risk management procedure template
8/16/2019 Risk Management Procedure Template
APPENDIX D:
Risk Management Procedure – Template
319305228
Table of Contents
Risk Management Procedure Template
Table of Contents
Introduction
Definitions
Objectives of Risk Management
Benefits of Risk Management
Roles and responsibilities
Risk Management Governance Structure
Relationship with other processes
Key Process Steps
One: Communicate and Consult
Two: Establish the Context
Three: Identify Risks
Appendix: Risk assessment templates and heat map
Risk Assessment Template
Risk Assessment Treatment Plan Template
Appendix: Risk Reporting – potential risk reports
Templates (Examples)
Risk Profile
Risk Treatment Actions Status Detailed
Assurance Coverage of Key Risks
Risk Management Annual Activity Schedule and Improvement Initiatives
New and Emerging Threats and Opportunities
Detailed Risk Register
Introduction
The role of this risk management procedure is to provide staff with guidance in how to apply consistent and comprehensive risk management. This procedure provides information on how to identify, analyse, evaluate and treat risks.
In addition, it identifies other key activities needed for an effective risk management approach. The risk management process contained in this procedure aligns with the Australian Standard for Risk Management (AS/NZS ISO 31000:2009).
Risk is the chance of something happening that will have an impact on objectives. It is important that we manage risks in order that the negative impact of risks upon achievement of our objectives is minimised and our ability to realise potential opportunities is maximised.
Set out below is a diagram illustrating how this procedure interacts with other key risk management documents:
Objectives of Risk Management
Risk management is a responsibility of all, with specific risk responsibilities being allocated to different groups and levels within the organisation. It is important to have complete and current risk information available as this information assists the to make more informed decisions around both strategic direction and operational objectives.
Risk management is not a stand-alone discipline but requires integration with existing business processes such as business planning and Internal Audit, in order to provide us with the greatest benefits.
The objectives of a risk management framework are to:
• Provide a systematic approach to the early identification and management of risks;
• Provide consistent risk assessment criteria;
• Make available accurate and concise risk information that informs decision making including business direction;
• Adopt risk treatment strategies that are cost effective and efficient in reducing risk to an acceptable level; and
Roles and responsibilities
An organisation's ability to conduct effective risk management is dependent upon having an appropriate risk governance structure and well-defined roles and responsibilities.
It is important for everyone to be aware of his or her individual and collective risk management responsibilities. In order for risks to be effectively managed, it is essential to have people behaving in a way that is consistent with the organisation's approved approach. This indicates that risk management is not merely about having a well-defined process but also about effecting the behavioural change necessary for risk management to be embedded in all organisational activities.
Set out below is the risk management governance structure. This structure illustrates that risk management is not the sole responsibility of one individual but rather occurs and is supported at all organisational levels.
Risk Management Governance Structure
[Diagram: risk management governance structure; visible label: Board]
Board
• Indicate the detailed responsibilities of the Board (if applicable)
Committee
• Indicate the detailed responsibilities of the relevant committee (if applicable)
Chief Executive Officer
• Indicate the detailed responsibilities of the relevant CEO or relevant position (if applicable)
Risk Committee
• Indicate the detailed responsibilities of the relevant internal risk committee or relevant group / forum (if applicable)
Relationship with other processes
Risk management is not a stand-alone discipline. In order to maximise risk management benefits and opportunities, it needs to be integrated with existing business processes.
Some of the key business processes with which risk alignment is necessary are:
• Internal Audit – Internal Audit reviews the effectiveness of controls. Alignment between the Internal Audit function and that of the controls within the Risk Management process is critical, and the role of Risk & Compliance Manager will seek to align these core processes.
Key Process Steps
Risk management is a continual process that involves the following key steps:
• Communicate and consult
• Establish the context
• Identify risks
• Analyse risks
• Evaluate risks
• Treat risks
• Monitor and review
It is important to follow this process when conducting risk management as this ensures that the approach to risk management is both comprehensive and consistent.
Process Step | Overview | Process
comprehensive picture of the risks we face.
External communication and consultation is targeted at informing external stakeholders of:
• The organisation's risk management approach
• The effectiveness of our risk management approach
• Requesting feedback where appropriate
Risk management is a key governance and management function, which external stakeholders, including Government and industry, are paying increased attention to. Satisfying these stakeholders that we use appropriate risk management practices will influence their perception of the organisation.
Context
1. The external context
Building an understanding of our external stakeholders and hence the extent to which this external environment will impact on our ability to achieve corporate objectives:
• Business, Social, Regulatory, Cultural, Competitive, Financial and Political Environments in which we operate
• It also involves considering our strengths, weaknesses, opportunities and threats
2. The internal context
This is aimed at understanding organisational elements and the way they interact, such as:
• Culture, internal stakeholders, structure, capabilities (in terms of resources such as people, systems, processes and capital), goals and objectives and the strategies in place to achieve
Part of risk identification also involves identifying risks that may arise 'over the horizon'.
• Identifying controls currently in place to manage the risk by either reducing the consequence or likelihood of the risk;
• Assessing the effectiveness of current controls;
• Identifying the likelihood of the risk occurring; and
• Identifying the potential consequence or impact that would result if the risk was to occur.
When evaluating the effectiveness of current controls, the factors to consider include consistency of application, understanding of control content and documentation of controls where appropriate. Controls are aimed at bringing the risk within an acceptable level. The evaluation of current controls can occur through several different processes including:
Possible risk treatment options include:
• Avoid the risk – change business process or objective so as to avoid the risk;
• Change the likelihood – undertake actions aimed at reducing the cause of the risk;
• Change the consequence – undertake actions aimed at reducing the impact of the risk;
• Share/transfer the risk – transfer ownership and liability to a third party; and
• Retain the risk – accept the impact of the risk.
When determining the preferred treatment option, consideration should be given to the cost of the treatment as compared to the likely risk reduction that will result (cost benefit analysis).
entire risk register will be reviewed, with review participation being broader than solely Risk Owners and Risk Treatment Owners.
It is also important for the effectiveness of the risk management framework to be monitored and reviewed. This framework drives the extent to which risks will be adequately managed throughout the organisation. Monitoring implementation of the Risk Management Strategy is one available monitoring mechanism.
In addition, the risk management framework itself will be reviewed annually, with results being reported to the ARC and the Board. As risk management developments are constantly occurring, this review mechanism will provide us with information on current risk management developments, facilitating us making continuous risk management improvements.
Risk Reporting
Set out below is a diagram illustrating how the risk management reporting process fits into the overall risk management framework.
[Diagram labels: Corporate Plan 2007-2010; Business Plan 2007-2008; Risk Policy; Risk Management Process; Risk Tools; Risk Management Reporting Framework; Risk Strategy 2007-2008]
Risk management reporting is a key element of the 'Monitor and Review' phase of the risk management process, and needs to occur at each step of the process. This risk management reporting process supports a formalised, structured and comprehensive approach by to the monitoring and review of its risks, thereby enhancing its risk management process.
Risk Management Reporting Responsibilities
Group | Responsibilities
Board
• Review reports
• Identify new and emerging risks
Risk Owners
• Monitor and review the risks which they own
• Prepare reports for the risks which they own
• Provide the Risk and Compliance Manager with information on the risks which they own
• Identify new and emerging risks
General Manager, Finance and Corporate Services
• Review reports prepared by the Risk and Compliance Manager
• Provide executive support to the Risk and Compliance Manager, for example, requiring timely provision of risk information from the organisation to the Risk and Compliance Manager
• Identify new and emerging risks
Risk and Compliance Manager
• Prepare reports
• Gather risk information from the relevant organisational people, for example, Risk Owners
• Identify new and emerging risks
Management and Staff
• Provide risk information to those that request it
Risk Level | Escalation Recipient | Timing
High
Significant
Medium
Low
Risk Reports and Recipients
Report Type
Access to Risk Management Reporting Framework
The Risk Management Reporting Framework will be made available to each employee of
The Risk Management Reporting Framework will be available as follows:
•
•
References
For further information on risk management, the following documents provide a comprehensive and practical overview:
• AS/NZS ISO 31000:2009 – Risk management - Principles and guidelines
• ISO Guide 73:2009 – Risk management - Vocabulary
• IEC/ISO 31010:2009 – Risk Management - Risk assessment techniques
• HB 327:2010 – Communicating and consulting about risk
• AS/NZS 5050 2010 Business continuity – Managing disruption-related risk
Appendix: Risk Control Likelihood Consequence Rating
The following were endorsed by the in for These will be subject to review in
Control Effectiveness Rating Criteria
Rating | Definition | Indicators
Likelihood Rating Criteria
Rating | Descriptor | Frequency | Description
Consequence Rating Scale
Description | Rating | Financial | Service Quality | Reputation | People & Knowledge | Stakeholders | Compliance, Governance & Legal | Systems & Processes
Appendix: Risk assessment templates and heat map
RISK FOR
– UPDATED AND ENDORSED BY THE
Owner | Risk Description | Risk Category | No | Consequence | Likelihood | Risk Rating
Risk Assessment Template
Title: Risk Assessment
Completed By:
Category:
Date Assessed:
Identify Risks | Analyse Risks | Evaluate | Action
Risk – Description / Impact | Cause | Existing Controls | Control Assessment | Risk Assessment (Consequence, Likelihood, Risk Rating) | Treat Risk? (Avoid Risk, Accept Risk, Reduce Risk, Transfer Risk, Increase Risk)
Risk Assessment Treatment Plan Template
Risk Owner:
Preferred Risk Treatment and Objective
Treat Risks | Monitor & Review | Insurance | KRI | KCI
Risk Treatment / Action Plan | Accountabilities | Timelines | Risk Rating | Review / Monitor | Insurance Status | Measurement and monitoring
Insurable? | Insured?
Appendix: Risk Reporting – potential risk reports
Risk Profile
Purpose
The Risk Profile Report provides a graphical representation of the placement of key risks on a heat map. This report provides a quick reference for Directors and Executives as to the organisation's risk exposure. It helps to guide the allocation of resources to treat those risks, which pose the biggest threat, both in terms of likelihood and consequence. This report is a snapshot of the organisation's current organisational risk profile.
In addition, the Risk Profile Report will document the extent of risk rating changes that have occurred and explain the known or likely reasons for the change. The types of reasons that might be presented include:
• Change in operations
• Internal Audit findings indicate that controls are less effective than anticipated
• Implementation of risk treatment actions
Risk treatment actions status - detailed
Purpose
The Risk Treatment Actions Report contains a status update on progress against approved risk treatment actions. People are more likely to deliver upon what they are measured against. Therefore this report increases accountability for delivery against agreed risk management actions. It also provides comfort to Directors and Executives that risks are being treated as anticipated.
Information included
• Risk description
• Risk rating
• Description of the risk treatment action
• Date for completion of risk treatment
• Person(s) responsible
• Status (eg in progress, completed)
• Additional comments (eg specific detail around the status)
• Description of the assurance activities – Previous year
• Description of the assurance activities – Current year
The key findings of assurance activities, as they influence risk, would be reflected in the organisation's Risk Profile Report within the 'reason for change' column.
Risk management annual activity schedule and improvement Initiatives
Purpose
The Risk Management Improvement Initiatives Report tracks progress against the risk management improvement initiatives approved to be implemented over the coming year. It provides assurance around the continual improvement of the risk management processes and practices.
Information included
• Description of the initiative;
This report is a summary risk register that includes the following information:
• Risk description;
• Risk category;
• Risk rating;
• Causes;
• Impacts; and
• Current controls
The would then determine whether the risks contained in this report warranted inclusion in the risk register. Where risks are included in the risk register, the Audit and Risk Committee and the Board would have visibility of the new risk information in the Risk Profile Report.
Detailed risk register
Purpose
The Detailed Risk Register Report contains all information contained in the risk register. All information provided in other risk reports should be reflected in the risk register. This report is only
Templates (Examples)
Risk Profile
LIKELIHOOD / CONSEQUENCE: Insignificant, Minor, Moderate, Major, Extreme
Almost Certain: 6
Likely: 2,3  8
Possible: 1  15  9,5,10
Unlikely: 7  13  12,4
Remote: 14  11
Rank | Ref | Risk Category | Risk Description | Rating | Trend | Reason for Change | Improvement Required? | Improvement Status
1 | 6 | High | <reason for change>
= | 5 | Significant | <reason for change>
  | 10 | Significant | <reason for change> | No
? | 12 | Significant | <reason for change> | No
@ | 4 | Significant | <reason for change>
1. Risk Treatment Actions Status – Detailed
Ref | Risk Description | Rating | Treatment Actions | Due Date | Responsible Person | Status | Comments
6 | High | 1 | <date> | <person responsible> | In progress | 95% complete (example)
6 | High | 2 | <date> | <person responsible> | Completed
6 | High | 3 | <date> | <person responsible> | In progress
6 | High | 4 | <date> | <person responsible> | Completed
9 | Significant | 1 | <date> | <person responsible> | In progress
9 | Significant | 2 | <date> | <person responsible> | In progress
9 | Significant | 3 | <date> | <person responsible> | Completed
9 | Significant | 4 | <date> | <person responsible> | In progress
Status key: Completed; In Progress; Overdue
Assurance Coverage of Key Risks
Rank | Risk Description | Control / Treatment | Risk Rating | Trend | Assurance Activities – Previous
Risk Management Annual Activity Schedule and Improvement Initiatives
Improvement Initiative | Action | Responsible Person | Due date | Achieved | Comments
New and Emerging Threats and Opportunities
Title: Risk Assessment
Completed By:
Category:
Date Assessed:
Identify Risks | Analyse Risks | Evaluate | Action
Risk – Description / Impact | Cause | Existing Controls | Control Assessment | Risk Assessment (Consequence, Likelihood, Risk Rating) | Treat Risk? (Avoid Risk, Accept Risk, Reduce Risk, Transfer Risk, Increase Risk)
Detailed Risk Register
Title: Risk Assessment
Completed By:
Category:
Date Assessed:
Identify Risks | Analyse Risks | Evaluate | Action
Risk – Description / Impact | Cause | Existing Controls | Control Assessment | Risk Assessment (Consequence, Likelihood, Risk Rating) | Treat Risk? (Avoid Risk, Accept Risk, Reduce Risk, Transfer Risk, Increase Risk)
Risk Owner:
Preferred Risk Treatment & Objective
Treat Risks | Monitor & Review | Insurance | KRI | KCI
Risk Treatment / Action Plan | Accountabilities | Timelines | Risk Rating | Review / Monitor | Insurance Status | Measurement and monitoring
Insurable? | Insured?