excellent controls. | CEO / Executive Group

RISK ASSESSMENT CRITERIA TABLE

Consequence \ Likelihood | 1 Rare | 2 Unlikely | 3 Moderate | 4 Likely | 5 Almost Certain
1 Insignificant | 1 | 2 | 3 | 4 | 5
2 Minor | 2 | 4 | 6 | 8 | 10
3 Moderate | 3 | 6 | 9 | 12 | 15
4 Major | 4 | 8 | 12 | 16 | 20
5 Catastrophic | 5 | 10 | 15 | 20 | 25

Approved as at ..../..../....

By: .......................................

Title: ..................................................................

Sample 2

EXISTING CONTROLS

LEVEL | DESCRIPTOR | FORESEEABLE
E | Excellent | More than what a reasonable person would be expected to do in the circumstances.
A | Adequate | Only what a reasonable person would be expected to do in the circumstances.
I | Inadequate | Less than what a reasonable person would be expected to do in the circumstances.

QUALITATIVE MEASURES OF CONSEQUENCE

Level 1 - Insignificant
  Financial: < $10 000
  Interruption to Services: less than 1 hour
  Reputation & Image: Unsubstantiated, low impact or no news item.
  Injuries: Minor injuries not requiring First Aid, or near miss. No psychological stress
  Stakeholder Impact: Insignificant weakening of a single stakeholder relationship and little impact to staff morale
  Compliance: No noticeable regulatory or statutory impact

Level 2 - Minor
  Financial: $10 000 - $50 000
  Interruption to Services: 1 hour to 1 day
  Reputation & Image: Substantiated, low impact, low news profile.
  Injuries: First aid treatment and/or one off counselling
  Stakeholder Impact: Damage to 3 stakeholder relationships and temporary change to staff morale, able to be rectified in the short term
  Compliance: Some temporary non compliances

Level 3 - Moderate
  Financial: $50 000 - $500 000
  Interruption to Services: 1 day to 1 week
  Reputation & Image: Substantiated, public embarrassment, moderate impact, moderate news profile, Ministerial involvement.
  Injuries: Medical treatment required and/or psychological intervention/treatment required
  Stakeholder Impact: Weakened relationship with a significant number of stakeholders and some reduction in staff morale, requiring specific measures to rectify
  Compliance: Short term non compliance but with significant regulatory requirements imposed

Level 4 - Major
  Financial: $500 000 - $1.5 m
  Interruption to Services: 1 week to 1 month
  Reputation & Image: Substantiated, public embarrassment, high impact, high news profile, Third Party actions, public Ministerial involvement.
  Injuries: Serious or extensive injuries and/or significant and long term psychological stress
  Stakeholder Impact: Damage done to the majority of existing stakeholder relationships and significant and widespread staff absences
  Compliance: Non compliance results in termination of service or imposed penalties

Level 5 - Catastrophic
  Financial: > $1.5 m
  Interruption to Services: More than 1 month
  Reputation & Image: Substantiated, public embarrassment, very high multiple impacts, high widespread multiple news profile, Third Party actions, public Ministerial involvement, Government censure.
  Injuries: Death or severe permanent physical and/or psychological disablements.
  Stakeholder Impact: Total loss of credibility with all stakeholders and loss of key staff
  Compliance: Non compliance results in criminal charges or loss of required accreditation

QUALITATIVE MEASURES OF LIKELIHOOD

LEVEL | DESCRIPTOR | EXAMPLE DETAIL DESCRIPTION | FREQUENCY
1 | Rare | The event may occur only in exceptional circumstances. | Less than once in 5 years
2 | Unlikely | The event could occur at some time. | At least once in 5 years
3 | Moderate | The event should occur at some time. | At least once in 3 years
4 | Likely | The event will probably occur in most circumstances. | At least once per 1 year
5 | Almost certain | The event is expected to occur in most circumstances. | More than once per year

RISK ACCEPTANCE CRITERIA TABLE

LEVEL OF RISK | CRITERIA FOR MANAGEMENT OF RISK | REPORTING TO | WHO IS RESPONSIBLE
1 - 3 Acceptable | With adequate controls | Annual reporting to Audit & RM Committee | Risk Owner
4 - 5 Low (excluding risk with consequence of 4 or 5) | With adequate controls | Annual reporting to Audit & RM Committee | Risk Owner
6 - 9 Moderate (excluding risk with consequence of 4 or 5) | With adequate controls | Quarterly Reporting to Audit & RM Committee/Director | Director if not already the Risk Owner
10 - 14 Significant (including any risk with consequence of 4 or 5 and LOR <15) | Only acceptable with excellent controls | Quarterly Reporting to Audit & RM Committee and Executive | Executive Director
15 - 25 Critical | Only acceptable with excellent controls | Immediate Reporting to Executive and Director General | Director General

(Note: Any risk with a consequence rating of 4 or 5 can only be accepted by the Executive Director with Excellent Controls)

RISK ASSESSMENT CRITERIA TABLE

Consequence \ Likelihood | 1 Rare | 2 Unlikely | 3 Moderate | 4 Likely | 5 Almost Certain
1 Insignificant | 1 | 2 | 3 | 4 | 5
2 Minor | 2 | 4 | 6 | 8 | 10
3 Moderate | 3 | 6 | 9 | 12 | 15
4 Major | 4 | 8 | 12 | 16 | 20
5 Catastrophic | 5 | 10 | 15 | 20 | 25

(Note: Any risk with a consequence rating of 4 or 5 can only be accepted by the Executive Director with Excellent Controls)
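The Sample 2 tables above, worked as an added example that is not part of these guidelines: a small Python risk register that computes the Level of Risk from the Risk Assessment Criteria Table, applies the Sample 2 acceptance bands including the consequence 4 or 5 override from the note, and checks the existing controls rating against the required standard. The category labels and the three register entries are constructed for illustration.

```python
"""Risk rating and acceptance under the Sample 2 Risk Reference Tables.

Added example, not part of the RiskCover guidelines: it encodes the Sample 2
Risk Acceptance Criteria Table and the Risk Assessment Criteria matrix as
printed above. The sample register entries at the bottom are constructed.
"""
from dataclasses import dataclass

# EXISTING CONTROLS levels, weakest to strongest (Inadequate, Adequate, Excellent).
CONTROLS_RANK = {"I": 0, "A": 1, "E": 2}


def level_of_risk(consequence: int, likelihood: int) -> int:
    """Risk Assessment Criteria Table: Level of Risk (LOR) = Consequence x Likelihood."""
    if not (1 <= consequence <= 5 and 1 <= likelihood <= 5):
        raise ValueError("consequence and likelihood are rated 1 to 5")
    return consequence * likelihood


@dataclass(frozen=True)
class Band:
    name: str
    required_controls: str  # minimum controls rating for the risk to be acceptable
    reporting: str
    responsible: str


def band_for(lor: int, consequence: int) -> Band:
    """Sample 2 Risk Acceptance Criteria Table, including the note that any risk
    with a consequence rating of 4 or 5 is excluded from Low and Moderate and can
    only be accepted by the Executive Director with Excellent controls."""
    if lor >= 15:
        return Band("Critical", "E", "Immediate Reporting to Executive and Director General", "Director General")
    if lor >= 10 or consequence >= 4:
        return Band("Significant", "E", "Quarterly Reporting to Audit & RM Committee and Executive", "Executive Director")
    if lor >= 6:
        return Band("Moderate", "A", "Quarterly Reporting to Audit & RM Committee/Director", "Director if not already the Risk Owner")
    if lor >= 4:
        return Band("Low", "A", "Annual reporting to Audit & RM Committee", "Risk Owner")
    return Band("Acceptable", "A", "Annual reporting to Audit & RM Committee", "Risk Owner")


@dataclass(frozen=True)
class Scenario:
    category: str     # a consequence category from the Sample 2 table
    consequence: int  # 1 Insignificant .. 5 Catastrophic
    likelihood: int   # 1 Rare .. 5 Almost certain


@dataclass(frozen=True)
class Risk:
    name: str
    controls: str     # E, A or I from the EXISTING CONTROLS table
    scenarios: list


def assess(risk: Risk) -> dict:
    """Rate a risk and decide whether it is acceptable as currently controlled.
    Per the glossary the Risk Rating is the highest product of Consequence and
    Likelihood across the scenarios; the 4-or-5 override uses the worst consequence."""
    if risk.controls not in CONTROLS_RANK:
        raise ValueError("controls rating must be E, A or I")
    lor = max(level_of_risk(s.consequence, s.likelihood) for s in risk.scenarios)
    worst = max(s.consequence for s in risk.scenarios)
    band = band_for(lor, worst)
    acceptable = CONTROLS_RANK[risk.controls] >= CONTROLS_RANK[band.required_controls]
    return {
        "risk": risk.name,
        "level_of_risk": lor,
        "band": band.name,
        "required_controls": band.required_controls,
        "acceptable_as_is": acceptable,
        "reporting": band.reporting,
        "accepted_by": band.responsible,
    }


# Constructed sample register entries (not taken from the guidelines).
SAMPLE_RISKS = [
    Risk("Payroll system outage", "A", [
        Scenario("INTERRUPTION TO SERVICES", 2, 3),
        Scenario("FINANCIAL", 2, 3),
    ]),
    # Rare but catastrophic: LOR is only 5, yet the consequence-5 rule lifts it
    # out of the Low band, so Adequate controls are no longer enough.
    Risk("Loss of required accreditation through non compliance", "A", [
        Scenario("COMPLIANCE", 5, 1),
        Scenario("REPUTATION & IMAGE", 3, 1),
    ]),
    Risk("Repeated minor site injuries", "E", [
        Scenario("INJURIES", 2, 5),
    ]),
]

if __name__ == "__main__":
    for entry in SAMPLE_RISKS:
        print(assess(entry))
```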

Approved as at ..../..../....

By: .......................................

Title: ..................................................................

Sample 3

EXISTING CONTROLS

LEVEL | DESCRIPTOR | FORESEEABLE | EXAMPLE DETAIL DESCRIPTION
E | Excellent | More than what a reasonable person would be expected to do in the circumstances. | Controls fully in place and require only ongoing maintenance and monitoring. Protection systems are being continuously reviewed and procedures are regularly tested.
A | Adequate | Only what a reasonable person would be expected to do in the circumstances. | Being addressed reasonably. Protection systems are in place and procedures exist for given circumstances. Periodic review.
I | Inadequate | Less than what a reasonable person would be expected to do in the circumstances. | Little to no action being taken. No protection systems exist or they have not been reviewed for some time. No formalised procedures.

QUALITATIVE MEASURES OF CONSEQUENCE

Level 1 - Insignificant
  Injuries: Minor injuries not requiring first aid, or near miss
  Financial Loss: Less than $10,000
  Natural Environment - Water Bodies: Plant life not affected. No loss of marine life. Loss of water quality temporarily for less than 12 hours. Water levels not affected. Area will regenerate in less than 6 months with minimal interruption or repair
  Natural Environment - Flora & Fauna: Insignificant effect on flora. No animals affected. Less than 20ha affected. Will regenerate in less than 6 months with minimal intervention or repair
  Historic: Minor maintenance, localised, reparable damage affecting items/areas of little significance
  Reputation & Image: Credibility not challenged. Low impact or no news item
  Interruption to Critical Services: Less than 2 hours
  Operational Efficiency: Little impact

Level 2 - Minor
  Injuries: First aid treatment
  Financial Loss: $10,000 - $50,000 of operational budget
  Natural Environment - Water Bodies: Less than 10% of water communities affected. Water quality affected for less than 24 hours. Water level rise of 0.5-1m above highest natural level. Minor impact to fish/mammals/sea birds/reptiles. 50-200 ha affected. Area will regenerate in 6-18 months with low level of intervention
  Natural Environment - Flora & Fauna: Less than 10% of plant or mammal life affected. 20ha-100ha affected. Area will regenerate in 6-18 months with low level of intervention or repair
  Historic: Limited, reparable damage of items/areas of some significance
  Reputation & Image: Credibility challenged locally by an individual. Minor impact, low news item
  Interruption to Critical Services: 2 hours - 4 hours
  Operational Efficiency: Inconvenient delays

Level 3 - Moderate
  Injuries: Medical treatment required
  Financial Loss: $50,000 - $250,000 of operational budget
  Natural Environment - Water Bodies: 10-40% of water communities affected. Water quality affected for 1-3 days. Water level rise of 1-2m above highest natural level. 201-400 hectares affected. Loss of 20-100 fish. Communities will regenerate in 18 months to 5 years with some level of intervention and repair
  Natural Environment - Flora & Fauna: 10-40% of plant or mammal life affected. 101ha-200ha affected. Will regenerate in 18 months - 5 years with some level of intervention or repair
  Historic: Limited, irreparable damage of items/areas of some significance
  Reputation & Image: Public criticism of moderate impact from a number of sources, moderate news profile, Minister involved
  Interruption to Critical Services: 4 hours - 1 day
  Operational Efficiency: Delays in deliverables

Level 4 - Major
Injuries: Death or severe injury.
Financial loss: $250,000 - $1m of operational budget.
Natural environment - water bodies: 40 - 75% of water communities affected. Water quality affected for 4 - 10 days. Water level rise of 2 - 3 m above highest natural level. 401 - 2000 ha affected. Loss of 100 - 250 fish. Communities will regenerate in 5 - 10 years with some intervention and repair.
Natural environment - flora & fauna: 40% - 75% of plant or animal life affected. 201 ha - 1000 ha affected. Will regenerate in 5 - 10 years with high level of intervention or repair.
Historic: Localised or limited, irreparable damage of items/areas of considerable or exceptional significance.
Reputation & image: Public criticism with high impact from a number of sources, widespread, high news profile, Minister and Government required to make public statement.
Interruption to critical services: 1 day - 3 days.
Operational efficiency: Non-achievement of major deliverables.

Level 5 - Catastrophic
Injuries: Multiple deaths or severe injuries.
Financial loss: More than $1m of operational budget.
Natural environment - water bodies: More than 75% of water communities affected. Water quality affected for more than 10 days. Water level rise of >3 m above highest natural level. 2001 to 3828 ha affected. Loss of >250 fish. Communities may regenerate in more than 10 years with some intervention or have no regeneration.
Natural environment - flora & fauna: >75% of plant or animal life affected. 1001 ha - 1900 ha affected. May regenerate in more than 10 years with considerable high level of intervention or repair, or have no regeneration.
Historic: Permanent, widespread, irreparable damage, serious loss of heritage values.
Reputation & image: Public criticism from multiple sources, very high impact, international and national multiple media coverage, community groups involved, public Ministerial and Government involvement, Government censure or disclaimer.
Interruption to critical services: More than 3 days.
Operational efficiency: Non-achievement of major key objectives.

QUALITATIVE MEASURES OF LIKELIHOOD

Level 1 - Rare: The event may occur only in exceptional circumstances. Frequency: less than once in 5 years.
Level 2 - Unlikely: The event could occur at some time. Frequency: at least once in 5 years.
Level 3 - Moderate: The event should occur at some time. Frequency: at least once in 3 years.
Level 4 - Likely: The event will probably occur in most circumstances. Frequency: at least once per 1 year.
Level 5 - Almost certain: The event is expected to occur in most circumstances. Frequency: more than once per year.


RISK ACCEPTANCE CRITERIA TABLE

Level of Risk 1 - 5, Risk Rank Low: Acceptable. Requires Adequate controls and semi-annual monitoring. Who is responsible: Risk Owner.
Level of Risk 6 - 9, Risk Rank Moderate: Management Control Required. Requires Adequate controls and quarterly monitoring. Who is responsible: Risk Owner.
Level of Risk 10 - 14, Risk Rank Significant: Urgent Management Attention Required. Requires Excellent controls and monthly monitoring. Who is responsible: Director.
Level of Risk 15 - 25, Risk Rank High: Requires Excellent controls. Risk Reduction Required. Who is responsible: CEO.

RISK ASSESSMENT CRITERIA TABLE
(Level of risk is the product of the likelihood level and the consequence level.)

Likelihood \ Consequence   1 Insignificant   2 Minor   3 Moderate   4 Major   5 Catastrophic
1 Rare                            1              2           3           4            5
2 Unlikely                        2              4           6           8           10
3 Moderate                        3              6           9          12           15
4 Likely                          4              8          12          16           20
5 Almost Certain                  5             10          15          20           25

Approved as at ..../..../....

By:

.......................................

Title:

..................................................................

Sample 4

EXISTING CONTROLS

Level E - Excellent. Foreseeable: More than what a reasonable person would be expected to do in the circumstances.
Level A - Adequate. Foreseeable: Only what a reasonable person would be expected to do in the circumstances.
Level I - Inadequate. Foreseeable: Less than what a reasonable person would be expected to do in the circumstances.

QUALITATIVE MEASURES OF CONSEQUENCE

Columns: Level, Rank, Financial (Budget; Funds Under Management), Reputation & Image, Operational Efficiency, Injuries, Compliance.

Level 1 - Insignificant
Financial - budget: Less than $5,000.
Financial - funds under management: Less than $500,000.
Reputation & image: Unsubstantiated, insignificant impact or no news item.
Operational efficiency: Little impact.
Injuries: Minor injuries not requiring First Aid, or near miss.
Compliance: No noticeable regulatory or statutory impact.

Level 2 - Minor
Financial - budget: $5,000 to $20,000.
Financial - funds under management: $500,000 to $3M.
Reputation & image: Substantiated, minor impact, low news profile.
Operational efficiency: Inconvenient delays.
Injuries: First aid treatment.
Compliance: Some temporary non compliances.

Level 3 - Moderate
Financial - budget: $20,000 to $100,000.
Financial - funds under management: $3M to $40M.
Reputation & image: Substantiated, public embarrassment, moderate impact, moderate news profile, Ministerial involvement.
Operational efficiency: Delays in major deliverables.
Injuries: Medical treatment required.
Compliance: Short term non compliance but with moderate regulatory requirements imposed.

Level 4 - Major
Financial - budget: $100,000 to $300,000.
Financial - funds under management: $40M to $120M.
Reputation & image: Substantiated, public embarrassment, major impact, major news profile, Third Party actions, public Ministerial involvement.
Operational efficiency: Non achievement of major deliverables.
Injuries: Serious or extensive injuries.
Compliance: Non compliance results in termination of service or imposed penalties.

Level 5 - Catastrophic
Financial - budget: More than $300,000.
Financial - funds under management: More than $120M.
Reputation & image: Substantiated, public embarrassment, multiple impacts, widespread multiple news profile, Third Party actions, public Ministerial involvement, Government censure.
Operational efficiency: Non achievement of major key objectives.
Injuries: Death or multiple severe permanent disablements.
Compliance: Non compliance results in criminal charges or loss of required accreditation.


QUALITATIVE MEASURES OF LIKELIHOOD

Level 1 - Rare: The event may occur only in exceptional circumstances. Frequency: less than once in 5 years.
Level 2 - Unlikely: The event could occur at some time. Frequency: at least once in 5 years.
Level 3 - Moderate: The event should occur at some time. Frequency: at least once in 3 years.
Level 4 - Likely: The event will probably occur in most circumstances. Frequency: once per year.
Level 5 - Almost certain: The event is expected to occur in most circumstances. Frequency: more than once per year.

RISK ACCEPTANCE CRITERIA TABLE

Level of Risk 1 - 5, Risk Rank Low: Requires Adequate controls and semi-annual monitoring. Who is responsible: Risk Owner.
Level of Risk 6 - 9, Risk Rank Moderate: Requires Adequate controls before an acceptance decision can be made. Quarterly monitoring. Who is responsible: Risk Owner.
Level of Risk 10 - 14, Risk Rank Significant: Urgent Attention Required. Requires Excellent controls prior to an acceptance decision being made. Monthly monitoring. Who is responsible: Director.
Level of Risk 15 - 25, Risk Rank High: Urgent Attention Required. Requires Excellent controls and all Treatment Action Plans to be explored and implemented where possible, prior to an acceptance decision. Continuous monitoring. Who is responsible: CEO.


RISK ASSESSMENT CRITERIA TABLE
(Level of risk is the product of the likelihood level and the consequence level.)

Likelihood \ Consequence   1 Insignificant   2 Minor   3 Moderate   4 Major   5 Catastrophic
1 Rare                            1              2           3           4            5
2 Unlikely                        2              4           6           8           10
3 Moderate                        3              6           9          12           15
4 Likely                          4              8          12          16           20
5 Almost Certain                  5             10          15          20           25

Approved as at ..../..../....

By:

.......................................

Title:

..................................................................


Sample 5

EXISTING CONTROLS

Level E - Excellent. Foreseeable: More than what a reasonable person would be expected to do in the circumstances.
Level A - Adequate. Foreseeable: Only what a reasonable person would be expected to do in the circumstances.
Level I - Inadequate. Foreseeable: Less than what a reasonable person would be expected to do in the circumstances.

QUALITATIVE MEASURES OF CONSEQUENCE

Columns: Level, Rating, Safety of People, Operations, Technical, Economic, Environment, Political & Public, Compliance.

Level 1 - Insignificant
Safety of people: No real injuries.
Operations: Some insignificant delays or change to service.
Technical: Operational - minor rectification required.
Economic: <$20k loss or damages.
Environment: Isolated low impact area.
Political & public: Suggested improvements and unsubstantiated complaints.
Compliance: Guidance required for compliance.

Level 2 - Minor
Safety of people: 1st aid injury.
Operations: Some minor delays or some services cancelled.
Technical: Service restrictions - rectification required.
Economic: $20k to $99k loss or damages.
Environment: Contained minor impact.
Political & public: Substantiated complaints and lobby group correspondence.
Compliance: Some non compliances.

Level 3 - Moderate
Safety of people: Medical injury.
Operations: Some moderate delays and some services cancelled.
Technical: Not operational - minor rectification required before operational.
Economic: $100k to $999,999 loss or damages.
Environment: Uncontained impact able to be rectified in short term.
Political & public: Complaints and short term drop in patronage. News reports and parliamentary questions.
Compliance: Many compliance or probity infringements and some processes repeated.

Level 4 - Major
Safety of people: Death or major injuries.
Operations: Major delays and most services cancelled.
Technical: Not operational - extensive rectification required before operational.
Economic: $1m to $9m loss or damages.
Environment: Extensive hazardous impact, long term rectification.
Political & public: Sustained drop in patronage. High profile news reports and political embarrassment.
Compliance: Non compliance results in termination of process or imposed penalties.

Level 5 - Catastrophic
Safety of people: Multiple deaths.
Operations: All services cancelled.
Technical: Not operational - cannot be rectified.
Economic: >$10m loss or damages.
Environment: Widespread or uncontained hazardous major impact, residual effect.
Political & public: Patronage decrease causes cancellation of service. Widespread news reports and major political/government repercussions or change.
Compliance: Non compliance results in criminal charges or loss of required accreditation.


QUALITATIVE MEASURES OF LIKELIHOOD

Level 1 - Rare: The event may occur only in exceptional circumstances. Frequency: less than once in 10 years.
Level 2 - Unlikely: The event could occur at some time. Frequency: at least once in 5 years.
Level 3 - Moderate: The event should occur at some time. Frequency: at least once in 3 years.
Level 4 - Likely: The event will probably occur in most circumstances. Frequency: once per year.
Level 5 - Almost certain: The event is expected to occur in most circumstances. Frequency: more than once per year.

RISK ACCEPTANCE CRITERIA TABLE

Level of Risk 15 - 25, Rank Extreme: Treatment Action Plan Required. Excellent controls required. Who is responsible: Risk is unacceptable - refer to Executive.
Level of Risk 10 - 14, Rank High: Treatment Action Plan Required. Excellent controls required. Who is responsible: Risk is undesirable. Decision on acceptance of risk to be made by the relevant Executive Director.
Level of Risk 6 - 9, Rank Moderate: Risk may be accepted by the relevant Director or Senior Manager EXCEPT where the Consequence is Catastrophic, a Treatment Action Plan is required. Who is responsible: Decision on acceptance of risk to be made by the relevant Director or Senior Manager EXCEPT where the Consequence is Catastrophic, decision on acceptance of risk must be made by the relevant Executive Director.
Level of Risk 1 - 5, Rank Low: Risk is acceptable - manage by routine procedures EXCEPT where the Consequence is Catastrophic, a Treatment Action Plan is required. Who is responsible: Risk is acceptable - manage by routine procedures EXCEPT where the Consequence is Catastrophic, decision on acceptance of risk must be made by the relevant Executive Director.


RISK ASSESSMENT CRITERIA TABLE
(Level of risk is the product of the likelihood level and the consequence level.)

Likelihood \ Consequence   1 Insignificant   2 Minor   3 Moderate   4 Major   5 Catastrophic
1 Rare                            1              2           3           4            5
2 Unlikely                        2              4           6           8           10
3 Moderate                        3              6           9          12           15
4 Likely                          4              8          12          16           20
5 Almost Certain                  5             10          15          20           25
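The Risk Assessment Criteria Tables in Samples 3, 4 and 5 are the same 5 x 5 product table; the samples differ in their acceptance bands and escalation rules. The following Python script is added here as a worked example and is not part of the guidelines or any RiskCover tool. It encodes the product table, the frequency column of the Sample 4 likelihood table, and the Sample 4 and Sample 5 acceptance criteria, so that a register entry (likelihood level, consequence level, and an existing-controls rating of E, A or I) is scored and routed the same way every time. The band constants, function names and the constructed scenario at the bottom are this example's own assumptions; the monitoring and responsibility wording is taken from the tables above.

```python
"""Worked example for the risk reference tables above.  This is an added
illustration, not a tool supplied by the guidelines.  It encodes the 5 x 5
Risk Assessment Criteria Table (level of risk = likelihood x consequence),
the frequency column of the Sample 4 likelihood table, and the Risk
Acceptance Criteria bands of Sample 4 and Sample 5, including Sample 5's
rule that a Catastrophic consequence escalates a Low or Moderate risk."""
from dataclasses import dataclass

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Moderate", 4: "Likely", 5: "Almost certain"}
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
# Existing Controls codes from the tables: Inadequate < Adequate < Excellent
CONTROL_ORDER = {"I": 0, "A": 1, "E": 2}

# Sample 4 Risk Acceptance Criteria (assumed encoding of the table):
# (low score, high score, rank, minimum control rating, monitoring, who is responsible)
SAMPLE4_BANDS = [
    (1, 5, "Low", "A", "semi-annual", "Risk Owner"),
    (6, 9, "Moderate", "A", "quarterly", "Risk Owner"),
    (10, 14, "Significant", "E", "monthly", "Director"),
    (15, 25, "High", "E", "continuous", "CEO"),
]
# Sample 5 Risk Acceptance Criteria (assumed encoding): (low, high, rank, who decides)
SAMPLE5_BANDS = [
    (1, 5, "Low", "Routine procedures"),
    (6, 9, "Moderate", "Director or Senior Manager"),
    (10, 14, "High", "Executive Director"),
    (15, 25, "Extreme", "Executive (risk is unacceptable)"),
]


def likelihood_from_frequency(events_per_year: float) -> int:
    """Map an estimated event frequency to the Sample 4 likelihood level."""
    if events_per_year > 1:
        return 5  # more than once per year: Almost certain
    if events_per_year >= 1:
        return 4  # once per year: Likely
    if events_per_year >= 1 / 3:
        return 3  # at least once in 3 years: Moderate
    if events_per_year >= 1 / 5:
        return 2  # at least once in 5 years: Unlikely
    return 1      # less than once in 5 years: Rare


def level_of_risk(likelihood: int, consequence: int) -> int:
    """Risk Assessment Criteria Table: the level of risk is the product of the two levels."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must both be in 1..5")
    return likelihood * consequence


def risk_matrix() -> list:
    """The full 5 x 5 table: rows are likelihood 1..5, columns are consequence 1..5."""
    return [[level_of_risk(lk, cq) for cq in range(1, 6)] for lk in range(1, 6)]


def _band(bands, score):
    """Return the band tuple whose score range contains the score."""
    for band in bands:
        if band[0] <= score <= band[1]:
            return band
    raise ValueError(f"score {score} is outside 1..25")


@dataclass
class Sample4Assessment:
    score: int
    rank: str
    monitoring: str
    responsible: str
    controls_meet_criteria: bool  # existing control rating at or above the band's minimum


def assess_sample4(likelihood: int, consequence: int, existing_control: str) -> Sample4Assessment:
    """Apply the Sample 4 acceptance criteria and check the existing control rating."""
    score = level_of_risk(likelihood, consequence)
    _, _, rank, min_control, monitoring, responsible = _band(SAMPLE4_BANDS, score)
    meets = CONTROL_ORDER[existing_control] >= CONTROL_ORDER[min_control]
    return Sample4Assessment(score, rank, monitoring, responsible, meets)


@dataclass
class Sample5Assessment:
    score: int
    rank: str
    decider: str
    treatment_action_plan_required: bool


def assess_sample5(likelihood: int, consequence: int) -> Sample5Assessment:
    """Apply the Sample 5 acceptance criteria, including the Catastrophic exception."""
    score = level_of_risk(likelihood, consequence)
    _, _, rank, decider = _band(SAMPLE5_BANDS, score)
    tap_required = rank in ("High", "Extreme")
    if consequence == 5 and rank in ("Low", "Moderate"):
        # "EXCEPT where the Consequence is Catastrophic": a Treatment Action Plan is
        # required and the acceptance decision moves to the relevant Executive Director.
        tap_required = True
        decider = "Executive Director"
    return Sample5Assessment(score, rank, decider, tap_required)


if __name__ == "__main__":
    # Constructed scenario: an event expected about once every two years with a Major consequence
    lk = likelihood_from_frequency(0.5)
    print(assess_sample4(lk, 4, "A"))
    print(assess_sample5(1, 5))
```

Running the script scores the constructed scenario under both samples. Note that with a product table the Sample 5 Catastrophic exception can only change the outcome for the Rare/Catastrophic cell (score 5), because every other Catastrophic cell already scores 10 or more; `assess_sample5` still applies the rule generally so that a later change to the bands does not silently drop it.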

Approved as at ..../..../....

By:

.......................................

Title:

..................................................................

Sample Risk Register

Appendix IV
Sample Risk Register


Sample Risk Register All Risks Identified sorted by Level of Risk


Appendix V
Sample Risk Management Implementation Schedule


Sample RM Implementation Strategy

SAMPLE: Agency Name

Risk Management Implementation Schedule

Step 1 - Support of Senior Management
How: Produce briefing paper & implementation plan. Briefing to Executive. Obtain executive sign-off.
When: Sept 2009.
Who (responsibility): RM Co-ordinator.

Step 2 - Development of Organisation's RM Policy
How: Formation of Risk management committee (including documented terms of reference). Draft policy. Draft Risk Reference Tables. Determine roles and responsibilities. Determine individual & corporate KPIs. Obtain executive sign-off.
When: Sept 2009; Oct 2009.
Who (responsibility): RM Co-ordinator & RM Committee.

Step 3 - Communicating the Policy
How: Arrange RM awareness sessions. Distribute policy, procedure & risk reference tables. Ensure all managers understand their responsibilities in managing risk; modify JDFs where appropriate.
When: Oct 2009.
Who (responsibility): RM Co-ordinator & RM Committee.

Step 4 - Managing Risks at Strategic Level (Agency)
How: Develop a program plan, i.e. develop a framework & procedure for identifying & managing strategic risks & obtain executive sign-off. Identify, assess and prioritise risks as part of strategic planning session. Treat risks - develop risk reduction strategies as part of strategic planning session. Monitor & review risks and risk reduction strategies as part of regular strategic management process.
When: ??? 2009; ????? 2009; from ??? 2009, monthly at executive meetings.
Who (responsibility): RM Co-ordinator & RM Committee, endorsed by Executive; Executive with assistance from RM Co-ordinator.

Step 5 - Managing Risks at Business Unit Level
How: Develop a program plan, i.e. develop & agree framework & procedure for identifying & managing operational risks and reporting requirements. Identify, assess and prioritise risks as part of operational planning session or dedicated workshop. Treat risks - develop risk reduction strategies as part of strategic planning session. Develop risk reduction strategies as part of regular operational management process. Monitor & review risks and risk reduction strategies as part of regular operational management process. Report risks and treatment strategies quarterly to RM committee as required by program plan.
When: Oct 2009; from Oct 2009, monthly at management meetings.
Who (responsibility): Business Unit management teams.

Step 6 - Risk Auditing
How: Develop & agree an audit plan to ensure the effectiveness of the RM process and the management of key risks.
When: ??? 2009.
Who (responsibility): RM Co-ordinator / Executive / Audit.



Step 6 - Risk Auditing (continued)
How: Implement the audit plan.
When: Annually ???.
Who (responsibility): Audit Manager.


Project Life Cycle

Appendix VI
Strategic Risk Management Framework


STRATEGIC RISK MANAGEMENT CONTEXT

RISK MANAGEMENT AND STRATEGIC PLANNING

Strategic management is the continuing process of aligning the internal capabilities of the organisation with the external demands of its environment. It involves the formulation and implementation of strategies to achieve the organisation's goals and objectives. It is an iterative process, in which management of change, monitoring and review are important parts.

A Strategic Plan is a comprehensive master plan that states how we are going to achieve our mission and objectives. Anything that has a bearing on that is strategic. Strategic management is the set of managerial decisions and actions that determines the long run performance of the organisation.

Strategic Risk management is the identification and management of risks likely to have a material impact on the organisation's ability to achieve its mission and objectives.

The risks identified and evaluated as a part of the strategic planning process will be risks that affect the entire agency and its ability to achieve its mission. This is the point at which the agency will identify risks which would prevent the agency from exploiting its opportunities and strengths, would expose its weaknesses, and would leave the agency's threats unaddressed.

STRATEGIC RISK MANAGEMENT

There are two elements to the management of risks at a strategic level and these are:

1. The identification/evaluation/management of risks in the strategic decision making process.

Risks are identified at each stage of the planning process, for example:
- Examination and evaluation of current Mission, Objectives, etc.
- External environmental analysis
- Internal environmental analysis
- Development and evaluation of alternative strategies
- Selection of strategies


2. The identification/evaluation/management of risks associated with particular strategies (current) and their implementation.

As our businesses are going concerns, there are strategic plans in various states of implementation. Therefore, the particular approach for your agency must reflect the current situation.

The following flow diagram shows how risk identification becomes an integral part of the strategic planning process.


Typical Strategic Planning Process (flow diagram; the stages and their prompting questions are listed below)

Strategic Risk Review: Financial Performance; Operational Performance; Mission / Vision; Existing Goals and Objectives. Achieved? Did anything go wrong?

Stakeholder Profile: Stakeholder Expectations; Impact if not met.

Strategic Risk Profile - Environment Scan of Strategic Factors: Internal - Structure (The Organisation), Culture (Beliefs, Expectations, Values), Resources (Assets, Skills, Competencies, Knowledge, Systems); External - Task (Industry Analysis), Societal (General Forces).

Strategic Risk Profile - SWOT Analysis: Strengths - risks to strengths; Weaknesses - risks that can accompany weaknesses; Opportunities - risks that arise from opportunity; Threats - outright risks.

Strategic Formulation: Mission / Vision; Goals and Critical Success Factors; Objectives and KPIs; Strategies; Policies. Achievable? What can go wrong? Are all threats avoided and weaknesses minimized in respect to mission, goals and objectives?

Strategic Implementation (Operational Planning): Programs; Budgets; Procedures. Can anything go wrong in this stage that will impact achievement?

Evaluation and Control: Are there any weaknesses in information, management or control systems, or reporting?


The Process Explained

1. Strategic Performance Review
Review how the organisation has performed against previous Goals/Objectives:
a. Were they achieved?
b. Did something prevent you from achieving your Goals/Objectives?
c. Were all performance targets met?

This review will highlight anything that should be taken into account for future planning.

2. Stakeholder Profile
Identify who the organisation's stakeholders are and their expectations. In addition, it is important to consider what the consequences will be if their expectations are not met. This should sharpen the focus and ensure that the strategies you are adopting will meet the needs and expectations of the stakeholders.

3. Environmental Scan
Environmental scanning identifies factors which influence what the organisation will do and how it will do it. It covers both the internal and external environmental factors. From the Environmental Scan, the organisation can assess where it sits in relation to industry and society's expectations, and how it is situated to respond appropriately to market trends or demands.

4. SWOT
A SWOT analysis is used to identify:
- Risks to strengths
- Risks from weaknesses
- Risks from opportunities
- Threats, which are risks in their own right

These risks are then evaluated in terms of impact upon achievement of objectives.

5. Strategy Formulation
In this stage, strategies are identified to achieve Goals and Objectives whilst being focused on the organisation's Mission/Vision. An assessment of the risks and opportunities associated with each proposed strategy, and the potential for impact upon the achievement of objectives, should be an integral part of this step. This is the creative stage of developing strategies that will deliver the organisation's goals and objectives, mission and vision without exposing it to unacceptable risk.


6. Strategy Implementation
Once the strategies are decided upon, the process of implementing them carries a new set of risks. Each of these risks needs to be identified and appropriate risk minimisation strategies built into the implementation plan.

7. Evaluation and Control
There need to be system reviews which ensure that the process is implemented efficiently and effectively, and progress needs to be reported. Mechanisms need to be put in place to monitor the implementation of the Strategic Plan and to identify any new risks that arise. The annual Strategic Review process needs to be programmed so that there is an opportunity for a formal review.


Appendix VII
Project Life Cycle


Example -
