RISK MANAGEMENT GUIDELINES
SECOND EDITION
August 2011
RiskCover, a Division of the Insurance Commission of Western Australia
Acknowledgement

RiskCover has produced the Risk Management Guidelines to assist Western Australian State Government agencies to implement their risk management programs.

Please direct all enquiries or comments on the contents of this document to:
Risk Management Services
RiskCover
Insurance Commission of WA
The Forrest Centre, 221 St Georges Terrace
Perth, Western Australia 6000
(08) 9264 3806
riskmanagement@icwa.wa.gov.au
Table of Contents

PUBLIC SECTOR COMMISSIONER'S CIRCULAR ... i
1. INTRODUCTION ... 1
  1.1 What is Risk Management? ... 1
  1.2 Why Manage Risk? ... 2
  1.3 How Do We Manage Risks? ... 2
2. COMMUNICATION AND CONSULTATION ... 4
3. RISK MANAGEMENT PROCESS ... 6
  3.1 Step 1: Establish the Framework and Context ... 6
    3.1.1 Risk Management Framework ... 6
    3.1.2 Methodology of Assessing Risk ... 9
    3.2 Specific Risk Assessment Context ... 10
    3.3 Summary ... 11
  3.2 Step 2: Risk Identification ... 12
    3.2.1 What is a Risk? ... 12
    3.2.2 Causes of Risk ... 12
    3.2.3 Summary ... 13
  3.3 Step 3: Risk Assessment - Analysis & Evaluation ... 13
    3.3.1 Existing Controls & Controls Assurance ... 13
    3.3.2 Risk Analysis ... 15
    3.3.3 Risk Evaluation ... 16
    3.3.4 Risk Ownership & Risk Decision ... 17
    3.3.5 Risk Acceptance Decision ... 18
    3.3.6 Summary ... 18
  3.4 Step 4: Risk Treatment ... 19
    3.4.1 Identify, Evaluate and Select Treatment Options ... 19
    3.4.2 Prepare & Implement Treatment Plans ... 20
    3.4.3 Summary ... 20
  3.5 Using Risk Information ... 21
    3.5.1 Categorisation of Risk ... 21
4. MONITOR AND REVIEW ... 23
  4.1 Focus Areas ... 23
  4.2 Risk Management Performance Measures ... 24
  4.3 Roles and Responsibilities ... 24
5. RISK MANAGEMENT IMPLEMENTATION ... 26
  1. Executive Awareness and Commitment ... 26
  2. Development of the Risk Management Framework ... 26
  3. Communication / Education ... 27
  4. Managing Risks at the Strategic Level ... 27
  5. Managing Risks at the Business Unit Level ... 27
  6. Monitor and Review ... 28
Appendix I: Glossary ... 29
Appendix II: Sample Risk Management Policy ... 36
Appendix III: Sample Risk Reference Tables ... 39
Appendix IV: Sample Risk Register ... 55
Appendix V: Sample Risk Management Implementation Schedule ... 57
Appendix VI: Strategic Risk Management Framework ... 60
Appendix VII: Project Life Cycle ... 66
PUBLIC SECTOR COMMISSIONER'S CIRCULAR

TITLE: RISK MANAGEMENT AND BUSINESS CONTINUITY PLANNING

POLICY

All public sector bodies must practise risk management, regularly undertake a structured risk assessment process to identify the risks facing the organisation, be able to demonstrate the management of those risks and, where appropriate, have continuity plans to ensure they can respond to and recover from any business disruption. Public sector bodies must submit details of their risk management policy, assessment processes and continuity plans to RiskCover. Public sector bodies must ensure that risk management policies and continuity plans are maintained and reviewed on a regular basis.

BACKGROUND

Risk management has been a feature of the operation of the public sector for many years, with such requirements included in the Treasurer's Instructions. The Insurance Commission of Western Australia, through its RiskCover Division, has a mandate to manage and administer risk management arrangements on behalf of public authorities and to provide advice to the Government on matters relating to risk management. Planning for major risk events, such as natural disasters, often receives special focus, with a great deal of planning and mitigation work undertaken to deal with potential issues. However, it is a matter of good corporate governance that risk assessment and continuity planning are subject to continual review at the highest levels of an organisation. In more recent times the threat of terrorism and the possibility of an influenza pandemic have reinforced the need for government agencies to be prepared and able to continue to deliver services whatever the circumstances. The proclamation of the Emergency Management Act 2005, together with other State initiatives such as the Western Australian Management Plan for Pandemic Influenza, is part of the process of ensuring that the public sector and the community are well prepared for emergencies of any kind.

Many agencies will already have well-developed risk management processes, while others may be less well prepared. RiskCover consultants will continue to be available to guide and assist agencies to enable them to meet the requirements (contact Mr Jim Hodges, Risk Management Services Manager, RiskCover, 9264 3702). Education and training in risk management and business continuity planning is also available through RiskCover.

Don Williams
Manager, RiskCover Division
Insurance Commission of WA
9264 3400
Premier's Circular 2006/03
1. INTRODUCTION
These guidelines have been produced by RiskCover to assist State Government agencies in developing and implementing effective risk management processes. They should be read in conjunction with the WA Government Business Continuity Guidelines, as the management of critical incidents and emergencies is just one aspect of an agency's overall approach to managing risk.

The purpose of these guidelines is to provide an overview and explanation of the risk management process, together with some hints on applying it and sample documents for you to use. Please contact RiskCover Risk Management Services on Tel: 9264 3806 or email riskmanagement@icwa.wa.gov.au should you require any further information or assistance in implementing risk management within your agency.
A risk can be defined as any internal or external situation or event that has the potential to impact upon an agency, preventing the agency from successfully achieving its objectives, delivering its services, capitalising on its opportunities or carrying out its projects or events.
Risk management is simply the practice of systematically identifying and understanding risks and the controls that are in place to manage them. Ultimately the process gets you to a point of deciding whether, in the context of a particular strategy, activity or function, a risk is acceptable or requires further action.
The risk management process does not encourage managers to be risk averse. In fact, it is designed to give managers the confidence to manage risk to an acceptable level and to take a level of risk commensurate with the opportunity. The key element in managing risk is correctly balancing risk and reward. A risk-averse culture creates inflexibility in the business and erects barriers to the achievement of the organisation's goals. Conversely, accepting disproportionately high risk can have significant impacts on the business.
A comprehensive understanding of the risk exposures facing an agency also facilitates effective planning and resource allocation, and encourages a proactive management culture, with flow-on benefits for every aspect of an agency's operation.

These guidelines take you through the process, which comprises the following steps:
1. Establish the context
2. Identify the risks
3. Analyse and evaluate the risks
4. Where necessary, treat the risks
In addition, there are two important concepts, Communication and Consultation, and Monitor and Review, that apply to every aspect of risk management. These are discussed at the beginning and end of the guidelines, respectively.
Implementing risk management involves a logical and structured way of thinking and it requires the development and use of a consistent language to support the process. It is important to use precise, common terminology to ensure the effective communication and unambiguous description of the risks within your agency and across the whole of government.
2. COMMUNICATION AND CONSULTATION

Communication is the sharing of information and viewpoints. Effective communication has the following attributes:
- It is multi-directional. Information, ideas and perspectives are shared across functional areas, and senior management are receptive to the views of their subordinates.
- It involves information and opinions. Other people's perspectives are understood and acknowledged. Factual information is gathered from all relevant sources. No individual or department has a monopoly on the facts.
- It is interactive. Listening is as important as talking. Good communication involves the sharing of information, opinions and experiences.
- It is respectful. It focuses on ideas and information, not personalities. Communication is most effective in an environment where people are valued and their viewpoints are respected.
- It engages the participants, promoting their understanding and ownership of the outcomes.
Consultation is a process that uses communication to make effective decisions. Importantly, consultation is not an outcome or an end in itself but a means by which outcomes are achieved. Consultation gives stakeholders the opportunity to influence decisions, however, it is not joint decision making, but rather an effective way to receive useful input and ensure that all relevant viewpoints are taken into account in identifying and evaluating risks.
A well-structured approach to communication and consultation can provide the following benefits:
- Organisational coherence and a positive culture for risk management implementation
- Trust and understanding, resulting in better internal and external relationships
- The risk management process becomes tangible: people know what it is and how it works
- Integration of multiple perspectives
- Risk management is embedded as an ongoing part of management and organisational practice
Each step of the risk management process relies on communication and consultation to achieve its purpose. For instance, in setting the context, consultation with internal and external stakeholders is essential to reach a thorough understanding of the operating environment and to define the purpose and scope of the exercise. In risk identification, a diversity of input can prevent important risks being overlooked and ensure that risks are accurately described. In the risk assessment process, communication and consultation allow all perspectives to be considered in arriving at a realistic level of risk. Risk treatment is more effective because treatment plans are better understood, and the monitor and review process depends upon effective communication to ensure risk information is in use and current.

Risk Management Guidelines. Copyright of Insurance Commission of WA, RiskCover Division.
Communication and consultation does not mean asking everybody their opinion about everything. When developing a strategy to implement a formal risk management process within your organisation, you may wish to consider the following in relation to communication and consultation requirements:
- Objectives: What are the specific aims and goals of involving different parties in the process?
- Participants: Who are the appropriate parties to be involved at each step of the process?
- Perspectives: What particular contribution or viewpoint is anticipated and required from each participant?
- Methods: How will consultation take place? It may not always be practical to get all the parties together in one place. How do we integrate risk thinking into all aspects of our business?
Hint: When agencies plan their communication and consultation for the risk management process, frequently they fail to adequately consider the needs and viewpoints of all stakeholders. Obviously, risk management involves the discussion of some matters that cannot be shared with external parties. However, if we fail to incorporate the needs and viewpoints of all stakeholders, the full benefit of risk management may not be realised.
A successful means of embedding the management of risks into an organisation's culture is to integrate the risk management process into existing management processes. Avoid running risk management as a standalone process outside normal management activities; integrating it reinforces the message that the management of risk is part of managing the business.
3. RISK MANAGEMENT PROCESS

3.1 STEP 1: ESTABLISH THE FRAMEWORK AND CONTEXT

3.1.1 Risk Management Framework

In developing a framework for managing risk, an agency needs to consider the following:
- Core purpose, vision, mission and values: why does it exist?
- Strategic direction, goals, required outcomes and deliverables. These may be defined by legislation, ministerial directive, charter, etc.
- Internal and external environments, often assessed using a SWOT analysis.
- Internal and external stakeholders: who are they, and what are their needs and expectations?
- Organisational planning, reporting and management processes
- Roles, responsibilities and communication strategies
- A program of review to ensure the framework continues to align with the organisation's management practices
- Organisational governance structures and the integration of the management of risk into these structures

Based on the outcome of this analysis, an agency will then be in a position to define how risks are to be managed across the organisation, through the development of:
- A Risk Management Policy
- Risk Management Procedures, which clearly define how the risk management process is undertaken and integrated into the planning, delivery, monitoring and reporting activities of an agency
- Risk Reference Tables, which are the agency's language defining consequence and likelihood. They also include a definition of the acceptance and reporting criteria for specific levels of risk.
- A Risk Management Implementation Strategy: a plan of how the policy and procedures are to be communicated and implemented
- A Risk Register Tool: an electronic tool to facilitate the recording, managing, reporting and use of risk information
- Integration of the management of risk into the organisational structure, roles and responsibilities

Section 5 of these guidelines discusses the implementation of the risk management process in more detail.
Risk Reference Tables

Risk Reference Tables are developed by an agency for the purpose of establishing guidance as to how risks are to be evaluated, assessed, measured, accepted and reported. As well as establishing a common language, the use of semi-quantitative measures removes some of the subjectivity of the assessment process and allows risks from any part of the agency to be compared with any other, and hence prioritised. There are commonly four different tables used:
a) Controls Rating Table
b) Consequence Rating Table
c) Likelihood Rating Table
d) Risk Acceptance Criteria Table
Refer to the samples of risk reference tables in Appendix III. Note that these tables are samples only and need to be customised for each agency to reflect their own organisational context and tolerance for risk.
a) Existing Controls Rating Table

This table is used to rate the adequacy of the collective existing controls that are in place at the time of the assessment to manage a particular risk. It is usually qualitative in nature and can be rated on three levels, e.g. Excellent, Adequate and Inadequate. A control is an established mechanism, procedure, process or practice that is currently in place to manage a risk. It controls the risk by reducing its consequences, its likelihood, or both. A control should be tangible and in place at the time of an assessment.

Hint: This is a reasonableness test. Is the agency doing what is reasonable in the circumstances to reduce the likelihood and/or consequences of this risk? There may be several controls, each of which contributes in some way towards reducing the risk. What we are rating is the adequacy of those combined measures. This is not an assessment of the effectiveness of each individual control. Effectiveness should be looked at in the control assessment process and be reflected in the rating of the likelihood.
b) Consequence Rating Table

Consequence Categories

Consequence categories are based upon the individual agency's criteria for measurement of success and should reflect the agency's economic, social and, in some cases, environmental responsibility. The categories should include those key areas which, if impacted upon, would have a significant effect on the ability of the agency to achieve its goals. In government, these consequence categories may include Financial, Injury, Service Interruption, Reputation and Image, Operational Effectiveness, Community, Legal & Compliance and Environment.

Consequence Scale

Consequences are usually rated on a scale of 1 to 5, 1 being insignificant and 5 being catastrophic. This is generally referred to as the level of consequence. For each of the consequence categories defined, an agency needs to define criteria for each of the levels specified. Care must be taken to ensure that criteria relating to different categories are equivalent at the same level of consequence, i.e. the definition of a catastrophic Financial consequence needs to be equivalent in priority to the definition of, say, a catastrophic Reputation & Image consequence.

Hints:
- Be aware, however, that when applying these scales each consequence category is assessed on its own merit. For example, a catastrophic Reputation and Image consequence does not automatically mean the risk is catastrophic in any or all other consequence categories.
- When establishing the scale, avoid using subjective words such as "significant" when defining levels of consequence, as this will lead to ambiguity. Where possible use quantitative measures, such as "A financial loss of $25,000 - $50,000".
c) Likelihood Rating Table The other measure of risk is likelihood, and this is also commonly measured on a scale of 1 to 5, with 1 being rare and 5 being almost certain. Likelihood can be considered in two aspects. In one sense, you can base the scale on how frequently a given consequence will (or is likely to) happen, e.g. more than twice per year, every year, every three years, etc. Alternatively, you can consider the probability of something happening in a defined forward timeframe, e.g. in the next five years a consequence is almost certain or expected to occur in most circumstances. In either case, each level of the scale should be quantified.
Hint: The Consequence and Likelihood Tables become part of your agencys common risk language and reflect the agencys level of risk tolerance. The language used in these tables must be relevant to your agency not generic descriptions taken from samples.
The level of a risk varies as you consider the context of how that risk is being managed. All risks will have an Inherent Level of Risk this is defined as the level of risk with no formal controls in place, or the level of risk in the event of a breakdown of all controls. Some organisations choose to assess and document this level of risk prior to considering the effectiveness of existing controls. Having information available which relates to this inherent risk level means that, when considering the adequacy of controls, the inherent or worst-case scenario is known.
Once the existing controls have been identified, documented and assessed for effectiveness, the Assessed Level of Risk can be evaluated. This is the Level of Risk with current controls in place.
Should the Assessed Level of Risk be unacceptable, then additional controls or improvements to existing controls, in the form of Treatments, are put in place. In order to evaluate the cost-benefit of these proposed actions, a Predicted Level of Risk is estimated. This is the predicted Level of Risk after the Treatment Plan has been implemented.
Finally, once a risk Treatment Plan has been implemented, the risk is once again evaluated and a Residual Level of Risk is calculated. This is the remaining level of risk exposure and should now be in a range that is acceptable to the agency.
d) Risk Acceptance Criteria Table

This table defines the agency's risk tolerance, or risk appetite, and gives guidance as to the acceptability of risk. For a given level of risk, the table defines how that risk is perceived (e.g. low, moderate, high or extreme) and may specify the controls rating (i.e. Inadequate, Adequate, Excellent) that is necessary to accept the risk. The criteria can also define how risks are to be reported and reviewed, and who is the acceptance decision-maker.

Hint: Once the tables are established, run through a couple of examples. Do they make sense? How do the examples fit with your instincts and past experience? These acceptance criteria should be periodically reviewed to ensure they are still in line with the agency's risk appetite.
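The following is an added example, written for this page rather than taken from the guidelines or from RiskCover's register tool, of how the four reference tables combine when a risk is rated. It encodes a 5x5 consequence-by-likelihood matrix, an acceptance criteria table that requires a minimum controls rating per level of risk, and the inherent, assessed, predicted and residual levels described above. The matrix, the acceptance criteria, the decision-makers and the sample risk are all constructed assumptions; an agency would substitute its own tables from Appendix III.

```python
# Added illustration of the Risk Reference Tables; not the RiskCover tool.
# MATRIX, ACCEPTANCE, the decision-makers and the sample risk are assumed.
from dataclasses import dataclass
from typing import Optional, Tuple

# Consequence and likelihood scales, 1..5, as the guidelines describe.
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}

# Assumed matrix: MATRIX[likelihood][consequence - 1] -> level of risk.
MATRIX = {
    5: ["Moderate", "High", "Extreme", "Extreme", "Extreme"],
    4: ["Moderate", "High", "High", "Extreme", "Extreme"],
    3: ["Low", "Moderate", "High", "Extreme", "Extreme"],
    2: ["Low", "Low", "Moderate", "High", "Extreme"],
    1: ["Low", "Low", "Moderate", "High", "High"],
}

CONTROLS_RANK = {"Inadequate": 0, "Adequate": 1, "Excellent": 2}

# Assumed acceptance criteria: (minimum controls rating needed to accept the
# risk on existing controls, acceptance decision-maker). None means the level
# is never accepted as it stands and must be treated.
ACCEPTANCE = {
    "Low": ("Inadequate", "Line manager"),
    "Moderate": ("Adequate", "Director"),
    "High": ("Excellent", "Executive"),
    "Extreme": (None, "Chief Executive"),
}


def level_of_risk(consequence: int, likelihood: int) -> str:
    """Look up the level of risk for a (consequence, likelihood) pair."""
    if consequence not in CONSEQUENCE or likelihood not in LIKELIHOOD:
        raise ValueError("consequence and likelihood must both be in 1..5")
    return MATRIX[likelihood][consequence - 1]


def is_acceptable(level: str, controls_rating: str) -> bool:
    """A risk is acceptable only if the rated adequacy of its existing
    controls meets the minimum the acceptance criteria set for that level."""
    minimum, _decider = ACCEPTANCE[level]
    if minimum is None:
        return False
    return CONTROLS_RANK[controls_rating] >= CONTROLS_RANK[minimum]


@dataclass
class Risk:
    name: str
    inherent: Tuple[int, int]       # (consequence, likelihood) with no controls
    assessed: Tuple[int, int]       # with current controls in place
    controls_rating: str            # Inadequate / Adequate / Excellent
    predicted: Optional[Tuple[int, int]] = None   # estimated after treatment
    residual: Optional[Tuple[int, int]] = None    # re-rated once treatment is done
    treated_controls_rating: Optional[str] = None  # controls rating after treatment


def evaluate(risk: Risk) -> dict:
    """Rate the levels of risk in the order the guidelines describe and record
    the acceptance decision together with who must make it."""
    assessed = level_of_risk(*risk.assessed)
    result = {
        "inherent": level_of_risk(*risk.inherent),
        "assessed": assessed,
        "decider": ACCEPTANCE[assessed][1],
    }
    if is_acceptable(assessed, risk.controls_rating):
        result["decision"] = "Accept"
        return result
    result["decision"] = "Treat"
    if risk.predicted is not None:
        result["predicted"] = level_of_risk(*risk.predicted)
    if risk.residual is not None:
        residual = level_of_risk(*risk.residual)
        result["residual"] = residual
        # Flag a treatment that still leaves the risk outside tolerance.
        rating = risk.treated_controls_rating or risk.controls_rating
        result["residual_acceptable"] = is_acceptable(residual, rating)
    return result


if __name__ == "__main__":
    # Constructed sample risk: loss of a primary data centre. Failover to a
    # second site is assumed to lower the consequence from Major to Moderate.
    outage = Risk(
        name="Loss of primary data centre",
        inherent=(5, 4), assessed=(4, 2), controls_rating="Adequate",
        predicted=(3, 1), residual=(3, 1), treated_controls_rating="Excellent",
    )
    print(evaluate(outage))
```

Note that `is_acceptable` fails a High risk whose controls are merely Adequate even though the score alone might look tolerable; that is the point of putting a controls-rating requirement in the acceptance criteria, so the hint above about running a couple of examples through the tables is worth doing against exactly this kind of case.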
3.2 Specific Risk Assessment Context

Once the Risk Management Framework is established, the requirements for a specific risk assessment exercise can be defined. For instance, you may be embarking on a new strategic planning cycle and need to integrate the identification, assessment and management of risks into your strategic plan. Alternatively, you may be reviewing or developing your business plans and want to identify the risks for your agency to inform this planning process. For each individual risk assessment exercise, it is important to set the following:
- The parameters: What is the specific subject of the assessment (e.g. the specific strategy, activity or function)?
- The essential stakeholders who need to be involved in the assessment.
- A shared understanding: ensure all participants in the assessment exercise are clear about the purpose of the assessment before it begins.
The specific risk assessment context can be categorised as Strategic, Operational or Project:

Strategic Level
Strategic risks concern the whole of the agency. They are the risks associated with long-term organisational objectives and the means by which those objectives will be achieved. Strategic risk assessment is normally conducted at a Board or Executive level and is most effective when integrated with the strategic planning process.

Operational Level
Operational risks are associated with the development and implementation of operational plans or the processes, functions or activities of the agency. They are the risks associated with your normal business functions. Operational risks should be assessed by the parties familiar with the particular function or service with which the risks are associated.

Project Level
Project risks are associated with specific projects or discrete initiatives. All projects go through a life cycle, i.e. conception, planning, scoping, contracting, design, construction, testing/commissioning, hand-over and operation. Project risks exist at every stage, and they need to be identified and managed to ensure the successful completion of the project. (Refer to Appendix VII.)
Once the context for a particular risk assessment has been specified, and the particular strategy, activity or project defined, the next step is to identify the critical success factors (CSFs) and key dependencies associated with it. This is the basis of the structured approach to identifying risk: anything that has an impact upon the CSFs constitutes a risk.
A CSF is defined as any essential resource, expertise, input or other factor which is critical to the success of that particular strategy, activity or function. The strategy, activity or function defines what it is you do; the CSF is what is critical to enable you to do it. CSFs can be outcome focused or input focused.

Hint: There may be more than one CSF per strategy, activity or function, depending on the level at which the agency wants to capture the risk information.

There is no right or wrong way to identify a CSF. Whether you take an outcome-based or input-based approach will depend on the focus of the agency's management. The risk information which flows from either approach will still capture the important aspects; the outcomes-based approach simply captures it with a direct and obvious connection to the agency's outcomes or deliverables. Some agencies are outcome focused in that their plans, and the activities to achieve those plans, are directly linked to the outcomes desired. In this case the risk assessment should also be linked to the outcomes, whether they are strategic, operational or project outcomes. These outcomes may be clearly stated in the agency's plans. The risks will then be the things that would prevent you from successfully achieving the desired outcomes.
For those agencies which are not as outcome focused, or where the activity or project is further removed from the outcomes and there is no easily identified link, it may be easier to focus on key dependencies, or the critical inputs required to enable the agency to deliver the identified service, function or project. These inputs will be the things essential to enabling the service, function or project to be completed, i.e. resources, budgets, specific equipment or skills.

3.3 Summary

Step 1 of the risk management process is establishing the framework and context: how the agency will manage risks (language, criteria and methodology) and the context for each specific risk assessment. Risk management policies and procedures are established, and specific roles are assigned. Then a set of tools, known collectively as the Risk Reference Tables, is developed to measure and evaluate risks and controls. These tables establish a common language to manage risk and define the agency's risk tolerance. Once the overall agency Framework is established, the context for specific risk assessments can be developed. Key strategies, activities or functions are defined, as are the associated CSFs and dependencies.
Page 11
Hint: Do not mistake risks for consequences. Injuries, financial loss and reputation damage are not risks but consequences of a risk: if your risk were to eventuate, it could result in injuries, financial loss and/or reputation damage.
For each risk, you should identify the possible causes of the risk event. Each risk may have one or more causal factors which can either directly or indirectly contribute to the risk event occurring. Identifying the range of causes will assist in understanding the risk, identifying controls, evaluating the adequacy of existing controls and designing effective risk treatments.
3.2.3 Summary
Step 2 is about identifying your risks in a systematic fashion. The causes of risks need to be identified so that existing controls can be appropriately evaluated.
HINT: Identified risks can then be categorised to assist with reporting on risks of like type. Avoid using generic risk categories as the context for risk identification, as this can seriously limit the thoroughness of your risk assessment and can result in key risks being missed.
Hint: It is useful to cross-reference your controls with the identified causes. Are there controls in place for each potential cause of a risk?
a) Overall Control Rating
All controls are looked at as a whole in terms of their adequacy in managing the risk. The adequacy of the controls is assessed on a common-sense, qualitative basis. This can be viewed as a reasonableness test: are you doing what is reasonable under the circumstances to manage (i.e. prevent or minimise) the risk? The recommended rating scale is as follows:
Excellent: doing more than what a reasonable person would be expected to do in the circumstances.
Adequate: doing only what a reasonable person would be expected to do in the circumstances.
Inadequate: doing less than what a reasonable person would be expected to do in the circumstances.
If it is reasonably foreseeable that a risk may impact on the agency, then the agency should ensure controls are in place to manage the risk. These controls should be in line with what a reasonable person would do to avoid the unwanted effects of the risk. To assist in determining what is reasonable, the following should be considered:
1. the likelihood of the unwanted consequence/s occurring if no action were taken
2. the likely severity of the consequence
3. the availability, suitability and cost (financial and other) associated with implementing the control
4. the overall need to engage in the risk-creating activity
5. the extent of knowledge about the risk and its elimination or mitigation
The above five points should be given equal consideration and guide agencies in implementing the controls that would be expected of a reasonable person.
It is important to remember that the adequacy of controls is considered in terms of doing all things reasonable to manage a risk, rather than all things possible. If budgets, resources and time were unlimited then doing all things possible would be achievable. In reality, however, budgets are capped and resources are limited.
b) Individual Control Assessment
While controls have been assessed as a group, each control also needs to be looked at to ensure it is effective and being used. This is what is commonly referred to as the controls assurance process. It is a means to confirm the existence and effectiveness of an individual control, and in doing so consideration should be given to factors such as:
Is the control relevant?
Is the control documented?
Is the control in use?
Is the control up to date?
Is the control effective?
If an existing control is identified as being ineffective, then the necessary improvements should be incorporated into a Treatment Action Plan.
The review and sign off of existing controls is an integral part of the management of the risk; responsibility needs to be assigned to control owners to ensure there is accountability for and ownership of this important aspect of the risk management process.
Hint: You might not be responsible for the management of all controls, and as such some controls may not be managed by the risk owner. For example, Human Resources may be responsible for specific policies. The policy control would then be delegated for assessment to the appropriate and responsible Human Resources staff member.
Consequence Rating
A risk that eventuates may impact an agency across a number of different areas, to a greater or lesser extent. When analysing the consequences of a risk event, an agency needs to consider the level of impact (1 to 5) in relation to each of the consequence categories defined in the Consequence Rating Table. For example, a risk may have an impact of 5 for Financial Loss and 4 for Reputation and Image, and little or no impact in the other areas. Both ratings may be recorded, as this demonstrates that your consideration of the risk has been thorough. The consequence rating must be selected taking into account the existing controls for the particular risk.
Hint: Only select the consequence categories that are relevant to that risk. You do not have to rate every consequence category for each risk. Some consequences will not be applicable to a specific risk.
Likelihood Rating
This describes how likely it is that a risk will eventuate with the defined consequences. Likelihood can be defined in terms of probability or frequency, depending on what is most convenient for the agency's purposes.
Hints: When you are rating the likelihood of a risk, ask yourself "How likely is it for this risk to occur, given the existing controls, to the level of consequence identified?" Past experience is an important guide to likelihood, but do not fall into the trap of thinking it is the only guide. There may be internal or external factors that increase or decrease the likelihood of such an event occurring in the future.
Calculating the Level of Risk
The Level of Risk, or Risk Rating, is calculated by multiplying the consequence and likelihood ratings. For any risk, there may be a number of different consequence/likelihood scenarios. Within each consequence category there may be multiple scenarios, ranging from minor but likely to catastrophic but rare. It is important to rate the realistic worst-case scenario, which is the worst-case level of risk considering both consequences and likelihood. In these instances, it may be appropriate to rate the same consequence category more than once. Where there are multiple ratings for a risk, the highest combination of consequence/likelihood is taken as the level of risk.
In the example below, the assessor has considered two different scenarios in relation to Injuries: one with a potentially catastrophic consequence and the other a moderate consequence. However, because of the difference in likelihood of these two scenarios, the highest level of risk (9 in this example) relates to the moderate consequence/moderate likelihood scenario, and as such determines the level of this risk.
Consequence Category | Consequence Rating | Likelihood Rating | Level of Risk | Explanation
Injuries | 5 | 1 | 5 | Multiple deaths very rarely happen.
Injuries | 3 | 3 | 9 | Injuries only requiring medical attention are more common.
Service Interruption | | | | It is unlikely that services could be interrupted for more than three weeks.
Hints: For risks that have a rating of 4 or 5 for consequence or likelihood this identifies a particular need to focus on the overall controls rating for those risks.
When dealing with risks that result in a Service Interruption, the agency may need to formulate a Business Continuity Plan (BCP) to address risks with major and/or catastrophic consequences (irrespective of likelihood rating). If you do identify a risk that will interrupt your services, you should determine what would be a maximum acceptable outage. That is, how long can you afford to have that service interrupted before the consequences become unacceptable? Once implemented the BCP is a risk control to facilitate the provision of critical services in a less than perfect operating environment until operations can be restored to normal. Refer to the Western Australian Government Business Continuity Management Guidelines for more detail.
Risk Acceptance Criteria Table
Level of Risk | Descriptor | Criteria for Management of Risk | Reporting To
1-3 | Acceptable | With adequate controls; Risk Owner | Annual reporting to Audit & RM Committee
4-5 (excluding risk with consequence of 4 or 5) | Low | With adequate controls; Risk Owner | Annual reporting to Audit & RM Committee
6-9 (excluding risk with consequence of 4 or 5) | Moderate | | Quarterly reporting to Audit & RM Committee/Director
10-14 (including any risk with consequence of 4 or 5 and LOR <15) | Significant | | Quarterly reporting to Audit & RM Committee and Executive
15-25 | Critical | Director General | Immediate reporting to Executive and Director General
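The worst-case selection and the Risk Acceptance Criteria Table above, as an added Python illustration (this is not RiskCover's code; the class and function names are this example's own). It rates each scenario, takes the highest consequence/likelihood combination as the level of risk, and maps it to the table's descriptor and reporting row; it assumes the "consequence of 4 or 5" rule is applied to the consequence rating of the scenario that determined the level of risk.

```python
"""Level-of-risk calculation and acceptance-criteria lookup.

Added illustration of the guideline's method: consequence x likelihood per
scenario, realistic worst case across scenarios, then the Risk Acceptance
Criteria Table. Not RiskCover code; names and data classes are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Scenario:
    """One consequence/likelihood combination considered for a risk."""
    category: str          # consequence category, e.g. "Injuries"
    consequence: int       # 1 (insignificant) .. 5 (catastrophic)
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    explanation: str = ""

    def __post_init__(self):
        for name in ("consequence", "likelihood"):
            if getattr(self, name) not in range(1, 6):
                raise ValueError(f"{name} must be 1..5")

    @property
    def level_of_risk(self) -> int:
        # Level of Risk = consequence rating x likelihood rating
        return self.consequence * self.likelihood


@dataclass
class Risk:
    name: str
    scenarios: list = field(default_factory=list)

    def worst_case(self) -> Scenario:
        """Realistic worst case: the scenario with the highest level of risk.
        Ties are broken towards the higher consequence rating (conservative)."""
        if not self.scenarios:
            raise ValueError("a risk needs at least one rated scenario")
        return max(self.scenarios, key=lambda s: (s.level_of_risk, s.consequence))

    def level_of_risk(self) -> int:
        return self.worst_case().level_of_risk


# Reporting column of the Risk Acceptance Criteria Table, keyed by descriptor.
CRITERIA = {
    "Acceptable": "Annual reporting to Audit & RM Committee",
    "Low": "Annual reporting to Audit & RM Committee",
    "Moderate": "Quarterly reporting to Audit & RM Committee/Director",
    "Significant": "Quarterly reporting to Audit & RM Committee and Executive",
    "Critical": "Immediate reporting to Executive and Director General",
}


def descriptor(level: int, consequence: int) -> str:
    """Map a level of risk to its descriptor.

    Bands are 1-3, 4-5, 6-9, 10-14 and 15-25, but a risk whose consequence is
    rated 4 or 5 is never Low or Moderate: with LOR below 15 it is Significant
    regardless of the numeric band (assumption: the rule is read against the
    consequence of the determining scenario).
    """
    if level >= 15:
        return "Critical"
    if consequence >= 4 or level >= 10:
        return "Significant"
    if level >= 6:
        return "Moderate"
    if level >= 4:
        return "Low"
    return "Acceptable"


def evaluate(risk: Risk) -> dict:
    """Rate a risk and look up how it must be managed and reported."""
    worst = risk.worst_case()
    desc = descriptor(worst.level_of_risk, worst.consequence)
    return {
        "risk": risk.name,
        "determining_scenario": worst,
        "level_of_risk": worst.level_of_risk,
        "descriptor": desc,
        "reporting": CRITERIA[desc],
        # Any rating of 4 or 5 for consequence or likelihood is the guideline's
        # prompt to revisit the overall controls rating for the risk.
        "review_controls_rating": any(
            s.consequence >= 4 or s.likelihood >= 4 for s in risk.scenarios
        ),
    }


if __name__ == "__main__":
    # Constructed example mirroring the guideline's Injuries illustration.
    injuries = Risk("Workplace injury", [
        Scenario("Injuries", 5, 1, "Multiple deaths very rarely happen."),
        Scenario("Injuries", 3, 3, "Injuries needing medical attention are more common."),
    ])
    for key, value in evaluate(injuries).items():
        print(f"{key}: {value}")
```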
Assigning risk ownership ensures a specific person is responsible and accountable for a particular risk. It is usually impractical and ineffective for risk ownership to be assigned to a body, such as a business unit or committee.
Where a risk meets the criteria for acceptance as defined by an agency's Risk Acceptance Criteria Table, the risk owner is able to accept the risk. Where a risk does not meet the criteria for acceptance, the risk must be managed by the position identified as having responsibility for that particular level of risk, as indicated by the Risk Acceptance Criteria Table. Similarly, a risk should also be transferred to the appointed authority for acceptance when it is defined as critical.
The risk decision balances the issues of risk and opportunity. Should an opportunity be passed over because of the risks associated with it? Should more be done to manage the risk so as not to miss out on the opportunity? These are questions that the agency needs to address. An organisation cannot progress or improve without capitalising on opportunities, and opportunities will always have associated risks. The risk management process allows you to optimise these decisions and demonstrate you are effectively managing the risks.
Hint: In some circumstances, it may be necessary for an agency to accept a high level risk. Government agencies can be the provider of last resort in some instances or the only provider of specialised services. As such they may have no option but to continue to provide those services and assume the risk associated with them. In these circumstances it is important to ensure that the agency, for their own part, is doing all things reasonable to manage the risk.
3.3.6 Summary
In this step, we have assigned values (risk ratings) to individual risks and made decisions based on those ratings. We started by evaluating existing controls and subjecting them to an assurance process. Then, taking those controls into account, ratings were assigned to each risk for consequence, likelihood and level of risk, based on the measures established in Step 1. The rated risks are then evaluated against the risk acceptance criteria to determine how to manage the risk. There are three basic choices: accept the risk as is, accept the risk after treatment, or do not accept the risk. Finally, we discussed the importance of risk ownership to ensure that the risk is monitored and the controls remain in place.
In some cases, existing controls will be deemed to be adequate and effective, and the risk will be accepted as it stands. In other instances, the risk will need to be more effectively managed before it can be accepted. This latter case requires the formulation of risk treatments. Risk treatment involves identifying a range of options to reduce the consequences and/or likelihood of a risk, or improve the controls rating, evaluating those options, preparing treatment plans, and implementing them.
Hints: You may see alternative treatment options in other texts, such as "transfer the risk" and "share the risk". However, the treatment resulting from transferring or sharing the risk will fit into the above categories: it reduces consequences and/or likelihood.
Managing risk is about doing all things reasonable, not all things possible. To evaluate the treatment options, a number of selection criteria can be applied:
How will the treatment impact the Level of Risk and/or Controls Rating? For each treatment option, a predicted level of risk and controls rating should be calculated, considering the impact of adding this option as a new control. Treatment options which reduce the level of risk to an acceptable level and/or improve the controls rating should be considered.
Cost of implementation versus benefits derived: selecting appropriate options involves balancing the cost against the benefits derived. An option may appear to be the best from a risk reduction perspective, but the cost of implementation may be prohibitive.
Compatibility with agency objectives: the options selected need to be compatible with the overall objectives of the agency. Treatments that are incompatible with existing objectives, culture or policies are obviously unacceptable, no matter how effective they might prove.
A treatment becomes a control only when it has been 100% implemented and signed off by the Treatment Owner. It is then subject to controls assurance and the regular monitoring and review process. Following the implementation of the treatment options, the level of risk needs to be re-evaluated to determine if the treatment brings the risk to an acceptable level for the agency. If not, further treatment options may need to be selected.
3.4.3 Summary
Formulating and implementing Treatment Action Plans is the final step in the risk management process, but it is only the beginning of fully integrating risk management into your agency. If the process stops once it becomes a set of documents, it will generate minimal benefit, and the time you spent on Steps 1-4 will be wasted.
3.5
Risk management does not end once risks have been identified, assessed and documented. The risk information generated should be used to inform the agency's strategic and/or operational plans and to guide budgets or financial statements. Risk information thus becomes part of everyday thinking. How easily risk information can be extracted and used depends on how it is categorised, sorted and reported.
Hint: Appropriate and useful risk categories should be determined by each agency as part of setting the organisational context. These are often linked to the categories of an agency's quality framework. Examples of categories are:
Leadership
Strategy and Planning
Knowledge and Information
People
Customer and Market Focus
Innovation, Quality and Improvement
Success and Sustainability
b) Impact Range
Another way to categorise risks is by impact range. The impact range is a classification hierarchy which indicates how widely the consequences of the risk will reach, within the agency and beyond.
Hint: If the risk were to eventuate, ask yourself "How wide an impact could it have?" Could the risk impact a specific division/department, the whole agency, or even the whole of the State? Common Impact Range descriptors include:
State-wide
Agency-wide
Metro-wide
Directorate-wide
Division-wide
Project Risks
Project risks are unique to each project and are identified at various stages of the project life cycle. Risks evolve through each of these stages, for example from conception and design through to completion and handover, and it is important that these be captured and monitored to ensure project success. Contracts are a key component of most projects. Contracts not only represent a formalised agreement between the principal and the contractor; they also reflect risks identified throughout the project's life cycle. These risks go towards informing the contract's terms and conditions. Hence it is critical that a thorough risk assessment be conducted prior to contract formation to ensure that, where appropriate, risks are managed within the contract.
The early identification of this critical information will inform project planning and management, including the formulation of any contracts required for delivery of specific services or elements of the project. The terms and conditions specified in the contract should reflect the risk sharing decisions.
Monitoring and review are related processes, but the distinction between them is important in the context of risk management:
Monitoring is an ongoing process of routine surveillance of both the internal and external environments.
Review is a more periodic process that looks at the current status or situation, and usually has a specific focus.
Monitoring and review should be designed to detect both gradual and sudden change. Continuous monitoring is most likely to detect a dramatic change in a timely fashion, whereas periodic review of a particular aspect of the risk process is more oriented towards detecting trends and incremental change.
The first area relates to issues specific to a particular risk assessment, which would cover the following:
Context: the risk assessment context was established from a number of facts and deductions. For instance, the operational environment, agency structure, stakeholder expectations, statutory requirements, economic conditions and political environment are all based on perceptions at the time. The monitoring and review process should detect whether any of these underlying assumptions have changed, or whether new factors have emerged that impact upon the context of the particular risk assessment.
Risks & Controls: numerous factors can cause the likelihood and consequences of risks, or the actual nature of the risks themselves, to change. The controls for risks can also become less effective or irrelevant. Monitoring by the risk owner and others will ensure the timely detection of these changes so that appropriate action can be taken.
Treatments: risk treatments need to be monitored and reviewed to ensure they are on course to be fully and correctly implemented. In some cases, treatments need to be adapted or strengthened because the risk they are designed to address has changed; in other instances, resources can be saved by discontinuing irrelevant treatments.
The second area for monitoring and review is the application of the risk management process across the entire agency, with specific attention to the following:
Consistent application of the risk management process across the agency
Incorporation of the risk management process into Strategic, Operational and Project planning
Adoption of risk management practices and procedures by staff at all levels
The monitoring and review of the risk specific contexts, risks, controls and treatments is primarily the responsibility of Risk, Control and Treatment Owners and should be integrated into the existing reporting lines and forums of the agency.
The monitoring and review of the application of the agency's Risk Management Policy and Procedures should be integrated into the role of Senior Management, who should then ensure that the process is effective in delivering the desired outcomes. Internal and external audit may also play an important part in verifying application of the risk management process.
Risk management Guidelines Copyright of Insurance Commission of WA RiskCover Division
Risk management should be fully incorporated into the operational and management processes at every level of the organisation.
A final comment with regard to monitoring and review is the important role it plays in good corporate governance. All government agencies face increasing requirements for sound and transparent decision making and prudent allocation of resources. The monitoring and review process is pivotal in fulfilling these requirements. A structured risk management process provides a means for Senior Executives and Directors to stay informed about the risks associated with their agency's activities and to ensure appropriate measures are in place to address those risks. It contributes transparency and objectivity to decision making, and it provides an audit trail to demonstrate how accountable officers have fulfilled their obligations to provide good governance.
Consider risks at all levels of the agency's operations (strategic, operational and project);
Integrate with business planning objectives, decision making and other elements of the agency's management framework;
Involve the whole organisation, from the board to senior management and employees.
Senior management commitment to a formal, documented and fully integrated risk management process;
Use of a common risk language;
Clearly defined responsibility and accountability for functions, activities and associated risks;
A process for identification and management of risk which is fully integrated with existing management processes, including business planning, budgeting and reporting processes;
Risk management reinforced through training and induction;
Outcomes monitored through the involvement of Senior Management and the establishment of support functions and champions.
Risk management Procedures: provide direction for and application of the risk management process for the agency.
Risk Reference Tables: use of the Risk Reference Tables is critical to provide a uniform measuring standard for risk and the means to aggregate and prioritise risks across the agency as a whole. Because of their criticality, it is imperative that there is Senior Executive input during their creation and Senior Executive approval for their use within the agency.
Risk Register Tool: agencies need to determine how to capture and report on the risk information captured through this process. Refer to the RiskCover website www.riskcover.wa.gov.au for the latest information regarding the RiskBase Web Application Tool.
3. Communication / Education
A program of education and communication needs to be developed for the agency. This is typically managed by the Executive and Management who make up the Risk Management Committee. They are charged with:
dissemination of the policy and procedures
raising awareness about managing risks
delivering education sessions on the specifics of the process
a performance management process
a process for recognition, rewards and sanctions.
The reporting on risks and the management of those risks should be integrated into the Business Unit's existing reporting forums and timeframes.
Appendix I
Glossary
resources to be used before, during and after a disruptive event to ensure the timely resumption of critical business activities and long term recovery of the organisation.
Consequence
The impact or outcome of a risk eventuating. A risk can have multiple consequences and can be expressed qualitatively or quantitatively.
Consequence Categories
These are key impact areas which, if affected as a result of a particular risk event, could have a significant impact on the ability of an Agency to deliver its outcomes. Consequence Categories are agency specific, and should reflect the Agency's economic, social and environmental responsibilities.
Control
A procedure, system, activity or process that reduces the likelihood and/or consequences of a risk. A risk may have more than one control, and a control may address more than one risk.
Controls Rating
A qualitative, common-sense measure of the adequacy of controls in addressing a risk.
Controls Assurance
The process whereby Control Ratings are verified through a series of questions regarding their relevance and effectiveness.
Impact Range
A measurement of how widespread the consequences of a risk may be. This measurement can assist in the assessment of controls and the formulation of treatments.
Implementation Plan
A plan created to establish how the risk management process is to be implemented into an organisation.
Key Activity
Any high level activity or function that is instrumental in an agency delivering required outcomes or performing its mission.
Key Dependency
Inputs which are essential to enable the delivery of a service, function or project, e.g. resources, specific data, specific equipment or knowledge.
Likelihood
A measure of how likely it is that a certain consequence will eventuate, ranging from rare to almost certain.
Monitor
An ongoing process of surveillance of the internal and external environments to ensure that risks continue to be effectively and appropriately managed.
Operational (Context)
Deals with operational risks: those risks associated with normal, ongoing operations and activities.
Project (Context)
Deals with Project Risks: those risks associated with defined projects and other discrete undertakings.
Residual Risk
Risk remaining after risk treatment.
Review
Periodic assessment of a specific aspect of the risk management process or a particular group of risks to determine if there have been gradual changes over time and ensure they achieve established objectives (Note: Review can be applied to a risk management framework, risk management process, risk or control).
Risk Analysis
A process that assigns a risk rating to each risk by evaluating the effectiveness of existing controls and assigning values for Consequences and Likelihood for various scenarios.
Risk Assessment
Step 3 of the risk management process, which involves assigning values (Risk Ratings) to individual risks and deciding how to manage them (risk evaluation).
Risk Categories
Categorisation of risks within the agency by type, often based on source of risk. This helps identify common risks in different functional areas.
Risk Decision
The decision made after Risk Evaluation, balancing risk and reward.
Risk Evaluation
Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
Risk Identification
Step 2 of the Risk management Process, which uses Critical Success Factors and Key Dependencies to identify risks.
A process of finding, recognising and describing risks relating to CSFs and Key Dependencies. The identification of risk includes the identification of risk sources, events, their causes and their potential consequences. Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' needs.
Risk Management
The practice of systematically identifying, understanding, and managing the risks encountered by an organisation.
Risk Owner
The person with the accountability and authority, specifically assigned in Step 3 to manage the risk, including monitoring the risk, its controls and any treatments that are implemented.
Risk Profile
A description of any set of risks. The set of risks can contain those that relate to the whole organisation, part of the organisation, or as otherwise defined.
Stakeholder
Person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity. There are internal (e.g. employees) and external (e.g. community groups) stakeholders.
Strategic (Context)
Deals with strategic risks: risks which concern the whole agency and are associated with long term organizational objectives. Strategic risk management is most effective when conducted as an integral part of the strategic planning process.
Treatment
A measure that is designed and implemented to further reduce the consequences and/or likelihood of a risk, or to improve the overall controls rating. Once a treatment is fully implemented and effective (in place), it becomes a control.
Appendix II
Sample Risk Management Policy
Risk management will form part of strategic, operational and line management responsibilities and be integrated into the Strategic and Business Planning processes. In respect of a special risk, responsibility may be assigned to a nominated officer of the agency, or a Committee Chairman, as determined by the need.
There will be an Executive Risk management Committee to determine and communicate Policy, Objectives, Procedures and Guidelines and to direct and monitor implementation, practice and performance throughout the agency.
Performance will be measured by: implementation and documentation of risk management, identification of risks and successful treatment in accordance with procedures and guidelines, mitigation and control of any losses, reduction in the costs of risks, and achievement of Best Practice.
Consultants may be retained from time to time to advise and assist in the risk management process, or in the management of specific risks or categories of risk.
Every employee of the agency is recognised as having a role in risk management, from vigilance in the identification of risks through to their treatment, and shall be invited and encouraged to participate in that process.
Objectives
To ensure Risk management is adopted throughout the agency as a prudent management practice.
To ensure that all employees are made aware of the need to manage risk and to promote a culture of participation in that process.
To protect the agency from adverse incidents, to reduce its exposures to loss and to mitigate and control loss should it occur.
To ensure the ongoing, unimpeded capacity of the agency to fulfil its mission, perform its key functions, meet its objectives and serve its customers.
To reduce the costs of risk to both the agency and the Western Australian State Government.
To adhere to Australian Risk management Standards and comply with the Public Sector Commissioner's Circular 2009/19.
Appendix III
Sample Risk Reference Tables
Sample 1
EXISTING CONTROLS
Level | Descriptor | Foreseeable
E | Excellent | More than what a reasonable person would be expected to do in the circumstances.
A | Adequate | Only what a reasonable person would be expected to do in the circumstances.
I | Inadequate | Less than what a reasonable person would be expected to do in the circumstances.
CONSEQUENCE RATING DESCRIPTORS (levels in ascending order: Minor, Moderate, Major, Catastrophic; descriptors recovered for each impact area are listed in ascending order)
Injury/illness: Injury or illness requiring first aid only; Medical treatment necessary / insurance claim / rehabilitation programme / lost time injury or illness.
Reputation and image: Negative media article, low local exposure, tenant/client/contractor complaint handled at Line Manager level; Some negative media coverage or industry criticism, tenants/clients/contractors make formal complaints, General Manager/Director involved; Extensive public criticism, Statewide media exposure, public embarrassment, loss of credibility, Director General involvement; Sustained State and National media reporting, very high multiple impacts across Government, Minister involved, Government censure, third party actions.
Financial loss: Revenue/cost impact 2-5% of operational budget; Revenue/cost impact 5-10% of operational budget.
Objectives/key deliverables: Minor delays in achieving objectives, majority of objectives remain on track; Management effort required to redirect resources to avoid delays in achieving strategic intents, administration of the program/project/activity could be subject to significant review or change; Significantly reduced ability to achieve objectives/key deliverables, continued function of the program/project/activity would be threatened; Failure to achieve one or more key deliverables, resulting in major flow-on effects for external stakeholders and other public sector agencies.
Service interruption: All agency activity stopped for 2-4 hours; All agency activity stopped for 4 hours to 1 day.
Social/community: Minor delay impacting on ability to meet social/community expectations; Community backlash, social and community rejection; Long delays in service delivery lead to Statewide impacts socially, economically and financially, emerging environment and/or health issues; Widespread social problems causing multiple impacts, serious long term environmental and health issues.
Approved as at ..../..../....
By: .......................................
Title: ..................................................................
Sample 2

EXISTING CONTROLS
Level  Descriptor  Foreseeable
E      Excellent   More than what a reasonable person would be expected to do in the circumstances.
A      Adequate    Only what a reasonable person would be expected to do in the circumstances.
I      Inadequate  Less than what a reasonable person would be expected to do in the circumstances.
CONSEQUENCE
Stakeholders and staff
  Insignificant: Insignificant weakening of a single stakeholder relationship and little impact to staff morale.
  Minor: Damage to 3 stakeholder relationships and temporary change to staff morale, able to be rectified in the short term.
  Moderate: Weakened relationship with a significant number of stakeholders and some reduction in staff morale, requiring specific measures to rectify.
  Major: Damage done to the majority of existing stakeholder relationships and significant and widespread staff absences.
  Catastrophic: Total loss of credibility with all stakeholders and loss of key staff.
Business interruption
  Minor: 1 hour to 1 day.
  Moderate: 1 day to 1 week.
  Major: 1 week to 1 month.
Reputation
  Moderate: Substantiated, public embarrassment, moderate impact, moderate news profile, Ministerial involvement.
  Major: Substantiated, public embarrassment, high impact, high news profile, Third Party actions, public Ministerial involvement.
  Catastrophic: Substantiated, public embarrassment, very high multiple impacts, high widespread multiple news profile, Third Party actions, public Ministerial involvement, Government censure.
Injuries
  Moderate: Medical treatment required and/or psychological intervention/treatment required.
  Major: Serious or extensive injuries and/or significant and long term psychological stress.
  Catastrophic: Death or severe permanent physical and/or psychological disablements.
Compliance
  Short term non compliance but with significant regulatory requirements imposed.
Financial
  Catastrophic: > $1.5m.
RISK RANK AND RESPONSIBILITY
Risk Rank     Who is Responsible
Acceptable    Risk Owner
Low           Risk Owner
Moderate
Significant   Executive Director
Critical      Director General
(Note: Any risk with a consequence rating of 4 or 5 can only be accepted by the Executive Director with Excellent Controls)
Risk management Guidelines Copyright of Insurance Commission of WA RiskCover Division
Approved as at ..../..../....
By:
.......................................
Title:
..................................................................
Sample 3

EXISTING CONTROLS
Level E - Excellent
  Foreseeable: More than what a reasonable person would be expected to do in the circumstances.
  Example detail description: Controls fully in place and require only ongoing maintenance and monitoring. Protection systems are being continuously reviewed and procedures are regularly tested.
Level A - Adequate
  Foreseeable: Only what a reasonable person would be expected to do in the circumstances.
  Example detail description: Being addressed reasonably. Protection systems are in place and procedures exist for given circumstances. Periodic review.
Level I - Inadequate
  Foreseeable: Less than what a reasonable person would be expected to do in the circumstances.
  Example detail description: Little to no action being taken. No protection systems exist or they have not been reviewed for some time. No formalised procedures.
CONSEQUENCE
Historic
  Insignificant: Minor maintenance, localised, reparable damage affecting items/areas of little significance.
  Minor: Limited, reparable damage of items/areas of some significance.
  Major: Localised or limited, irreparable damage of items/areas of considerable or exceptional significance.
Operational efficiency
  Insignificant: Little impact.
  Minor: Inconvenient delays.
  Moderate: Delays in deliverables.
  Major: Non-achievement of major deliverables.
Business interruption
  Minor: 2 hours to 4 hours.
  Moderate: 4 hours to 1 day.
Financial loss
  $250,000 to $1m of operational budget.
Reputation
  Moderate: Public criticism of moderate impact from a number of sources, moderate news profile, Minister involved.
Natural environment - Water bodies
  Minor: Less than 10% of water communities affected. Water quality affected for less than 24 hours. Water level rise of 0.5-1m above highest natural level. Minor impact to fish/mammal/sea birds/reptiles. 50-200 ha affected. Area will regenerate in 6-18 months with low level of intervention.
  Moderate: 10-40% of water communities affected. Water quality affected for 1-3 days. Water level rise of 1-2m above highest natural level. 201-400 hectares affected. Loss of 20-100 fish. Communities will regenerate in 18 months to 5 years with some level of intervention and repair.
  Major: 40-75% of water communities affected. Water quality affected for 4-10 days. Water level rise of 2-3m above highest natural level. 401-2000 ha affected. Loss of 100-250 fish. Communities will regenerate in 5-10 years with some intervention and repair.
  Catastrophic: More than 75% of water communities affected. Water quality affected for more than 10 days. Water level rise of >3m above highest natural level. 2001 to 3828 ha affected. Loss of >250 fish. Communities may regenerate in more than 10 years with some intervention, or have no regeneration.
Natural environment - Flora & Fauna
  Moderate: 10-40% of plant or mammal life affected. 101ha-200ha affected. Will regenerate in 18 months to 5 years with some level of intervention or repair.
  Major: 40%-75% of plant or animal life affected. 201ha-1000ha affected. Will regenerate in 5-10 years with high level of intervention or repair.
  Catastrophic: >75% of plant or animal life affected. 1001ha-1900ha affected. May regenerate in more than 10 years with considerable high level of intervention or repair, or have no regeneration.
RISK RANK AND RESPONSIBILITY
Risk Rank              Who is Responsible
Low                    Risk Owner
Moderate               Risk Owner
Significant (10 - 14)  Director
High (15 - 25)         CEO
Approved as at ..../..../....
By:
.......................................
Title:
..................................................................
Sample 4

EXISTING CONTROLS
Level  Descriptor  Foreseeable
E      Excellent   More than what a reasonable person would be expected to do in the circumstances.
A      Adequate    Only what a reasonable person would be expected to do in the circumstances.
I      Inadequate  Less than what a reasonable person would be expected to do in the circumstances.
CONSEQUENCE
Financial
  Minor: $5,000 to $20,000.
  Moderate: $20,000 to $100,000.
  Major: $100,000 to $300,000; $40M to $120M.
  Catastrophic: More than $120M.
Operational efficiency
  Minor: Inconvenient delays.
Reputation
  Moderate: Substantiated, public embarrassment, moderate impact, moderate news profile, Ministerial involvement.
  Major: Substantiated, public embarrassment, Major impact, Major news profile, Third Party actions, public Ministerial involvement.
  Catastrophic: Substantiated, public embarrassment, multiple impacts, widespread multiple news profile, Third Party actions, public Ministerial involvement, Government censure.
Injuries
  Moderate: Medical treatment required.
Compliance (in increasing severity)
  - Short term non compliance but with moderate regulatory requirements imposed.
  - Non compliance results in termination of service or imposed penalties.
CRITERIA FOR MANAGEMENT OF RISK
- Requires Adequate controls and semi-annual monitoring.
- Risk Owner: Requires Adequate controls before an acceptance decision can be made. Quarterly monitoring.
- Significant (10 - 14), Director: Requires Excellent controls prior to an acceptance decision being made. Monthly monitoring. Urgent Attention Required.
- High (15 - 25), CEO: Requires Excellent controls and all Treatment Action Plans to be explored and implemented where possible, prior to an acceptance decision. Continuous Monitoring. Urgent Attention Required.
Approved as at ..../..../....
By:
.......................................
Title:
..................................................................
Sample 5

EXISTING CONTROLS
Level  Descriptor  Foreseeable
E      Excellent   More than what a reasonable person would be expected to do in the circumstances.
A      Adequate    Only what a reasonable person would be expected to do in the circumstances.
I      Inadequate  Less than what a reasonable person would be expected to do in the circumstances.
CONSEQUENCE
Injuries
  Insignificant: No real injuries.
  Minor: 1st aid injury.
  Moderate: Medical injury.
  Catastrophic: Multiple deaths.
Financial loss or damages
  Insignificant: <$20k loss or damages.
  Minor: $20k to $99k loss or damages.
  Moderate: $100k to $999,999 loss or damages.
  Major: $1m to $9m loss or damages.
  Catastrophic: >$10m loss or damages.
Operational status
  Insignificant: Operational - minor rectification required.
  Minor: Service restrictions - rectification required.
  Moderate: Not operational - minor rectification required before operational.
  Major: Not operational - extensive rectification required before operational.
Service delivery
  Insignificant: Isolated delays or change to service area.
  Minor: Some minor delays or some services cancelled.
  Moderate: Some moderate delays and some services cancelled.
  Major: Major delays and most services cancelled.
Hazardous impact
  Insignificant: Some insignificant impact.
  Minor: Contained minor impact.
  Moderate: Uncontained impact able to be rectified in short term.
  Major: Extensive hazardous impact; long term rectification.
  Catastrophic: Uncontained hazardous impact; residual effect.
Reputation and patronage
  Minor: Substantiated complaints and lobby group correspondence.
  Moderate: Complaints and short term drop in patronage. News reports and parliamentary questions.
  Major: Sustained drop in patronage. High profile news reports and political embarrassment.
  Catastrophic: Patronage decrease causes cancellation of service. Widespread news reports and major political/government repercussions or change.
Compliance (in increasing severity)
  - Some non compliances.
  - Many compliance or probity infringements and some processes repeated.
  - Non compliance results in termination of process or imposed penalties.
RISK RANK AND RESPONSIBILITY
- Extreme: Risk is unacceptable; refer to Executive.
- High (10 - 14): Risk is undesirable. Decision on acceptance of risk to be made by the relevant Executive Director.
- Moderate (6 - 9): Decision on acceptance of risk to be made by the relevant Director or Senior Manager, EXCEPT where the Consequence is Catastrophic, when the decision on acceptance of risk must be made by the relevant Executive Director.
- Low (1 - 5): Risk is acceptable; manage by routine procedures, EXCEPT where the Consequence is Catastrophic, when the decision on acceptance of risk must be made by the relevant Executive Director and a Treatment Action Plan is required.
Approved as at ..../..../....
By:
.......................................
Title:
..................................................................
Appendix IV
Sample Risk Register
Appendix V
Sample Risk Management Implementation Schedule
Activities
- Develop a program plan, i.e. develop and agree the framework and procedure for identifying and managing operational risks and the reporting requirements.
- Identify, assess and prioritise risks as part of an operational planning session or a dedicated workshop.
- Treat risks: develop risk reduction strategies as part of the strategic planning session; develop risk reduction strategies as part of the regular operational management process.
- Monitor and review risks and risk reduction strategies as part of the regular operational management process.
- Report risks and treatment strategies quarterly to the RM committee as required by the program plan.
- 6 Risk Auditing: develop and agree an audit plan to ensure the effectiveness of the RM process and the management of key risks.

Timing (column entries in table order): Sept 2009; Oct 2009; ??? 2009; ????? 2009; Oct 2009; From Oct 2009, monthly at management meetings; From Oct 2009, monthly at management meetings; ??? 2009.

Responsibility (column entries in table order): Executive with assistance from RM Co-ordinator; Executive with assistance from RM Co-ordinator; Executive with assistance from RM Co-ordinator; RM Co-ordinator & RM Committee, endorsed by Executive.
Appendix VI
Strategic Risk Management Framework
A Strategic Plan is a comprehensive master plan that states how we are going to achieve our mission and objectives. Anything that has a bearing on that is strategic. Strategic management is the set of managerial decisions and actions that determines the long-run performance of the organisation.
Strategic Risk management is the identification and management of risks likely to have a material impact on the organisation's ability to achieve its mission and objectives.
The risks identified and evaluated as part of the strategic planning process will be risks that affect the entire agency and its ability to achieve its mission. This is the point at which the agency identifies the risks that would prevent it from exploiting its opportunities and strengths, that would expose its weaknesses, and that would leave the agency's threats unaddressed.
2. The identification/evaluation/management of risks associated with particular strategies (current) and their implementation.
As our businesses are going concerns, there are strategic plans in various states of implementation. Therefore, the particular approach for your agency must reflect the current situation.
The following flow diagram shows how risk identification becomes an integral part of the strategic planning process.
Strategic Risk Profile (flow diagram)

Environment Scan of Strategic Factors
  Internal: Structure (The Organisation); Culture (Beliefs, Expectations, Values); Resources (Assets, Skills, Competencies, Knowledge, Systems)

SWOT Analysis
  Weaknesses: Risks that can accompany weaknesses
  Opportunities: Risks that arise from opportunity

Strategic Formulation
  Mission / Vision; Goals and Critical Success Factors; Objectives and KPIs; Strategies; Policies
  Achievable? What can go wrong? Are all threats avoided and weaknesses minimised in respect to mission, goals and objectives?

Strategic Implementation (Operational Planning)
  Programs; Budgets; Procedures
  Can anything go wrong in this stage that will impact achievement?

Evaluation and Control
  Are there any weaknesses in information, management or control systems, or reporting?
This review will highlight anything that should be taken into account for future planning.
2. Stakeholder Profile
Identify who the organisation's stakeholders are and their expectations. In addition, it is important to consider what the consequences will be if their expectations are not met. This should sharpen the focus and ensure that the strategies you are adopting will meet the needs and expectations of the stakeholders.
3. Environmental Scan
Environmental scanning identifies factors which influence what the organisation will do and how it will do it. It covers both the internal and external environmental factors. From the Environmental Scan, the organisation can assess where it sits in relation to industry and society's expectations, and how it is situated to respond appropriately to market trends or demands.
4. SWOT
A SWOT analysis is used to identify:
- Risks to strengths
- Risks from weaknesses
- Risks from opportunities
- Threats which are Risks
These risks are then evaluated in terms of impact upon achievement of objectives.
5. Strategy Formulation
In this stage, strategies are identified to achieve Goals and Objectives whilst being focused on the organisation's Mission/Vision. An assessment of the risks and opportunities associated with each proposed strategy, and of the potential for impact upon the achievement of objectives, should be an integral part of this step. This is the creative stage of developing strategies that will deliver the organisation's goals and objectives, mission and vision without exposing it to unacceptable risk.
6. Strategy Implementation
Once the strategies are decided upon, the process of implementing them carries a new set of risks. Each of these risks needs to be identified, and appropriate risk minimisation strategies built into the implementation plan.
7. Evaluation and Control
There need to be system reviews that ensure the process is implemented efficiently and effectively, and progress needs to be reported. Mechanisms need to be put in place to monitor the implementation of the Strategic Plan and to identify any new risks that arise. The annual Strategic Review process needs to be programmed so that there is an opportunity for a formal review.
Appendix VII
Project Life Cycle
Example -