appendix d risk management procedure template

Upload: andi-yanuar

Post on 02-Jun-2018


8/10/2019 Appendix d Risk Management Procedure Template

APPENDIX D:

Risk Management Procedure Template


    248615841. DO

Introduction

The role of this risk management procedure is to provide staff with guidance in how to apply consistent and comprehensive risk management. This procedure provides information on how to identify, analyse, evaluate and treat risks.

In addition, it identifies other key activities needed for an effective risk management approach. The risk management process contained in this procedure aligns with the Australian Standard for Risk Management (AS/NZS ISO 31000:2009).

Risk is the chance of something happening that will have an impact on objectives. It is important that we manage risks in order that the negative impact of risks upon achievement of our objectives is minimised and our ability to realise potential opportunities is maximised.

Set out below is a diagram illustrating how this procedure interacts with other key risk management documents:

Definitions

Risk Management is the culture, processes and structures that are directed towards realising potential


Objectives of Risk Management

Risk management is a responsibility of all, with specific risk responsibilities being allocated to different groups and levels within the organisation. It is important to have complete and current risk information available, as this information assists the ______ to make more informed decisions around both strategic direction and operational objectives.

Risk management is not a stand-alone discipline but requires integration with existing business processes such as business planning and Internal Audit, in order to provide us with the greatest benefits.

The objectives of a risk management framework are to:

- Provide a systematic approach to the early identification and management of risks;
- Provide consistent risk assessment criteria;
- Make available accurate and concise risk information that informs decision making, including business direction;
- Adopt risk treatment strategies that are cost effective and efficient in reducing risk to an acceptable level; and
- Monitor and review risk levels to ensure that risk exposure remains within an acceptable level.

Benefits of Risk Management

Risk management will support us in being able to meet our values and deliver upon our


Roles and responsibilities

An organisation's ability to conduct effective risk management is dependent upon having an appropriate risk governance structure and well-defined roles and responsibilities.

It is important for everyone to be aware of his or her individual and collective risk management responsibilities. In order for risks to be effectively managed, it is essential to have people behaving in a way that is consistent with the organisation's approved approach.

This indicates that risk management is not merely about having a well-defined process but also about effecting the behavioural change necessary for risk management to be embedded in all organisational activities.

Set out below is the risk management governance structure. This structure illustrates that risk management is not the sole responsibility of one individual but rather occurs and is supported at all organisational levels.

Risk Management Governance Structure

[Diagram: Risk Committee; Board - provides oversight and review]


Provide a high level description of the roles of the various people or groups involved in the risk governance structure. This will be expanded in the procedures.

Board: Indicate the detailed responsibilities of the Board (if applicable).

Committee: Indicate the detailed responsibilities of the relevant committee (if applicable).

Chief Executive Officer: Indicate the detailed responsibilities of the relevant CEO or relevant position (if applicable).

Risk Committee: Indicate the detailed responsibilities of the relevant internal risk committee or relevant group / forum (if applicable).


Relationship with other processes

Risk management is not a stand-alone discipline. In order to maximise risk management benefits and opportunities, it needs to be integrated with existing business processes.

Some of the key business processes with which risk alignment is necessary are:

Internal Audit - Internal Audit reviews the effectiveness of controls. Alignment between the Internal Audit function and that of the controls within the Risk Management process is critical, and the role of Risk & Compliance Manager will seek to align these core processes.

Business Planning including budget - Identifying risk during the business planning process allows us to set realistic delivery timelines for strategies/activities, or to choose to remove a strategy/activity if the associated risks are too high or unmanageable. The impact of changing risk levels over the year can then be mapped to the relevant objective, enabling us to conduct more timely


Key Process Steps

Risk management is a continual process that involves the following key steps:

- Communicate and consult
- Establish the context
- Identify risks
- Analyse risks
- Evaluate risks
- Treat risks
- Monitor and review

It is important to follow this process when conducting risk management, as this ensures that the approach to risk management is both comprehensive and consistent.

This process is formally conducted across the entire organisation on an annual basis. This occurs in conjunction with the corporate and business planning process and involves the review and update of risk profiles for the enterprise as a whole, and includes a review for each individual division. This illustrates a "top-down" and a


Process Step | Overview

One: Communicate and Consult

Communication and consultation with internal and external stakeholders is important throughout the risk management process to ensure the organisation has a comprehensive picture of the risks we face.

External communication and consultation is targeted at informing external stakeholders of:

- The organisation's risk management approach
- The effectiveness of our risk management approach
- Requesting feedback where appropriate

Risk management is a key governance and management function, to which external stakeholders, including Government and industry, are paying increased attention. Satisfying these stakeholders that we use appropriate risk management practices will influence their perception of the organisation.

Internal communication and consultation is aimed at informing internal stakeholders of:

- The risk management process
- Seeking feedback in relation to the process
- Key risks and their responsibilities relating to management of these


Two: Establish the Context

This means considering:

1. The external context

Building an understanding of our external stakeholders and hence the extent to which this external environment will impact on our ability to achieve corporate objectives: the Business, Social, Regulatory, Cultural, Competitive, Financial and Political Environments in which we operate.

It also involves considering our strengths, weaknesses, opportunities and threats.

2. The internal context

This is aimed at understanding organisational elements and the way they interact, such as: culture, internal stakeholders, structure, capabilities (in terms of resources such as people, systems, processes and capital), goals and objectives and the strategies in place to achieve these.

3. The risk management context

The goals, objectives, strategies, scope and parameters for the risk management process itself must also be considered.

Note: The "Establish the Context" part of the risk management process will only need to be repeated when there are significant changes to either our external environment or business operations.


Three: Identify Risks

Risk identification is a key step in the risk management process to ensure a complete list of risks is identified.

Risks can be identified using various tools and techniques including:

Part of risk identification also involves identifying risks that may arise "over the horizon". Some examples of possible considerations could include:

- Worldwide events
- Rising public expectations re public sector entities
- Changing public attitudes towards Government

Identifying all risk elements provides a better understanding of the risk and assists when considering current controls and identifying further treatment actions. It also reduces risk duplication and minimises confusion as to risk meaning.


Four: Analyse Risks

Once a risk is identified, it is important to adequately describe it. The components of a comprehensive risk description are:

- Event, e.g. High staff turnover;
- Cause, e.g. Staff job dissatisfaction; and
- Impact, i.e. Inability to achieve strategic objectives.

Risk analysis involves:

- Identifying controls currently in place to manage the risk by either reducing the consequence or likelihood of the risk;
- Assessing the effectiveness of current controls;
- Identifying the likelihood of the risk occurring; and
- Identifying the potential consequence or impact that would result if the risk was to occur.

When evaluating the effectiveness of current controls, the factors to consider include consistency of application, understanding of control content and documentation of controls where appropriate. Controls are aimed at bringing the risk within an acceptable level. The evaluation of current controls can occur through several different processes including:

- Control self assessment;
- Internal Audit reviewing the effectiveness of controls; and
- External Audit reviewing the effectiveness of controls.

The consequence and likelihood ratings, as identified after consideration of current controls, are combined to determine the overall risk level.


Five: Evaluate Risks

Risk evaluation involves considering the risk's overall risk level. This allows determination of whether further risk treatment actions are required to bring the risk within an acceptable level. The output of the risk evaluation phase is a prioritised list of risks.

There may be times when the action required will differ from that identified above; however, where this is the case, the Chief Executive Officer must approve deviation from the above action.
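The Analyse and Evaluate steps combine a likelihood rating and a consequence rating into an overall risk level, then rank the register and flag the risks that sit above tolerance and so need further treatment. The Python model below is an added example and not part of the template: the 5x5 likelihood-by-consequence matrix, the tolerance level and the sample register entries are all assumptions, since the template leaves its rating tables and thresholds blank for the adopting organisation to fill in.

```python
from dataclasses import dataclass

# Rating descriptors, lowest to highest, as used in the template's Risk Profile matrix.
LIKELIHOOD = ["Remote", "Unlikely", "Possible", "Likely", "Almost Certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Extreme"]
# Overall risk levels, lowest to highest, as used in the template's escalation table.
LEVELS = ["Low", "Medium", "Significant", "High"]

# ASSUMPTION: the template leaves the mapping from ratings to overall level blank
# for each organisation to fill in; this matrix is constructed for the example.
# Rows follow LIKELIHOOD, columns follow CONSEQUENCE.
MATRIX = [
    # Insignificant  Minor          Moderate       Major          Extreme
    ["Low",          "Low",         "Medium",      "Significant", "Significant"],  # Remote
    ["Low",          "Medium",      "Medium",      "Significant", "High"],         # Unlikely
    ["Low",          "Medium",      "Significant", "High",        "High"],         # Possible
    ["Medium",       "Significant", "Significant", "High",        "High"],         # Likely
    ["Medium",       "Significant", "High",        "High",        "High"],         # Almost Certain
]


@dataclass(frozen=True)
class Risk:
    """One register entry; ratings are those assessed after current controls."""
    ref: int
    description: str
    likelihood: str
    consequence: str


def risk_level(likelihood: str, consequence: str) -> str:
    """Analyse step: combine the two ratings into the overall risk level."""
    return MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]


def evaluate(risks, tolerance: str = "Medium"):
    """Evaluate step: return (ref, level, treatment_required) tuples ordered
    highest level first (ties broken by consequence, then ref).  A risk needs
    further treatment when its level sits above the tolerance level."""
    def rank_key(r):
        level = risk_level(r.likelihood, r.consequence)
        return (-LEVELS.index(level), -CONSEQUENCE.index(r.consequence), r.ref)

    limit = LEVELS.index(tolerance)
    result = []
    for r in sorted(risks, key=rank_key):
        level = risk_level(r.likelihood, r.consequence)
        result.append((r.ref, level, LEVELS.index(level) > limit))
    return result


def risk_profile(risks):
    """Lay the register out as the template's Risk Profile matrix: a dict from
    (likelihood, consequence) cell to the sorted refs placed in that cell."""
    grid = {}
    for r in risks:
        grid.setdefault((r.likelihood, r.consequence), []).append(r.ref)
    return {cell: sorted(refs) for cell, refs in grid.items()}


# Constructed sample register for the example (not taken from the template).
SAMPLE_REGISTER = [
    Risk(1, "Unplanned outage of the core payments system", "Possible", "Major"),
    Risk(2, "Loss of key finance staff", "Likely", "Moderate"),
    Risk(3, "Regulatory reporting deadline missed", "Unlikely", "Major"),
    Risk(4, "Data-entry errors in timesheets", "Almost Certain", "Insignificant"),
    Risk(5, "Insolvency of a sole-source supplier", "Remote", "Extreme"),
]

if __name__ == "__main__":
    for ref, level, treat in evaluate(SAMPLE_REGISTER):
        print(f"ref {ref}: {level:<12} treatment required: {treat}")
    for cell, refs in sorted(risk_profile(SAMPLE_REGISTER).items()):
        print(f"{cell[0]} / {cell[1]}: {refs}")
```

The ordering inside a level uses consequence before likelihood, so a remote but extreme event ranks above a likely but moderate one; an organisation whose rating tables weight likelihood more heavily would change the matrix and the tie-break, not the procedure.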


Six: Treat Risks

Risk treatment involves examining possible treatment options to determine the most appropriate action for managing a risk. Treatment actions are required where the current controls are not managing the risk within defined tolerance levels. Treatment options could involve improving existing controls and implementing additional controls.

Possible risk treatment options include:

- Avoid the risk - change business process or objective so as to avoid the risk;
- Change the likelihood - undertake actions aimed at reducing the cause of the risk;
- Change the consequence - undertake actions aimed at reducing the impact of the risk;
- Share/transfer the risk - transfer ownership and liability to a third party; and
- Retain the risk - accept the impact of the risk.

When determining the preferred treatment option, consideration should be given to the cost of the treatment as compared to the likely risk reduction that will result (cost benefit analysis). On selecting the preferred treatment option, the following should occur:

- The cost of any actions should be incorporated into the relevant budget planning process;
- A responsible person should be identified for delivery of the action, with this expectation being communicated to them;
- A realistic due date should be set; and
- Performance measures should be determined.


Seven: Monitor and Review

Risk information requires regular monitoring and review to ensure currency. The environment in which we operate is constantly changing, and so therefore are our risks. If risk information is inaccurate, we may make poor decisions that could otherwise have been avoided. Therefore Risk Owners and Risk Treatment Owners have key risk and control review and update responsibilities to ensure continued currency of information pertaining to their particular risks. In addition, on an annual basis, the entire risk register will be reviewed, with review participation being broader than solely Risk Owners and Risk Treatment Owners.

It is also important for the effectiveness of the risk management framework to be monitored and reviewed. This framework drives the extent to which risks will be adequately managed throughout the organisation. Monitoring implementation of the Risk Management Strategy is one available monitoring mechanism.

In addition, the risk management framework itself will be reviewed annually, with results being reported to the ARC and the Board. As risk management developments are constantly occurring, this review mechanism will provide us with information on current risk management developments, facilitating us making continuous risk management improvements.


    Risk Reporting

Set out below is a diagram illustrating how the risk management reporting process fits into the overall risk management framework.

Risk management reporting is a key element of the 'Monitor and Review' phase of the risk management process, and needs to occur at each step of the process. This risk management reporting process supports a formalised, structured and comprehensive approach by ______ to the monitoring and review of its risks, thereby enhancing its risk management process.

[Diagram: Corporate Plan 2007-2010; Business Plan 2007-2008; Risk Policy; Risk Management Process; Risk Tools; Risk Management Reporting Framework; Risk Strategy 2007-2008]

Risk Management Reporting Responsibilities

Group | Responsibilities
Board | Review reports; Communicate risk information issues back to the organisation; Identify new and emerging risks
Audit and Risk Committee | Review reports; Communicate risk information issues back to the organisation; Communicate key risk issues to the Board; Identify new and emerging risks
CEO | Review reports; Closely monitor extreme risks; Identify new and emerging risks

Risk Escalation

Risk escalation is an important tool for ensuring that risks are known and understood by the people with the authority to appropriately manage them. If a risk poses an extreme risk and requires allocation of substantial risk treatment resources, then it would not be appropriate for this to be managed at the divisional level. The Board has overall accountability for managing risks and therefore, where a risk poses such a high threat, the Board should be immediately informed of it.

Everyone has the ability to identify risks at any time of the year. When these risks are identified outside of the formal annual risk review process, escalation of the risk to the appropriate recipient needs to occur. The table set out below indicates the appropriate escalation process. The ______ will act as the conduit between the person who has identified the risk and the relevant escalation recipient. Therefore if you identify a risk which requires escalation please report it directly to the ______.

The ______ will assess and review the risk information provided to them and escalate the risk in line with the requirements set out in the below table.

Risk Level | Escalation Recipient | Timing
High | |
Significant | |
Medium | |
Low | |

Risk Reports and Recipients


Review and Approval

The Risk Management Reporting Framework and report templates will be reviewed annually by the ______ and approved at least every ______ by the ______.

Access to Risk Management Reporting Framework

The Risk Management Reporting Framework will be made available to each employee of ______.

The Risk Management Reporting Framework will be available as follows:

References

For further information on risk management, the following documents provide a comprehensive and practical overview:

- AS/NZS ISO 31000:2009 - Risk management - Principles and guidelines
- ISO Guide 73:2009 - Risk management - Vocabulary
- IEC/ISO 31010:2009 - Risk Management - Risk assessment techniques
- HB 327:2010 - Communicating and consulting about risk


Appendix: Risk Control, Likelihood and Consequence Rating

The following were endorsed by the ______ in ______ for ______. These will be subject to review in ______.

Control Effectiveness Rating Criteria

Rating | Definition | Indicators

Likelihood Rating Criteria

Rating | Descriptor | Frequency | Description

Consequence Rating Scale

Rating | Description: Financial | Service Quality | Reputation | People & Knowledge | Stakeholders | Compliance

Key Risks Report indicates which risks have been covered by assurance activities in the previous year and which are proposed to be covered over the coming


    ,L H*G L* D(6

Risk Management Annual Activity Schedule and Improvement Initiatives

Purpose: The Risk Management Improvement Initiatives Report tracks progress against the risk management improvement initiatives approved to be implemented over the coming year. It provides assurance around the continual improvement of the risk management processes and practices.

Information included:
- Description of the initiative;
- Description of the risk management activity;
- Person(s) responsible;
- Date for completion;
- Status (e.g. in progress, completed); and
- Additional comments (e.g. specific detail around the status).

New and Emerging Risks

Purpose: The New and Emerging Risks Report provides an opportunity to highlight emerging risks or add new risks to the risk register throughout the year. It is important to retain the risk register currency outside of the formal annual risk review process. Personnel from within the organisation would


Information included:
- Risk description;
- Risk category;
- Risk owner;
- Shared responsibility;
- Description of the cause / contributing factors;
- Description of the impact;
- Description of current controls; and
- Description of risk treatment information including action, responsible person, due date and status.


Templates / Examples

Risk Profile

Likelihood (rows) by Consequence (columns: Insignificant, Minor, Moderate, Major, Extreme); cell entries are risk refs
Almost Certain | 4
Likely | 2, 3
Possible | 1, 15, 9, 5, 10
Unlikely | 8, 13, 12, 7
Remote | 17, 11

Rank | Ref | Risk Category | Risk Description | Rating | Trend | Reason for Change | Improvement Required? | Improvement Status
1 | 4 | | | High | | <reason for change> | Yes |
2 | | | | High | | <reason for change> | Yes |
3 | 9 | | | Significant | | <reason for change> | Yes |
4 | 5 | | | Significant | | <reason for change> | Yes |
5 | 10 | | | Significant | | <reason for change> | No |

PAGE 1 OF 3


Rank | Ref | Risk Category | Risk Description | Rating | Trend | Reason for Change | Improvement Required? | Improvement Status
6 | 12 | | | Significant | | <reason for change> | No |
7 | 7 | | | Significant | | <reason for change> | Yes |
8 | 2 | | | Significant | | <reason for change> | Yes |
9 | 3 | | | Significant | | <reason for change> | Yes |
10 | 13 | | | Medium | | <reason for change> | Yes |
11 | 1 | | | Medium | | <reason for change> | No |
12 | 11 | | | Low | | <reason for change> | Yes |
13 | 8 | | | Low | | <reason for change> | No |
14 | 17 | | | Low | | <reason for change> | No |
15 | 15 | | | Medium | | <reason for change> | Yes |

Key: Risks in red are new/emerging risks. Rows highlighted contain opportunities.

Improvement Status legend: Completed; In Progress; Overdue; Not Applicable

PAGE 2 OF 3


Risk Treatment Actions Status - Detailed

Ref | Risk Description | Rating | Treatment Actions | Due Date | Responsible Person | Status | Comments
4 | | High | 1 | <date> | <person responsible> | In progress | 95% complete (example)
  | | | 2 | <date> | <person responsible> | Completed |
  | | | 3 | <date> | <person responsible> | In progress |
  | | | 7 | <date> | <person responsible> | Completed |
9 | | Significant | 1 | <date> | <person responsible> | In progress |
  | | | 2 | <date> | <person responsible> | In progress |
  | | | 3 | <date> | <person responsible> | Completed |
  | | | 7 | <date> | <person responsible> | In progress |

Status legend: Completed; In Progress; Overdue


Assurance Coverage of Key Risks

Rank | Risk Description | Control / Treatment | Risk Rating | Trend | Assurance Activities Previous Year (i.e. internal audit, external audit) | Assurance Activities Next Year (i.e. internal audit, external audit)
1 | | | High | | None | Internal Audit
9 | | | Significant | | None | Internal Audit
5 | | | Significant | | None | Internal Audit
6 | | | Significant | | Internal Audit | External Audit
4 | | | Significant | | Internal Audit | None
8 | | | Significant | | Internal Audit | None


Risk Management Annual Activity Schedule and Improvement Initiatives

Improvement Initiative | Action | Responsible Person | Due date | Achieved | Comments


New and Emerging Threats and Opportunities

Title | Risk Assessment Completed By
Category | Date Assessed

Identify Risks | Analyse Risks | Evaluate | Action
Risk Description / Impact | Cause | Existing Controls | Control Assessment | Risk Assessment (Consequence, Likelihood, Risk Rating) | Treat Risk? (Avoid Risk / Accept Risk / Reduce Risk / Transfer Risk / Increase Risk)

Detailed Risk Register


Title | Risk Assessment Completed By
Category | Date Assessed

Identify Risks | Analyse Risks | Evaluate | Action | Treat Risks | Monitor & Review
Risk Description / Impact | Cause | Existing Controls | Control Assessment | Risk Assessment (Consequence, Likelihood, Risk Rating) | Treat Risk? (Avoid Risk / Accept Risk / Reduce Risk / Transfer Risk / Increase Risk) | Risk Owner | Preferred Risk Treatment & Objective | Insurance | KRI / KCI | Risk Treatment / Action Plan | Accountabilities | Timelines | Risk Rating | Review / Monitor | Insurance Status | Measurement and monitoring | Insurable? Insured?