risk management procedure
8/10/2019 Risk Management Procedure
1/33
APPENDIX D:
Risk Management Procedure Template
255269787.DO
Table of Contents
Risk Management Procedure
Template
Table of Contents
Introduction
Definitions
Objectives of Risk Management
Benefits of Risk Management
Roles and responsibilities
Risk Management Governance Structure
Relationship with other processes
Key Process Steps
One: Communicate and Consult
Two: Establish the Context
Three: Identify Risks
Four: Analyse Risks
Five: Evaluate Risks
Six: Treat Risks
Seven: Monitor and Review
Risk Reporting
Risk Management Reporting Responsibilities
Risk Escalation
Risk Reports and Recipients
Review and Approval
Access to Risk Management Reporting Framework
Introduction
The role of this risk management procedure is to provide staff with guidance on how to apply consistent and comprehensive risk management. This procedure provides information on how to identify, analyse, evaluate and treat risks.
In addition, it identifies other key activities needed for an effective risk management approach. The risk management process contained in this procedure aligns with the Australian Standard for Risk Management (AS/NZS ISO 31000:2009).
Risk is the chance of something happening that will have an impact on objectives. It is important that we manage risks so that the negative impact of risks upon the achievement of our objectives is minimised and our ability to realise potential opportunities is maximised.
Set out below is a diagram illustrating how this procedure interacts with other key risk management documents:
De"initions
Risk Managementis theculture! processes andstructures that are directedtowards realising potential
t iti hil t
Objectives of Risk Management
Risk management is a responsibility of all, with specific risk responsibilities being allocated to different groups and levels within the organisation. It is important to have complete and current risk information available, as this information assists the ________ to make more informed decisions around both strategic direction and operational objectives.
Risk management is not a stand-alone discipline but requires integration with existing business processes such as business planning and Internal Audit, in order to provide us with the greatest benefits.
The objectives of a risk management framework are to:
Provide a systematic approach to the early identification and management of risks;
Provide consistent risk assessment criteria;
Make available accurate and concise risk information that informs decision making, including business direction;
Adopt risk treatment strategies that are cost effective and efficient in reducing risk to an acceptable level; and
Monitor and review risk levels to ensure that risk exposure remains within an acceptable level.
3ene"its o" Risk Management
#isk management will support us in /eing a/le to meet our values and deliver upon our
o/0ectives Application of a consistent and comprehensive risk management process will:
Roles and responsibilities
An organisation's ability to conduct effective risk management is dependent upon having an appropriate risk governance structure and well-defined roles and responsibilities.
It is important for everyone to be aware of his or her individual and collective risk management responsibilities. In order for risks to be effectively managed, it is essential to have people behaving in a way that is consistent with the organisation's approved approach.
This indicates that risk management is not merely about having a well-defined process but also about effecting the behavioural change necessary for risk management to be embedded in all organisational activities.
Set out below is the risk management governance structure. This structure illustrates that risk management is not the sole responsibility of one individual but rather occurs and is supported at all organisational levels.
Risk Management Governance Structure
[Diagram of the governance structure; legible labels: Board, Risk Committee, "provides oversight and review"]
Provide a high level description of the roles of the various people or groups involved in the risk governance structure. This will be expanded in the procedures.
Board
Indicate the detailed responsibilities of the Board (if applicable).
Committee
Indicate the detailed responsibilities of the relevant committee (if applicable).
Chief Executive Officer
Indicate the detailed responsibilities of the relevant CEO or relevant position (if applicable).
Risk Committee
Indicate the detailed responsibilities of the relevant internal risk committee or relevant group / forum (if applicable).
Relationship with other processes
Risk management is not a stand-alone discipline. In order to maximise risk management benefits and opportunities, it needs to be integrated with existing business processes.
Some of the key business processes with which risk alignment is necessary are:
Internal Audit – Internal Audit reviews the effectiveness of controls. Alignment between the Internal Audit function and that of the controls within the Risk Management process is critical, and the role of Risk & Compliance Manager will seek to align these core processes.
Business Planning including budget – Identifying risk during the business planning process allows us to set realistic delivery timelines for strategies/activities, or to choose to remove a strategy/activity if the associated risks are too high or unmanageable. The impact of changing risk levels over the year can then be mapped to the relevant objective, enabling us to conduct more timely consultation with key stakeholders.
Key Process Steps
Risk management is a continual process that involves the following key steps:
Communicate and consult
Establish the context
Identify risks
Analyse risks
Evaluate risks
Treat risks
Monitor and review
It is important to follow this process when conducting risk management, as this ensures that the approach to risk management is both comprehensive and consistent.
This process is formally conducted across the entire organisation on an annual basis. This occurs in conjunction with the corporate and business planning process and involves the review and update of risk profiles for the enterprise as a whole, which includes a review for each individual division. This illustrates a "top-down" and a
Process Step | Overview | Process
One: Communicate and Consult
Communication and consultation with internal and external stakeholders is important throughout the risk management process to ensure the organisation has a comprehensive picture of the risks we face.
External communication and consultation is targeted at informing external stakeholders of:
The organisation's risk management approach
The effectiveness of our risk management approach
Requesting feedback where appropriate
Risk management is a key governance and management function to which external stakeholders, including Government and industry, are paying increased attention. Satisfying these stakeholders that we use appropriate risk management practices will influence their perception of the organisation.
Internal communication and consultation is aimed at informing internal stakeholders of:
The risk management process
Seeking feedback in relation to the process
Key risks and their responsibilities relating to management of these
Two: Establish the Context
This means considering:
1. The external context
Building an understanding of our external stakeholders and hence the extent to which this external environment will impact on our ability to achieve corporate objectives: the Business, Social, Regulatory, Cultural, Competitive, Financial and Political Environments in which we operate. It also involves considering our strengths, weaknesses, opportunities and threats.
2. The internal context
This is aimed at understanding organisational elements and the way they interact, such as: culture, internal stakeholders, structure, capabilities (in terms of resources such as people, systems, processes and capital), goals and objectives, and the strategies in place to achieve these.
3. The risk management context
The goals, objectives, strategies, scope and parameters for the risk management process itself must also be considered.
Note: The "Establish the Context" part of the risk management process will only need to be repeated when there are significant changes to either our external environment or business operations.
T&ree $denti") Risks#isk identification is a key step in the risk managementprocess to ensure a complete list of risks is identified
#isks can /e identified using various tools andtechni4ues including:
Part of risk identification also involves identifying risksthat may arise ;over the horion
Four: Analyse Risks
Once a risk is identified, it is important to adequately describe it. The components of a comprehensive risk description are:
Event, e.g. High staff turnover;
Cause, e.g. Staff job dissatisfaction; and
Impact, i.e. Inability to achieve strategic objectives.
Risk analysis involves:
Identifying controls currently in place to manage the risk by either reducing the consequence or likelihood of the risk;
Assessing the effectiveness of current controls;
Identifying the likelihood of the risk occurring; and
Identifying the potential consequence or impact that would result if the risk were to occur.
When evaluating the effectiveness of current controls, the factors to consider include consistency of application, understanding of control content and documentation of controls where appropriate. Controls are aimed at bringing the risk within an acceptable level. The evaluation of current controls can occur through several different processes including:
Control self assessment;
Internal Audit reviewing the effectiveness of controls; and
External Audit reviewing the effectiveness of controls.
The consequence and likelihood ratings, as identified after consideration of current controls, are combined to determine the overall risk level.
Five: Evaluate Risks
Risk evaluation involves considering the risk's overall risk level. This allows determination of whether further risk treatment actions are required to bring the risk within an acceptable level. The output of the risk evaluation phase is a prioritised list of risks.
There may be times when the action required will differ from that identified above; however, where this is the case, the Chief Executive Officer must approve deviation from the above action.
Six: Treat Risks
Risk treatment involves examining possible treatment options to determine the most appropriate action for managing a risk. Treatment actions are required where the current controls are not managing the risk within defined tolerance levels. Treatment options could involve improving existing controls and implementing additional controls.
Possible risk treatment options include:
Avoid the risk – change business process or objective so as to avoid the risk;
Change the likelihood – undertake actions aimed at reducing the cause of the risk;
Change the consequence – undertake actions aimed at reducing the impact of the risk;
Share/transfer the risk – transfer ownership and liability to a third party; and
Retain the risk – accept the impact of the risk.
When determining the preferred treatment option, consideration should be given to the cost of the treatment as compared to the likely risk reduction that will result (cost benefit analysis). On selecting the preferred treatment option, the following should occur:
The cost of any actions should be incorporated into the relevant budget planning process;
A responsible person should be identified for delivery of the action, with this expectation being communicated to them;
A realistic due date should be set; and
Performance measures should be determined.
Seven: Monitor and Review
Risk information requires regular monitoring and review to ensure currency. The environment in which we operate is constantly changing, and so therefore are our risks. If risk information is inaccurate, we may make poor decisions that could otherwise have been avoided.
Therefore Risk Owners and Risk Treatment Owners have key risk and control review and update responsibilities to ensure continued currency of information pertaining to their particular risks. In addition, on an annual basis, the entire risk register will be reviewed, with review participation being broader than solely Risk Owners and Risk Treatment Owners.
It is also important for the effectiveness of the risk management framework to be monitored and reviewed. This framework drives the extent to which risks will be adequately managed throughout the organisation. Monitoring implementation of the Risk Management Strategy is one available monitoring mechanism.
In addition, the risk management framework itself will be reviewed annually, with results being reported to the ARC and the Board. As risk management developments are constantly occurring, this review mechanism will provide us with information on current risk management developments, facilitating continuous risk management improvements.
Risk Reporting
Set out below is a diagram illustrating how the risk management reporting process fits into the overall risk management framework.
Risk management reporting is a key element of the 'Monitor and Review' phase of the risk management process, and needs to occur at each step of the process. This risk management reporting process supports a formalised, structured and comprehensive approach by ________ to the monitoring and review of its risks, thereby enhancing its risk management process.
Risk Management Reporting Responsibilities
Group | Responsibilities
Board | Review reports; Communicate risk information issues back to the organisation; Identify new and emerging risks
Audit and Risk Committee | Review reports; Communicate risk information issues back to the organisation; Communicate key risk issues to the Board; Identify new and emerging risks
CEO | Review reports; Closely monitor extreme risks; Identify new and emerging risks
[Diagram of the risk management framework; legible labels: Corporate Plan 2007 - 2010, Business Plan 2007 - 2008, Risk Policy, Risk Management Process, Risk Tools, Risk Management Reporting Framework, Risk Strategy 2007 - 2008]
Identify new and emerging risks
Risk Escalation
Risk escalation is an important tool for ensuring that risks are known and understood by the people with the authority to appropriately manage them. If a risk poses an extreme risk and requires allocation of substantial risk treatment resources, then it would not be appropriate for this to be managed at the divisional level. The Board has overall accountability for managing risks and therefore, where a risk poses such a high threat, the Board should be immediately informed of it.
Everyone has the ability to identify risks at any time of the year. When these risks are identified outside of the formal annual risk review process, escalation of the risk to the appropriate recipient needs to occur. The table set out below indicates the appropriate escalation process. The ________ will act as the conduit between the person who has identified the risk and the relevant escalation recipient. Therefore, if you identify a risk which requires escalation, please report it directly to the ________.
The ________ will assess and review the risk information provided to them and escalate the risk in line with the requirements set out in the table below.
Risk Level | Escalation Recipient | Timing
High | |
Significant | |
Medium | |
Low | |
Risk Reports and Recipients
Review and Approval
The Risk Management Reporting Framework and report templates will be reviewed annually by the ________ and approved at least every ________ by the ________.
Access to Risk Management Reporting Framework
The Risk Management Reporting Framework will be made available to each employee of ________.
The Risk Management Reporting Framework will be available as follows:
Re"erences
?or further information on risk management! the following documents provide acomprehensive and practical overview:
A"&N'" I"( )*+++:,++- 7 #isk management 3 Principles and guidelines
I"( =uide C):,++- 7 #isk management 3 Foca/ulary
IE6&I"( )*+*+:,++- 7 #isk $anagement 3 #isk assessment techni4ues
9 ),C:,+*+ 7 6ommunicating and consulting a/out risk
A"&N'" G+G+ ,+*+ 9 i ti it $ i di ti l t d i k
Appendix: Risk Control, Likelihood and Consequence Rating
The following were endorsed by the ________ in ________ for ________. These will be subject to review in ________.
Control Effectiveness Rating Criteria
Rating | Definition | Indicators
Likelihood Rating Criteria
Rating | Descriptor | Frequency | Description
Consequence Rating Scale
Description | Rating | Financial | Service Quality | Reputation | People / Knowledge | Stakeholders | Compliance