ACT Insurance Authority

GUIDE TO RISK MANAGEMENT

February 2004
1 of 10
Insurance & Risk
Management Strategies
Contents
INTRODUCTION...............................................................................................................3
THE RISK MANAGEMENT PROCESS..........................................................................4
CONSEQUENCE................................................................................................................ 4
THE STEPS INVOLVED IN MANAGING RISK............................................................5
FREQUENTLY ASKED QUESTIONS.............................................................................7
Are there templates to assist the risk assessment activities?...............................
!here "o I fin" the "etails re#uire" to un"ertake a risk assessment?..................
!hen shoul" I "o $isk %ana&ement?..................................................................
!hen am I re#uire" to complete a $isk %ana&ement 'lan?................................(
)houl" I use the templates provi"e" *ith this +ui"e?...........................................(
!hat "o I nee" to "ocument?...............................................................................(
!hat about Frau" an" Inte&rity risks?..................................................................(
!ho can I ask for further information an" a"vice?................................................,
USEFUL REFERENCES....................................................................................................9
USEFUL SITES...................................................................................................................9
2 of 10
Introduction
This Guide to Risk Management for the ACT Government is designed to
help you identify key risks to your outputs, whether for your
Department, Agency, team or individual activity Managing risk ena!les
your organisation to achieve its potential with the least interference from
a risk eventuating "ffective Risk Management also ena!les you to take
advantage of opportunities as they arise
Risk management applies to all ACT Government decision#making
activities, including policy development and advice, outsourcing and
outsourced services, contract management, program delivery, pu!lic
events and ena!ling services Risk Management ena!les us to minimise
the !arriers to meeting our !usiness o!$ectives
Risk Management isn%t $ust a!out decisions and !ehaviour that affect
e&penditure or e&pose the Territory to lia!ility Risk Management is
a!out giving the !est advice we can to Ministers and stakeholders
A A!out this Guide
This guide is !ased on Australian'(ew )ealand *tandard A*'()*
+,-./0..+ # Risk Management 1the *tandard2 and descri!es how to
meet the re3uirements of the Territory%s Risk Management 4olicy
*tatement 5or further details on any aspects of Risk Management,
please refer to
a. the *tandard 1wwwstandardscomau2, and
b. the ACT Government%s "nterprise#wide Risk Management
5ramework
6 Definition of Risk
A risk is defined !y the Australia'(ew )ealand *tandard for Risk
Management 1AS/NZS 4360:20042 as
the possibility of something happening that impacts on you
ob!ecti"es# $t is the chance to eithe ma%e a gain o a loss# $t
is measue& in tems of li%elihoo& an& conse'uence#(
The effective management of risk ena!les you to ma&imise opportunities
and achieve your outputs
- of 10
The Risk Management 4rocess
4 of 10
A*'()* +,-./0..+
.ikelihoo"
Conse#uence
M
o
n
i
t
o
r

/

R
e
v
i
e
w
S
t
a
k
e
h
o
l
d
e
r

C
o
n
s
u
l
t
a
t
i
o
n

/

C
o

u
n
i
!
a
t
i
o
n
Conse"uen!e Conse"uen!e
Likelihoo
d
Esta#lish Goals $ Conte%t
Identi&' Risks
Anal'se Risks
Estiate Risk (evel
(ikelihood
Conse"uen!e
Evaluate the Risks
Treat the Risks
The steps involved in managing risk
A "sta!lish Goals and Conte&t
As outlined in the Risk Management process, the risk
assessment is undertaken within the conte&t of your
goals The identification ' validation of your goals is
therefore a critical first step in the risk management
process
"ffective risk management re3uires a thorough understanding of the
conte&t in which your Department or Agency operates The analysis of
this operating environment ena!les you to define the parameters within
which the risks to your outputs need to !e managed
The conte&t sets the scope for the risk management process The
conte&t includes strategic, organisational and risk management
considerations According to the *tandard, strategic conte&t defines the
relationship !etween the organisations and its environment 5actors
that influence the relationship include financial, operational, competitive,
political 1pu!lic perceptions ' image2, social, client, cultural and legal
The definition of the relationships is usually communicated through
frameworks such as the *78T 18rganisational strengths, weaknesses,
opportunities and threats2 and 4"*T 14olitical, "conomic, *ocietal, and
Technological2
The organisational conte&t provides an understanding of the
organisation, its capa!ility and goals, o!$ectives and strategies
According to the *tandard, organisational conte&t is important !ecause/
a2 risk management occurs within the conte&t of endeavouring to
achieve the goals and o!$ectives,
!2 failure to achieve the o!$ectives is one set of risks that need to !e
managed, and
c2 the goals and strategies assist to define whether a risk is accepta!le
or unaccepta!le
The risk management conte&t defines that part of the organisation
1goals, o!$ectives, or pro$ect2 to which the risk management process is
to !e applied
/ of 10
6 Identify risks
Identify the risks most likely to impact on your outputs,
together with their sources and impacts It is important
to !e rigorous in the identification of sources and
impacts as the risk treatment strategies will !e directed
to sources 1preventive2 and impacts 1reactive2
C Analyse risks
Identify the controls 1currently in place2 that deal with
the identified risks and assess their effectiveness
6ased on this assessment, analyse the risks in terms of
likelihood and conse3uence Refer to the Risk Matri& to
assist you in determining the level of likelihood and
conse3uence, and the current risk level 1a com!ination of likelihood
and conse3uence2
D "valuate risks
This stage of the risk assessment process determines
whether the risks are accepta!le or unaccepta!le This
decision is made !y the person with the appropriate
authority A risk that is determined as accepta!le
should !e monitored and periodically reviewed to ensure
it remains accepta!le A risk deemed unaccepta!le should !e
treated 1see !elow2 In all cases the reasons for the assessment should
!e documented to provide a record of the thinking that led to the
decisions *uch documentation will provide a useful conte&t for future
risk assessment
" Determine the treatments for the risks
Treatment strategies will !e directed towards/
i Avoiding the risk !y discontinuing the activity that
generates it, 1rarely an option when providing
services to the pu!lic2,
ii Reducing the likelihood of the occurrence,
iii Reducing the conse3uences of the occurrence,
iv Transferring the risk, and
v Retaining the risk
4otential treatment options are developed according to the selected
treatment strategy The selection of the preferred treatment options
takes into account factors such as the costs and effectiveness
0 of 10
The determination of the preferred treatments also includes the
documentation of implementation details 1eg responsi!ilities, a timeta!le
for implementation and monitoring re3uirements2
The intention of these risk treatments is to reduce the risk level of
unacceptable risks to an acceptable level 1ie/ the target risk level2 9se
the Risk Matri& to determine the e&pected reduction in level of risk
1e&pected conse3uence, likelihood and Target risk level2 resulting from
the successful implementation of the treatment
5 Monitor and report on the effectiveness of risk treatments
The relevant manager is re3uired to monitor the
effectiveness of risk treatments and has the
responsi!ility to identify new risks as they arise and
treat them accordingly Managers are also re3uired to
report on the progress of risk treatments at regular
intervals The person who has the responsi!ility for a
risk treatment is e&pected to provide feed!ack on the progress of the
:pro$ect ' initiative% as detailed in the :monitoring% field of the treatment
5re3uently Asked ;uestions
Ae thee templates to assist the is% assessment acti"ities)
The following templates and work sheets for completing a risk
management plan can !e o!tained in the ACTIA Risk Management
Toolkit/
Risk Matri&
Identifying and analysing risks
Risk Treatment *chedule
7orksheet < = *takeholder Agenda Analysis
7orksheet 0 = *78T Analysis
7orksheet , = 4"*T Analysis
7here do I find the details re3uired to undertake a risk
assessment>
ACTIA has produced the Risk Management Toolkit to take you step !y
step through the Risk Management process, including completion of a
Risk Management 4lan
7hen should I do Risk Management>
?ou are always re3uired to manage risk Managing risk in the ACT
Government is a!out identifying and evaluating the risks to your
of 10
!usiness and implementing treatments where appropriate ?our review
of the risks should involve asking 3uestions such as/
@ow am I managing my risks>
Are the treatment strategies effective>
Are the risk levels appropriate>
Are there any new risks and what are the implications for the
!usiness>
?our risk management plan is therefore always !eing updated
7hen am I re3uired to complete a Risk Management 4lan>
?our own Agency or Department will set guidelines as to when you are
re3uired to complete a Risk Management 4lan @owever, risk
assessment is usually a precursor to strategic and !usiness planning,
ma$or procurement, pro$ects and change programs Risk Management is
therefore an integral component of all daily !usiness activities
*hould I use the templates provided with this Guide>
The templates provide a consistent approach to the identification of risks
and their treatments within the ACT Government enterprise = wide risk
management framework and are in accordance with A*'()* +,-./0..+
7hat do I need to document>
It is important to keep on file all documentation that captures your
workgroup%s most important ideas and insights regarding key risk when
undertaking a risk assessment, monitoring the risks and treatments
Records of options and decisions also need to !e maintained This
documentation demonstrates the reasoning !ehind decisions and is
essential for audit and review purposes
7hat a!out 5raud and Integrity risks>
5raud and integrity risks are to !e considered as part of the overall Risk
Management process as they form a su!set of each agency%s !usiness
risks ?ou should follow the same methodology used to assess any other
kind of risk
5raud risks should also !e considered in the risk management plans that
are prepared for specific activities, programmes, procurements and
contracts
( of 10
5or further information on 5raud A Integrity risks please contact/
Mr 4eter Ro!erts,
*pecialist Adviser,
Industrial Relations and 4u!lic *ector Management Group,
Chief Ministers Department
4hone/ -0.B CB.-
7ho can I ask for further information and advice>
If you need general advice a!out risk management 1including the
materials provided2, or re3uire risk management training, please contact
the ACT Insurance Authority/
*enior Risk Manager 4eter @eal -0.B.,.0
Risk Manager David Ross -0.B.0--
7e!site/ http/''wwwtreasuryactgovau'actia
9seful References
*tandards Australia *AA'()* @6 <+,/ 0..+, *ui&elines fo managing
is% in the Austalian an& Ne+ Zealan& public secto
*tandards Australia *AA'()* @6 00</0..,, ,usiness -ontinuity
.anagement
*tandards Australia 1risk management portal2 This site includes
details a!out the purchase of electronic and hard copies of their
pu!lications and products
9seful *ites
The ACT Insurance Authority we!site provides up to date information
for ACT Government Agencies and Departments on Insurance and
Risk Management
http/''wwwtreasuryactgovau'actia
The ACT Treasury 4u!lic Dia!ility Insurance Risk Advisory we!site
This we!site provides advice to ACT community and small
!usinesses on risk management and pu!lic lia!ility issues The site
also includes a :downloada!le% risk management plan and an :on#
line% risk profile calculator
http/''wwwinsuranceriskadviceactgovau'
ACT 7orkcover
http/''wwwworkcoveractgovau
Comcare # The workers compensation insurer for the Territory
http/''wwwcomcaregovau'
The Australasian Institute of Risk Management
http/''wwwairmorgau'
, of 10
The Association of Risk and Insurance Managers of Australia
http/''wwwarimacomau'
The Insurance Council of Australia
http/''wwwicacomau'
*tandards Australia Risk Management 4ortal
wwwstandardscomau
Risk Management Canada # Treasury 6oard of Canada *ecretariat
http/''wwwt!s#sctgcca'rm#gr'home#accueilasp>DanguageE"(
Risk Management 9nited Fingdom Treasury Risk 4ortal
http/''wwwhm#
treasurygovuk'documents'pu!licGspendingGandGservices'risk'pss
GriskGportalcfm
10 of 10