Risk Management Guideline
The process for managing departmental and business area risk
Version no.: 1.1 Reference no.: HREAS:GU:2013:001
Policy owner: Principal Consultant, Risk management Pages: 28
Effective date: April 2013 Review date: April 2015
Security classification: Unclassified Uncontrolled when printed
Risk Management Document Suite
Corporate Assurance and Risk Management
Page 2 of 28
Table of contents
Introduction 3
Purpose 3
What is risk? 3
Types of risk 4
The risk management process 4
Step 1: Communication and Consultation 5
Step 2: Establish the Context 6
Step 3: Risk assessment – Identify risk 8
Step 4: Risk assessment – Analyse risk 10
Step 5: Risk assessment – Evaluate risk 12
Step 6: Treat risk 14
Appendix A Risk identification techniques 17
Appendix B Risk cause categories 18
Appendix C DSITIA risk assessment matrix 20
Appendix D DSITIA risk rating responses 21
Appendix E Risk controls and treatments 22
Appendix F Fraud and corruption risk assessment 23
Appendix G Glossary 26
References 28
DSITIA risk management guideline
Page 3 of 28
Introduction
Risk needs to be considered and addressed by everyone. Risk management is critical to the
department’s planning, management and decision-making processes. Effective risk management
will support the achievement of the department’s objectives, help improve service delivery,
accountability and decision-making, and contribute to the personal well-being of employees. This
Risk Management Guideline should be read in conjunction with the DSITIA Risk Management
Policy and the DSITIA Risk Management Framework.
Purpose
This guideline describes best practice for identifying, assessing, treating and monitoring risks
based on the approach outlined in the DSITIA Risk Management Framework.
What is risk?
As defined in the AS/NZS ISO 31000:2009 Risk Management - Principles and Guidelines, risk is
the effect of uncertainty on objectives. Risk is only present if there is an element of uncertainty
surrounding it. If something is going to happen for certain then there is no risk. Figure 1 shows the
key risk components and how they link with the internal control environment (preventative,
detective and corrective controls).
Figure 1: Key components of a risk
Types of risk
The DSITIA risk governance model defines four types of risk.
Strategic risks are the high level, long-term risks of most concern to the Board of Management
and senior executive and will likely have a material impact on the department’s ability to achieve its
strategic objectives.
Departmental risks take a horizontal view of risk across the department and predominantly relate
to corporate services that support the department’s service delivery objectives, e.g. finance,
procurement, people, audit, information management and technology.
Business area risks are operational risks that relate to the business area’s purpose, objectives
and operations.
Program and project risks are those risks likely to have an impact on a project team's ability to
complete a project or program.
The risk management process
The department’s risk management process provides a systematic approach to identifying, assessing and treating risks. The department has adopted the seven-step process outlined in AS/NZS ISO 31000:2009 Risk Management - Principles and Guidelines depicted in Figure 2.
Figure 2: AS/NZS ISO 31000 risk management process
Step 1: Communication and Consultation
What is the purpose of this step?
Communication, consultation and regular feedback must take place at all stages of the risk management process. Effective communication and consultation throughout the process will ensure that those involved in managing risk, including affected stakeholders, are aware of, and understand why, particular actions are necessary.
It is important to identify all stakeholders who should be involved in the risk management activity
prior to the risk assessment being undertaken because this will assist in:
bringing together different areas of expertise for identifying and analysing risk
ensuring that different views are appropriately considered in evaluating risks
ensuring risks are adequately identified
securing endorsement and support for treatment plans.
How do we do it?
It is important that risk management communication and consultation is undertaken using existing
management communication and decision-making processes within the department or business
area.
The key stakeholders should be consistent for both business planning and business risk
management, to ensure that the two functions are integrated. Business areas should identify if
there are additional stakeholders who will be required to participate in the business risk
management process, and if so, should ensure these stakeholders are included in the planning
and risk process.
Step 2: Establish the Context
What is the purpose of this step?
The purpose of this phase is to define the parameters within which risks will be managed and to set the scope for the rest of the process. This phase is concerned with developing an understanding of the internal and external context within which the department or business area operates and the factors that may influence the achievement of objectives.
How do we do it?
Corporate Assurance and Risk Management (CARM) has established the context for DSITIA risk management in the departmental policy and framework, as set out in Queensland Treasury: a guide to risk management. By considering the external and internal environment in which DSITIA operates, CARM has established:
the DSITIA risk appetite / risk tolerance levels
the DSITIA risk assessment matrix (including risk consequence definitions and risk responses)
the DSITIA roles and responsibilities for risk management.
These elements also need to be established by each individual business area after taking into
account the internal and external environment in which the business area operates.
Understand the internal and external environment
Understanding the external and internal environment is part of a broader scanning activity and provides the platform for building strategic, business and operational objectives and understanding how we operate.
The strategic plan defines the purpose and vision of the department, its strategic objectives and
strategies and the environment the department is operating in. It is important to understand the
internal and external environment as this influences the risks the department or business area has
in relation to achieving its purpose and objectives. In addition to the information in the Strategic
Plan, business areas should ensure they have a good understanding of the external and internal
environments they are operating in.
Internal environment (1):
Strategy: the plan devised to maintain and build competitive advantage over the competition.
Structure: the way the organisation is structured and who reports to whom.
Systems: the daily activities and procedures that staff members engage in to get the job done.
Shared Values: the core values of the organisation evidenced in the corporate culture and the general work ethic.
Style: the style of leadership adopted.
Staff: the employees and their general capabilities.
Skills: the actual skills and competencies of the employees working for the organisation.
External environment (2):
Political
Economic & financial
Socio-cultural
Technological
Legal & regulatory
Environmental
Key drivers impacting the organisation
Relationships with, perceptions and values of key external stakeholders.
1 The McKinsey 7S Framework
2 PESTLE model
Risk consequence definitions
The DSITIA risk consequence definitions are defined in the DSITIA risk assessment matrix in
Appendix C. These consequence definitions are set at the departmental level; similarly, each
business area should develop their own consequence definitions for ‘severe’, ‘major’, ‘moderate’
and ‘minor’ as appropriate to their business. A ‘severe’ consequence for a business area will in
most cases be vastly different to a ‘severe’ consequence at the departmental level. Defining
consequences at both the departmental and business area levels will allow for reporting and
escalation of risks that exceed the set tolerances.
Risk assessment matrix (consequence by likelihood):
Consequence | Unlikely | Possible | Likely | Almost certain
Severe | Medium | High | Extreme | Extreme
Major | Medium | High | High | Extreme
Moderate | Low | Medium | High | High
Minor | Low | Low | Medium | Medium
Risk rating responses
Appendix D provides the departmental criteria for responding to risks once the risk rating has
been determined. This ensures that the right people are informed of the potential risk and
appropriate actions are taken according to the risk level. The risk response ratings also need to be
determined at the business area level.
Step 3: Risk assessment – Identify risk
What is the purpose of this step?
Risk identification involves identifying the possible risk events that may impact on the department or business area, what is most likely to cause these, and the consequence or impact of the event.
How do we do it?
Risk identification involves the following steps:
Identify possible risks
Categorise the risk
Determine the risk owner
Flag whether the risk relates to fraud or corruption
Identify possible risks
Identification of risk involves considering what, why, when, where and how things can happen
(including potential for fraud and corruption) and what the impact might be if it does happen. One
way of identifying risks is to hold a workshop with key stakeholders using a structured approach
designed to identify risks. Techniques that could be used are described in Appendix A.
A risk is made up of three elements – the event (what could happen), the cause/s (the possible triggers for the event) and the consequence/s (the end results of the event).
RISK = Event (what could go wrong?) + Cause (why could the event happen?) + Consequence (what is the impact of the event?)
For consistency, risks should be written using the format:
There is a risk that [something may happen] due to [these cause/s] resulting in [these
consequence/s].
An example is:
There is a risk that the petty cash could be stolen due to lack of security resulting in financial loss.
Categorise the risk
The risk category enables reporting to the individuals or governance committees who have the
power to perform actions and make decisions to affect the risk rating. Each risk should be allocated
to the risk category which represents the main cause of the risk (refer to Appendix B). The risk
category can also be used to analyse the risks within the register to:
identify common risk themes
check for patterns across business areas
trace back to primary root causes of the risks
better identify cause and effect relationships
identify extreme and high level risks that should be brought to the attention of the relevant governance committees or the Board of Management.
Determine the risk owner
Once the risk has been identified, a single risk owner must be nominated. The risk owner is a
position title (not a person’s name) and is the position that has the authority to manage a particular
risk and has the accountability and authority to deploy and assign resources to manage the risk.
The risk owner must:
ensure accurate and complete risk information is recorded in the risk register
ensure risk is managed to an acceptable level (target level)
ensure risk is regularly reviewed and reported.
The risk owner is not the treatment owner (the person responsible for managing a specific risk
treatment action), although they may be assigned specific risk treatment actions. A risk may have
multiple treatments and therefore multiple treatment owners. The treatment owners are responsible
to report to the risk owner about the action/s they are performing to treat the risk.
Flag whether the risk relates to fraud or corruption
Where the risk relates to a potential for fraud and corruption, this will be flagged within the risk
register to allow all fraud and corruption risks to be identified, reported and monitored.
When performing a specific risk assessment for fraud and corruption risks, refer to Appendix F.
Step 4: Risk assessment – Analyse risk
What is the purpose of this step?
Risk analysis is about developing an understanding of the risk in order to determine the level of risk and make decisions about how the risk should be treated.
The purpose of risk analysis is to determine the risk level or risk rating (refer to Appendix C). It
involves developing an understanding of each risk, its consequences and the likelihood of the risk
occurring. The risk analysis will inform the evaluation of risks, whether risks need to be treated and
the selection of the most appropriate risk treatment strategy.
How do we do it?
Risk analysis involves:
identify the controls that are already in place (existing controls)
determine the likelihood of the risk occurring (refer Appendix C)
determine the consequence of the risk occurring (refer Appendix C)
calculate the risk rating (likelihood x consequence) (refer Appendix C).
Identify existing controls
Controls are typically the department’s policies, strategies and procedures and should effectively modify the risk level by either reducing the consequence of the risk, should it occur, or the likelihood of the risk occurring. Treatments are then added (in step 5 – Evaluate risk) where it is perceived that the existing controls do not maintain the risk at an acceptable level. The current risk likelihood, consequence and risk rating are initially determined once existing controls have been taken into account.
To identify existing controls, think about the controls that are currently in place that are in some
way already reducing the overall risk. This could include controls or strategies that may not be set
up to address this risk specifically but still influence the likelihood and/or consequence of the risk
occurring. If a policy, program, project, initiative or action has been developed then it is treated as
an existing control if it is implemented and effective (refer Appendix E for additional detail).
Note: Many risk management methodologies refer to ‘inherent risk’ and ‘residual risk’. ‘Inherent
risk’ is defined as the initial risk level prior to any controls being considered and does not change
during the life of the risk. ‘Current risk’ (commonly known as ‘residual risk’) is the risk remaining
once any existing controls have been taken into account, and this measure is dynamic because it
changes as treatments are implemented, or controls are removed or deemed ineffective. Inherent
risk is less relevant for entities with an established operating environment and some degree of pre-
existing internal controls, and has therefore been omitted from the DSITIA risk management
framework as it is considered that all risks will have some form of existing control and to avoid
confusion surrounding the term ‘inherent risk’.
CONTROL: an existing mechanism that is modifying the risk
TREATMENT: an additional mechanism required to further modify the risk
Consider whether the following types of controls exist:
Type of control | Definition | Examples
Preventative controls | controls that manage the causes of the risk to decrease the likelihood of the risk occurring (or increase it in the case of an opportunity) | training programs; contract conditions; processes and operating procedures; security
Detective controls | controls that produce evidence that preventative controls are functioning, or identify events after they have occurred | audit and compliance programs; reviews; reconciliations
Corrective controls | controls that decrease the extent of the consequence once it has occurred (or increase it in the case of an opportunity) | business continuity plan; disaster recovery plan; crisis plan; insurance
Determine the likelihood of the risk occurring
Determining the likelihood of a risk eventuating is a subjective consideration. When determining
the likelihood of the risk, the risk owner should consider:
existing controls and how effective they are at mitigating the risk
past records and experience
any results of research or consultation.
The DSITIA risk assessment matrix (refer to Appendix C) defines the likelihood of the risk
occurring, based on the information available at the time of assessment, as either ‘unlikely’,
‘possible’, ‘likely’ or ‘almost certain’.
Determine the consequence of the risk occurring
Determining the risk consequence is a two-step process. First, the risk owner should consider
whether the impact of the risk on the department or business area will be:
Financial
Service delivery
Reputation
People or workplace health and safety
Environmental
Second, consult the DSITIA risk assessment matrix (refer to Appendix C) and use the
consequence definitions to find the most suitable consequence level.
Calculate the Risk Rating
The risk rating is the combination of the likelihood of the risk occurring and the size of the consequence of the risk event. For DSITIA, the risk rating can either be ‘low’, ‘medium’, ‘high’ or ‘extreme’ (refer to Appendix C). The risk rating determines how to treat a risk as well as any requirement for reporting or escalation.
Step 5: Risk assessment – Evaluate risk
What is the purpose of this step?
The purpose of risk evaluation is to make decisions, based on the outcomes of risk analysis, about which risks are acceptable, which risks need treatment and the treatment priorities. The highest priority should be given to those risks that are evaluated as being the least acceptable. To treat unacceptable risks, we may improve existing controls or develop and implement new controls.
How do we do it?
The risk evaluation stage involves the following key steps:
determine treatment actions using risk rating responses
determine the risk target
determine the treatment decision
Determine treatment actions using risk rating responses
The risk rating of ‘extreme’, ‘high’, ‘medium’ or ‘low’ calculated during analysis of the risk will
determine the required response. The risk rating responses can be found in Appendix D.
Determine the risk target
The risk target is the level of risk after treatment that is tolerable to the department or business area. Risk targets should be determined by the risk owner.
When identifying the risk target for each risk it is important to consider the following:
the risk appetite of the department or business area
the determination of the acceptable level for each risk given:
o the nature of the risk and the level of control the department or business area has over the causes of the risk
o the benefits of expending cost and effort to mitigate the risk effectively.
Determine the treatment decision
The decision about how to treat a risk is based on the relationship between the current risk rating
and the target risk rating.
Where the current risk rating is higher than the target risk rating, risk treatment actions should be undertaken to reduce the risk to the required target.
Where the current risk rating is the same or lower than the target risk rating, the risk can be accepted and monitored.
It is important that risks are treated appropriately to reduce the risk to a level that is tolerable to the
department or business area. It is also important that mitigation efforts are focussed on priority risk
areas. In some instances the risk target may be high despite the risk tolerance of the department or business area. This could occur in situations where no amount of reasonable mitigation treatment will effectively reduce the risk to a normally tolerable level.
When determining the treatment decision consider:
The causes of the risk and whether they are within the department’s or business area’s ability to manage
The effectiveness of existing detective and preventative controls to manage the causes of the risk
What resources would be required to implement treatment actions and what is the expected change in risk level?
The cost of implementing each treatment option against the benefits derived from it
The gap between the current risk rating and the risk target
The following treatment decisions are possible:
Treatment | Definition
Reduce | Apply a risk treatment that reduces either the likelihood or consequence of the risk occurring. Also known as risk mitigation or modify.
Avoid | An informed decision not to be involved in, or to withdraw from, an activity in order not to be exposed to a particular risk.
Share | The agreed distribution of risk with other parties. Legal or regulatory requirements can limit, prohibit or mandate risk sharing. Risk sharing can be carried out through insurance or other contracts. The extent to which risk is distributed can depend on the reliability and clarity of the sharing arrangements. Risk transfer is a form of risk sharing. Note: The accountability for meeting business objectives or achieving outcomes cannot be transferred.
Accept | Acceptance of the potential benefit of gain or burden of loss from a risk. The risk is monitored in case the risk rating changes, possibly resulting in the need for a different treatment strategy.
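The rating lookup described in Step 4 and the treatment decision described in Step 5 can be modelled as a small risk register. The following is an added worked example, not part of the guideline or the department's own tooling: the matrix values are the ones shown in the guideline (Step 2), while the register fields, the ranking of ratings, the helper names and the two sample risks (the petty cash example from Step 3 and a constructed ICT risk) are assumptions made for this illustration.

```python
"""Worked model of the DSITIA risk rating and treatment decision.

Added illustration; not part of the guideline. Matrix values are taken
from the guideline; field names, helper names and sample risks are
assumptions made for this example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

LIKELIHOOD = ("unlikely", "possible", "likely", "almost certain")
CONSEQUENCE = ("minor", "moderate", "major", "severe")
RATING_ORDER = ("low", "medium", "high", "extreme")  # ascending severity

# Risk assessment matrix: rows are consequence levels, columns follow LIKELIHOOD.
MATRIX = {
    "severe":   ("medium", "high",   "extreme", "extreme"),
    "major":    ("medium", "high",   "high",    "extreme"),
    "moderate": ("low",    "medium", "high",    "high"),
    "minor":    ("low",    "low",    "medium",  "medium"),
}


def risk_rating(likelihood: str, consequence: str) -> str:
    """Step 4: rating = likelihood x consequence, read from the matrix."""
    lk, cq = likelihood.lower(), consequence.lower()
    if lk not in LIKELIHOOD or cq not in CONSEQUENCE:
        raise ValueError(f"unknown likelihood/consequence: {likelihood!r}, {consequence!r}")
    return MATRIX[cq][LIKELIHOOD.index(lk)]


def rating_rank(rating: str) -> int:
    """Position of a rating on the low..extreme scale, for comparisons."""
    return RATING_ORDER.index(rating.lower())


@dataclass
class Risk:
    event: str                      # what could happen
    causes: list[str]               # why it could happen
    consequences: list[str]         # the end results
    risk_owner: str                 # a position title, never a person's name
    likelihood: str
    consequence: str
    target_rating: str              # tolerable level after treatment
    existing_controls: list[str] = field(default_factory=list)
    fraud_or_corruption: bool = False  # flagged so fraud risks can be reported together

    def statement(self) -> str:
        """Render the risk in the guideline's standard wording."""
        return (f"There is a risk that {self.event} due to "
                f"{' and '.join(self.causes)} resulting in "
                f"{' and '.join(self.consequences)}.")

    def current_rating(self) -> str:
        return risk_rating(self.likelihood, self.consequence)

    def treatment_decision(self) -> str:
        """Step 5: treat only when the current rating exceeds the target."""
        if rating_rank(self.current_rating()) > rating_rank(self.target_rating):
            return "treat"
        return "accept and monitor"

    def report_to_carm(self) -> bool:
        """Step 7: extreme and high risks go to CARM quarterly."""
        return self.current_rating() in ("extreme", "high")


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Least acceptable first: largest gap to target, then highest rating."""
    return sorted(
        risks,
        key=lambda r: (rating_rank(r.current_rating()) - rating_rank(r.target_rating),
                       rating_rank(r.current_rating())),
        reverse=True,
    )


# Sample register entries (constructed for this example).
PETTY_CASH = Risk(
    event="the petty cash could be stolen",
    causes=["lack of security"],
    consequences=["financial loss"],
    risk_owner="Manager, Finance Operations",  # assumed title
    likelihood="possible", consequence="minor", target_rating="low",
    existing_controls=["locked cash tin", "monthly reconciliation"],
    fraud_or_corruption=True,
)
ICT_OUTAGE = Risk(
    event="the grants payment system could be unavailable during the payment run",
    causes=["unpatched server software"],
    consequences=["delayed payments to recipients"],
    risk_owner="Director, ICT Services",  # assumed title
    likelihood="likely", consequence="major", target_rating="medium",
    existing_controls=["monthly patch cycle"],
)

if __name__ == "__main__":
    for r in prioritise([PETTY_CASH, ICT_OUTAGE]):
        print(f"{r.current_rating():>7} -> {r.treatment_decision():<18} "
              f"report: {r.report_to_carm()}  {r.statement()}")
```

Running the block prints the ICT risk first (rated high against a medium target, so it is treated and reported) and the petty cash risk second (rated low against a low target, so it is accepted and monitored). Ratings are only ever derived from the matrix, which keeps the register consistent with the departmental definitions rather than with whoever last edited a spreadsheet cell.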
Step 6: Treat risk
What is the purpose of this step?
The purpose of the risk treatment step is to ensure that risks considered to be unacceptable are treated appropriately to reduce the risk to an acceptable level. This is achieved through the development of appropriate actions, known as a risk treatment plan.
How do we do it?
The DSITIA risk rating responses table (refer to Appendix D) indicates the course of action
required for risks in response to their risk rating. Once it is determined that a risk level is
unacceptable and needs to be reduced, the next step is to develop the treatment plan.
Treating risks involves selecting one or more options to reduce the likelihood and/or the
consequence. Treatments could also include the redesign and re-implementation of existing
controls that are currently deemed to be ineffective. Some risk is unavoidable and it is not within
the ability of the department or business area to completely manage all risks to a level
commensurate to the risk appetite of the department or business area. For example, agencies
have limited control over risks associated with terrorist activity or natural disasters. In these
instances, the only action that can be taken by the agency is the preparation of contingency plans
for business continuity. A business continuity plan should include appropriate crisis management
plans that can be activated as required and these plans should be tested periodically to ensure
their effectiveness.
Consider the following when planning for the most appropriate treatment of a risk:
1. Attempt to reduce the likelihood of the risk occurring by treating the cause/s of the risk
2. If the cause/s are not able to be treated, or their implementation still causes the risk rating to
remain at an unacceptable level, treat the level or size of the consequence by putting in place a
contingency plan
3. Balancing the costs and efforts of treatment against the benefits derived
4. Be aware of the possible introduction of new or secondary risks as a result of implementing
treatments.
Fraud Controls
The department has adopted the Crime and Misconduct Commission’s 10 point best practice fraud control model. Point 2 requires that fraud and corruption risk assessments are conducted on a regular basis. The fraud risk should not be looked at in isolation from the general business of the department, and may be integrated with business risk assessments, particularly as there is considerable overlap between business risk, audit risk, security risk and fraud risk.
For fraud and corruption-related risks the risk treatment is the fraud control plan. The Auditor-
General of Queensland’s Results of audits – Internal control systems report 5:2012 states that
“departments should provide specific fraud training to staff, customised to their particular fraud
risks”. Based on this recommendation, all treatment plans for fraud and corruption-related risks
should include a training component related to the specific risk.
Step 7: Monitor and Review
What is the purpose of this step?
Risks must be monitored and reviewed regularly to ensure a proactive approach to managing risks as new risks emerge and existing risks change.
The purpose of the monitor and review step is to
ensure that departmental and business area risks are effectively managed, appropriately reported,
and that the changing nature of risk is taken into account. This will ensure that risk registers are a
dynamic, current and accurate record of departmental and business area risk exposure, and that
risks are escalated to appropriate senior management when required.
How do we do it?
The Corporate Assurance and Risk Management (CARM) unit owns the departmental risk register and will request business areas to provide an update of their ‘extreme’ and ‘high’ risks on a quarterly basis for reporting to the DSITIA governance committees and Board of Management. Business areas should therefore ensure that they are vigilant in monitoring their high-level risks. Business areas should also review and update their risk registers consistent with the schedule of their own governance committee meetings.
Reviewing the risk register
At a minimum the following elements of risks should be reviewed to ensure the risk register
remains current and accurate:
Risk cause/s
o Are these still relevant?
o Are there any additional causes?
Risk consequence/s
o Has this changed from last review?
Existing controls
o Are these still in place and effective?
o Are there any additional controls?
Status and effectiveness of treatments
o Has there been any progress?
o Are the treatment actions still effective or has something changed that would mean another action may be more effective?
Consequence rating
o Has the completion of risk treatment actions or any other factor reduced the consequence of the risk or have additional causes or impacts been identified which have increased the risk?
Likelihood rating
o Has the completion of risk treatment actions or any other factor reduced the likelihood of the risk or have additional causes or impacts been identified which have increased the risk?
Additional risks
o Have any new risks emerged since the last review?
Reporting
When reporting risks consider the audience and their requirements:
Do they want to know all the risks or just the significant ones?
Do they want to know the risks under control or just the exceptions, i.e. those not responding to treatment?
Do they just want to know new risks or variances in the risk rating?
Do they want to know risks relating to a specific category?
Appendix A Risk identification techniques
Brainstorming
The term brainstorming is often used very loosely to mean any type of group discussion. However, effective facilitation is very important to the success of this technique and includes stimulation of the discussion, prompting and capture of the issues arising from the discussion.
Structured or Semi-structured interviews
In a structured interview individual interviewees are asked a set of prepared questions which encourages the interviewee to view a situation from a different perspective, and therefore identify risks from that perspective. A semi-structured interview is similar but allows more freedom for a conversation to explore issues which arise.
SWOT (Strengths, Weaknesses, Opportunities, Threats) Analysis
SWOT is a strategic planning tool used to evaluate the strengths, weaknesses (internal), opportunities and threats (external) to an organisation. It involves considering objectives and identifying the internal and external factors that are favourable and unfavourable to achieving those objectives.
PESTLE (Political, Economic, Sociocultural, Technological, Legal, Environmental) Analysis
PESTLE analysis is a technique which can be used in conjunction with a SWOT analysis. It is used to help organisations identify and understand the external environment in which they operate and how it is perceived to operate in the future in relation to Political, Economic, Sociocultural, Technological, Legal and Environmental categories.
Check lists
Check lists are lists of hazards, risks or control failures that have been developed usually from experience, either as a result of a previous risk assessment or as a result of past failures. A check list can be used to identify hazards and risks or to assess the effectiveness of controls. They can also be used at any stage of the lifecycle of a product, process or system.
Scenario Analysis
Scenario analysis is a name given to the development of descriptive models of how the future might turn out. It consists of defining a simplified model of a real system, and using the model to consider what might happen given various possible future developments. Scenario analysis may be used to anticipate how both threats and opportunities might develop and may be used for all types of risk with both short and long term time frames.
Business Impact Analysis (BIA)
The BIA provides an analysis of how key disruption risks could affect an organisation’s operations and identifies and quantifies the capabilities that would be required to manage it. The BIA is used to determine the criticality and recovery timeframes of processes and supporting resources (people, equipment, ICT) to ensure the continued achievement of objectives. It is typically used for business continuity planning. For further details on risk management techniques refer to the Standards Australia HB 89–2012 Risk Management – Guidelines on risk assessment techniques.
Appendix B Risk cause categories
Cause category | Including | Report risks to committee
Asset management | Performance of assets; Protection of assets; Potential for fraud and corruption | Finance
Budgeting & resource allocation | Budget management; Resource allocation | Finance
Change management | Departmental culture; Organisational and Government changes | People
Changing demographics | Changing demographics of the organisation or the wider community | BoM
Communications | Marketing; Publication and Web Management; Internal and External Communication; Public Affairs Management | People
Compliance with laws, regulations & policies | Compliance with whole-of-Government and departmental regulatory and legislative requirements and policies | BoM
Environmental protection | Environmental protection | BoM
Expenditure management | Financial expenditure | Finance
Financial management | Corporate Finance; Financial Strategy and Policy; Grants Management; Financial reporting | Finance
Governance | Strategic Management; Risk Management; Accountability; Legislation, Regulation and Policy; Policy development & implementation | BoM
Government priorities | Government priorities | BoM
Human resources | Workforce relations; Attraction and retention; Recruitment and selection; Staff development; Diversity; Payroll Services; HR Policy | People
ICT asset management | Performance of ICT assets; Protection of ICT assets; Potential for fraud and corruption | ISC
Industry developments | Industry developments | BoM
Information & knowledge | Information and knowledge management; Loss of information; Damage to information; Modification of information; Disclosure of information; Inaccessibility of information | ISC
Information technology | Information and communication technology; Business systems | ISC
Inventory management | Inventory management; Potential for fraud and corruption | Finance
Legal liabilities & litigation | Legal | BoM
Machinery of government changes | Machinery of government changes | BoM
Management skills | Management skills | People
Media relations | Media relations | BoM
Natural disasters | Natural disasters | BoM
Performance management | Performance Planning and Reporting | Finance
Planning & priority setting | Achieving the policy outcomes required; Effectiveness of the policy; Implementation of policy; Unintended consequences of the policy; Strategic Planning; Operational Planning | BoM
Procurement & contracting | Compliance with State Procurement Policy; Procurement capability; Procurement planning and processes; Contract management; Sourcing; Potential for fraud and corruption | Procurement
Program delivery (ICT) | Program deliverables; Implementation; Unintended consequences | ISC
Program delivery (non-ICT) | Program deliverables; Implementation; Unintended consequences | BoM
Project delivery (ICT) | Project deliverables; Implementation; Unintended consequences | ISC
Project delivery (non-ICT) | Project deliverables; Implementation; Unintended consequences | BoM
Public expectations | Public expectations | BoM
Reputation | Reputation | BoM
Revenue & cost recovery | Revenue & cost recovery | Finance
Security threats & terrorism | Security threats & terrorism | BoM
Security, privacy & confidentiality | Security, privacy & confidentiality | ISC
Stakeholder relations | Community Relationship; External Stakeholders; Client, Industry and Customer Services | BoM
Statutory reporting | Statutory reporting | BoM
Technical skills | Technical skills | People
Technology trends | Technology trends | ISC
Workplace health & safety | People; Machinery and equipment; Manual tasks / ergonomics; Facilities / built environment; Accident management | WH&S
Appendix C DSITIA risk assessment matrix

Likelihood levels
Unlikely | Occurrence is conceivable, but not expected to occur. A <30% chance of this risk eventuating.
Possible | The event may occur at some time. A 30-60% chance of this risk eventuating.
Likely | The event may occur at least once over the coming year. A 61-90% chance of this risk eventuating.
Almost certain | Can probably expect it to occur in most circumstances. A >90% chance of this risk eventuating.

Consequence levels (DSITIA consequence description)
Severe – Threatens the department’s ability to meet government priorities, deliver public value or achieve strategic objectives.
Financial – Long term impact on departmental finances. Losses not recoverable beyond the next financial budget, jeopardising critical business functionality and services. Or, exposure of >$500k to unfunded financial commitments [3].
Service Delivery – Disruption to multiple critical deliverables [4]. Causes acute and protracted problems for clients and stakeholders.
Reputation – Affects the department’s long term credibility with clients and stakeholders. Loss of public trust. Severe political consequences that incur Parliamentary enquiries or prolonged public scrutiny / media attention.
People/WHS – Reduced workforce capability/capacity threatens long term service viability. Death or permanent disablement.
Environmental – Permanent damage to the environment.

Major
Financial – Impact on departmental finances. Losses not recoverable within current financial budget. Or, exposure of between $100k and $500k to unfunded financial commitments [3].
Service Delivery – Disruption to a critical deliverable [2]. Threatens the completion of strategic program/project and business case benefits. Causes problems for clients and stakeholders in fulfilling their obligations.
Reputation – Has a detrimental effect on the department’s short term credibility with clients and stakeholders. Political consequences for the department, incurring independent enquiry or short term public scrutiny / media attention.
People/WHS – Reduced workforce capability/capacity unable to support key services. Serious bodily injury or work-caused illness.
Environmental – Long term detrimental impact on the environment.

Moderate
Financial – Impact on departmental finances. Losses recoverable within the current financial budget. Or, exposure of <$100k to unfunded financial commitments [3].
Service Delivery – Interruption to essential support deliverables and associated service performance targets. Threatens the realisation of some program or project benefits.
Reputation – Causes client and stakeholder dissatisfaction, and has a detrimental effect on the business area’s credibility and stakeholder relations. Incurs significant review or a change in the manner of delivery.
People/WHS – Reduced workforce capability/capacity affects service quality. Injury/illness requires medical treatment.
Environmental – Short term impact on the environment. Able to be contained with specialist assistance.

Minor
Financial – Noticeable impact on departmental finances. Losses recoverable within current financial budget. It would have some minor financial implications requiring a review of financial internal controls.
Service Delivery – Minor interruption to a service/s and associated service performance targets. It would be detrimental for some aspects of the program or project.
Reputation – It would cause some client or stakeholder complaints requiring additional management.
People/WHS – Reduced workforce capability/capacity affects operational processes. Localised first aid required.
Environmental – Minimal detrimental impact on the environment.

Risk rating (consequence level by likelihood level)
Consequence level | Unlikely | Possible | Likely | Almost certain
Severe | Medium | High | Extreme | Extreme
Major | Medium | High | High | Extreme
Moderate | Low | Medium | High | High
Minor | Low | Low | Medium | Medium

[3] The $ value is a guide. Where necessary, advice should be sought from the DSITIA Finance department to estimate the materiality of consequences.
[4] Definitions have been taken from the Business Continuity and Disaster Management Policy and Guideline.
Appendix D DSITIA risk rating responses

Risk rating: Extreme (risk acceptability: Unacceptable)
Response:
Reported to Director-General via DDG/ADG and existing management structures within 48 hours of identification.
Risk owner assigned.
Risk target established and risk treatment actions developed, including contingency plan.
Board of Management/Governance committees to be made aware and provide guidance.
Progress regularly reported to Board of Management.

Risk rating: High (risk acceptability: Unacceptable)
Response:
Reported to Director-General via DDG/ADG and existing management structures.
Risk owner assigned.
Risk target established and, where risk target is lower than overall risk rating, establish risk treatment actions and contingency plan (where relevant).
Progress reported to Board of Management, DDG/ADG or Functional Heads.

Risk rating: Medium (risk acceptability: risk eventuation may be tolerable under certain circumstances)
Response:
Reported to General Manager/Executive Director/Director via existing management structures.
Risk owner assigned.
Risk target established and, where risk target is lower than overall risk rating, establish risk treatment actions and contingency plan (where relevant).
Progress reported regularly to GM/ED/Director or Functional Heads.

Risk rating: Low (risk acceptability: Acceptable)
Response:
Monitor the risk.
Should be managed via routine procedures and internal reporting mechanisms.
Risk owner assigned.
Appendix E Risk controls and treatments
The effective management of risk involves considering risk treatment and control effectiveness.
Controls are typically the department’s policies and procedures and should effectively modify the
risk level by either reducing the consequence of the risk, should it occur, or the likelihood of the risk
occurring. The current risk rating is initially based on the level of risk with controls implemented and
effective.
When the current risk level is deemed to be intolerable by the department, treatments need to be
applied to further modify the risk to an acceptable level. Once implemented, treatments need to be
analysed to check that they are helping to manage the risk at a tolerable level.
Control Effectiveness
Controls are mechanisms that modify risk and can exist at the organisational and process level.
There can be more than one control for each identified risk. They are designed to address the root
cause of risk and are (typically) policies, processes, procedures, and strategies. Controls are used
to calculate the current risk level and identify the extent to which controls are modifying the risk.
Controls need to be:
regularly monitored and/or updated
reconsidered when a change occurs which might impact on the objectives and associated risks
measured for effectiveness.
Controls may not always achieve the desired modifying effect. Control gaps or ineffective controls
can lead to the same outcomes as having no controls at all.
Controls require ongoing monitoring, and informal and formal testing (where practical) to review
their effectiveness. As a quick guide to control effectiveness, the department uses a simple set of
descriptors that focus on the design and application of controls as well as management confidence
in the reliability of the control.
Control rating | Description
Adequate | Controls address the risk. Little scope for improvement. No convincing cost/benefit justification to change approach.
Opportunities for improvement | Controls have deficiencies. Improvements identified. Some cost/benefit justification to change approach.
Inadequate | Controls do not appropriately address the risk. Immediate need for improvement actions. Significant cost/benefit justification to change approach.
Appendix F Fraud and corruption risk assessment
A complete identification of fraud and corruption risk exposure will only come from a thorough
search for all potential risks. The DSITIA Fraud and Corruption Control Gap Analysis Tool can be
used as a starting point for identification of fraud risks. The tool acts as a check or prompt list,
identifying the common inherent risks in work areas susceptible to fraud and corruption, and
suggesting standard controls that could be used to manage the risks.
The broader the range of stakeholders involved in this process the more likely it is that all potential
risks will be identified.
Fraud and corruption may be perpetrated by:
departmental employees or contractors
clients, suppliers or members of the public or
collusion involving both departmental employees and external parties.
To identify fraud and corruption risks consider the following questions:
How could fraud and corruption occur?
What circumstances or events could cause this?
What would be the impact or consequence?
Sources of information which can be used to identify fraud and corruption risks include:
1. Contextual information
For example:
the current goals and strategies of the business area
main business activities and processes
organisational levels and locations e.g. remote location vs. central business district
major cost or revenue items
significant things happening in the business area’s environment
risks and issues identified in audit reports
reasons for material losses (recorded in the Material Losses Register)
circumstances of officers being offered or receiving gifts and benefits (recorded in the Gifts and Benefits Register)
feedback from stakeholders e.g. Assistant/Deputy Directors-General, client agencies, Queensland Audit Office.
2. Past instances of fraud and corruption in government departments
Types of fraud experienced by government departments have included:
Misappropriation e.g. changing account details on a departmental system to deposit funds into a personal account
Falsifying official documents e.g. purposely recording inaccuracies on a timesheet to obtain a benefit, falsely claiming for overtime, falsifying medical certificates to obtain paid sick leave
Collusion e.g. staff colluding with a contractor to approve invoices (knowing that the work had not been undertaken) in return for kickbacks from the contractor.
3. Areas of perceived high fraud and corruption risk in the public sector
The CMC survey “Profiling the Queensland public sector” outlines operational areas and functions
perceived to have high fraud and corruption risk, including:
financial functions such as the receipt of cash, revenue collection and payment systems, salaries and allowances and entertainment expenses
construction, development and planning functions ranging from land rezoning or development applications to construction and building activities
regulatory functions involving the inspection, regulation or monitoring of facilities; and operational practices, including the issue of fines or other sanctions
licensing functions such as the issue of qualifications or licences to indicate proficiency or enable the performance of certain activities
demand-driven or allocation-based functions where demand often exceeds supply, including the allocation of services or grants of public funds; or the provision of subsidies, financial assistance, concessions or other relief
procurement and purchasing functions including e-commerce activities, tendering, contract management and administration
other functions involving the exercise of discretion, or where there are regular dealings between public sector and private sector personnel (especially operations that are remotely based or have minimal supervision).
Other items to consider in a fraud and corruption risk assessment
Keep the following points in mind when undertaking a fraud and corruption risk assessment.
1. Analyse risks and consider further prevention opportunities in relation to:
the allocation of grants (and subsidies) of public funds
relationships and dealings with the private sector
inspecting, regulating or monitoring standards of premises, businesses, equipment and products
the issuing of fines or other sanctions
the training and support of staff working specifically in high risk areas
falsifying official documents e.g. timesheets, leave forms
misuse of departmental resources e.g. car, phone, computer
misappropriation, including in relation to:
misuse of corporate credit cards
misuse of Cabcharge vouchers
failure to return departmental property after a person has left the department.
2. Encourage managers to be proactive in supporting disclosers and initiating strategies for dealing with misconduct rather than relying on and reacting to complaints.
3. Raise awareness about conflicts of interest and other/secondary employment.
4. Raise awareness about responsibilities for identifying and reporting misconduct.
Appendix G Glossary
These definitions are consistent with the terms used in AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines
Term | Description
Business area | A departmental unit that reports to an Assistant/Deputy Director-General.
Business area risk | Risks that relate to the business area’s purpose, objectives and operations. Also see Operational risk.
Cause | Something that results in an event.
Consequence | The outcome of an event or circumstance affecting the achievement of objectives. Note 1: An event can lead to a range of consequences. Note 2: A consequence can be certain or uncertain and can have positive or negative effects on objectives. Note 3: Consequences can be expressed qualitatively or quantitatively. Note 4: Initial consequences can escalate through knock-on effects.
Control | Measure that is modifying risk. Note 1: Controls include any process, policy, device or practice, or other actions which modify risk. Note 2: Controls may not always exert the intended or assumed modifying effect.
Corruption | Involves a breach of trust in the performance of official duties and includes conduct which does or could adversely affect the honest or impartial exercise of official functions by an employee, whether or not for the benefit of the person. It also includes conduct by an employee involving dishonesty or failure to impartially exercise an official function.
Current risk | The risk remaining after risk treatment. It is the level of risk that remains after assessing the effectiveness of the controls, treatments and any management strategies and other mechanisms currently in place to modify a particular risk. Note: this is the same definition as ‘residual risk’ in ISO Guide 73. Efforts have been made to use everyday language rather than purist risk management speak.
Departmental risk | Operational risks that relate to the department as a whole, sometimes referred to as ‘corporate risk’. These risks are common across multiple business areas or potentially interagency.
Division | A group of service areas that report to a Deputy/Assistant Director-General.
Division Head | Deputy Director-General or Assistant Director-General responsible for a number of service areas.
Existing control | Controls that are in place at the time of risk identification and at the time of initial risk rating.
Fraud | Refers to an intentional dishonest act or omission done with the intent of deceiving. It may have the object of obtaining a benefit for some person or causing a detriment. It includes the situation where a person makes a false representation about something and lacks belief in the truth of the representation or makes it recklessly, not caring whether it is true or false.
Hazard | Possible source of danger, or conditions (physical or operational) that have a capacity to produce a particular type of adverse effect.
Impact | See “Consequence”.
Interagency risk | A risk that relates to more than one agency (for example, collaborative projects) and requires treatment by multiple agencies to be effective.
Level of risk | The magnitude of a risk measured in terms of the combination of the consequences and likelihood.
Likelihood | The chance of something happening.
Operational risk | Those risks that arise in day to day operations, and which require specific and detailed response and monitoring regimes. If not treated and monitored, operational risk could potentially result in major adverse consequences for the department. The Treasury’s guide to risk further expands on this definition, stating: A risk that may arise in day to day operations and could have an impact on the achievement of: the department’s strategic objectives from the perspective of actions undertaken by a particular division, business area, branch or work unit; program or project management objectives. Also see Business area risk.
Program | A grouping or list of projects and activities planned and managed in a coordinated way in order to achieve outcomes and realise benefits.
Project | A temporary process or endeavour which has a clearly defined start and end time, a structured set of activities and tasks, a budget and a specified business case.
Project management | The management of the full project life cycle to ensure stakeholders are fully engaged, risk is actively managed and outputs are delivered. It is the planning, monitoring and control of all aspects of the project to achieve the project objectives on time and to the specified cost, quality and performance.
Residual risk | See Current risk.
Risk | The effect of uncertainty on objectives. Note 1: An effect is a deviation from the expected – positive and/or negative. Note 2: Objectives can have different aspects and can apply at different levels (such as strategic, organisation wide, project, product and process). Note 3: Risk is often characterised by reference to potential events and consequences or a combination of these. Note 4: Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence. Note 5: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
Risk acceptance & monitoring | Acceptance of the potential benefit of gain or burden of loss from a risk. The risk is monitored in case the risk rating changes, possibly resulting in the need for a different treatment strategy.
Risk analysis | The systematic process to comprehend the nature of risk and level of risk.
Risk appetite | The amount and type of risk the department/service area is prepared to pursue or take to achieve an objective.
Risk assessment | The three process steps of risk identification, risk analysis and risk evaluation form the risk assessment.
Risk avoidance | An informed decision not to be involved in, or to withdraw from, an activity in order to not be exposed to a particular risk.
Risk category | A way of categorising a risk to enhance risk identification and analysis and risk reporting.
Risk criteria | Terms of reference against which the significance of a risk is assessed.
Risk description | Statement of risk, which describes the risk in terms of the risk event, causes and consequences of the risk.
Risk escalation | Process facilitating a change of risk ownership to the next higher management level in cases where the approval and management of additional controls is beyond the delegation/authority of the management level at which the risk was identified.
Risk evaluation | Process of comparing the results of the risk analysis against risk criteria to determine the level of risk and whether it is tolerable or not.
Risk event | An uncertain occurrence or set of circumstances that, should it occur, will have an effect on the achievement of an objective. Note 1: An event can consist of something not happening. Note 2: An event can be one or more occurrences, and can have several causes.
Risk management | Coordinated activities to direct and control an organisation with regard to risk.
Risk Management Framework | Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.
Risk owner | Person or entity with the accountability and authority to manage the risk.
Risk rating | Magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.
Risk reduction | Application of a risk treatment that reduces either the likelihood or consequence of the risk occurring. Also known as risk mitigation.
Risk register | Record of information about identified risks.
Risk sharing | The agreed distribution of risk with other parties. Legal or regulatory requirements can limit, prohibit or mandate risk sharing. Risk sharing can be carried out through insurance or other contracts. The extent to which risk is distributed can depend on the reliability and clarity of the sharing arrangements. Risk transfer is a form of risk sharing. Note: The accountability for meeting business objectives or achieving outcomes cannot be transferred.
Risk tolerance | Organisation or stakeholder readiness to bear the risk after risk treatment in order to achieve its objectives (risk tolerance can be influenced by legal or regulatory requirements).
Risk treatment action | Any specific action designed to reduce the likelihood or consequence of a risk.
Strategic risk | Risks that may affect the department’s ability to meet its overall purpose and strategic objectives and require direct oversight by the Board of Management.
References
AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines
Standards Australia HB 89–2012 Risk Management – Guidelines on risk assessment techniques
ISO Guide 73:2009 Risk Management – Vocabulary
A Guide to Risk Management
Results of audits – Internal control systems report 5:2012