risk management procedure

Upload: adrian-ianca

Post on 02-Jun-2018


8/10/2019 Risk Management Procedure (1/33)

    APPENDIX D:

    Risk Management Procedure Template


Table of Contents

Risk Management Procedure
Template
Table of Contents
Introduction
Definitions
Objectives of Risk Management
Benefits of Risk Management
Roles and responsibilities
Risk Management Governance Structure
Relationship with other processes
Key Process Steps
One: Communicate and Consult
Two: Establish the Context
Three: Identify Risks
Four: Analyse Risks
Five: Evaluate Risks
Six: Treat Risks
Seven: Monitor and Review
Risk Reporting
Risk Management Reporting Responsibilities
Risk Escalation
Risk Reports and Recipients
Review and Approval
Access to Risk Management Reporting Framework


Introduction

The role of this risk management procedure is to provide staff with guidance on how to apply consistent and comprehensive risk management. This procedure provides information on how to identify, analyse, evaluate and treat risks.

In addition, it identifies other key activities needed for an effective risk management approach. The risk management process contained in this procedure aligns with the Australian Standard for Risk Management (AS/NZS ISO 31000:2009).

Risk is the chance of something happening that will have an impact on objectives. It is important that we manage risks so that the negative impact of risks upon achievement of our objectives is minimised and our ability to realise potential opportunities is maximised.

Set out below is a diagram illustrating how this procedure interacts with other key risk management documents:

Definitions

Risk Management is the culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects.


Objectives of Risk Management

Risk management is a responsibility of all, with specific risk responsibilities being allocated to different groups and levels within the organisation. It is important to have complete and current risk information available, as this information assists the [...] to make more informed decisions around both strategic direction and operational objectives.

Risk management is not a stand-alone discipline but requires integration with existing business processes such as business planning and Internal Audit, in order to provide us with the greatest benefits.

The objectives of a risk management framework are to:

- Provide a systematic approach to the early identification and management of risks;
- Provide consistent risk assessment criteria;
- Make available accurate and concise risk information that informs decision making, including business direction;
- Adopt risk treatment strategies that are cost effective and efficient in reducing risk to an acceptable level; and
- Monitor and review risk levels to ensure that risk exposure remains within an acceptable level.

Benefits of Risk Management

Risk management will support us in being able to meet our values and deliver upon our objectives. Application of a consistent and comprehensive risk management process will:


Roles and responsibilities

An organisation's ability to conduct effective risk management is dependent upon having an appropriate risk governance structure and well-defined roles and responsibilities.

It is important for everyone to be aware of his or her individual and collective risk management responsibilities. In order for risks to be effectively managed, it is essential to have people behaving in a way that is consistent with the organisation's approved approach.

This indicates that risk management is not merely about having a well-defined process but also about effecting the behavioural change necessary for risk management to be embedded in all organisational activities.

Set out below is the risk management governance structure. This structure illustrates that risk management is not the sole responsibility of one individual but rather occurs and is supported at all organisational levels.

Risk Management Governance Structure

[Diagram: Risk Management Governance Structure. Elements legible in the source: Board (provides oversight and review); Risk Committee.]


Provide a high level description of the roles of the various people or groups involved in the risk governance structure. This will be expanded in the procedures.

Board
Indicate the detailed responsibilities of the Board (if applicable).

Committee
Indicate the detailed responsibilities of the relevant committee (if applicable).

Chief Executive Officer
Indicate the detailed responsibilities of the relevant CEO or relevant position (if applicable).

Risk Committee
Indicate the detailed responsibilities of the relevant internal risk committee or relevant group / forum (if applicable).


Relationship with other processes

Risk management is not a stand-alone discipline. In order to maximise risk management benefits and opportunities, it needs to be integrated with existing business processes.

Some of the key business processes with which risk alignment is necessary are:

Internal Audit: Internal Audit reviews the effectiveness of controls. Alignment between the Internal Audit function and the controls within the Risk Management process is critical, and the Risk & Compliance Manager will seek to align these core processes.

Business Planning, including budget: Identifying risk during the business planning process allows us to set realistic delivery timelines for strategies/activities, or to choose to remove a strategy/activity if the associated risks are too high or unmanageable. The impact of changing risk levels over the year can then be mapped to the relevant objective, enabling us to conduct more timely [...] with key stakeholders.


Key Process Steps

Risk management is a continual process that involves the following key steps:

- Communicate and consult
- Establish the context
- Identify risks
- Analyse risks
- Evaluate risks
- Treat risks
- Monitor and review

It is important to follow this process when conducting risk management, as this ensures that the approach to risk management is both comprehensive and consistent.

This process is formally conducted across the entire organisation on an annual basis. This occurs in conjunction with the corporate and business planning process and involves the review and update of risk profiles for the enterprise as a whole, including a review for each individual division. This illustrates a "top-down" and a [...]


Process Step Overview

One: Communicate and Consult

Communication and consultation with internal and external stakeholders is important throughout the risk management process to ensure the organisation has a comprehensive picture of the risks we face.

External communication and consultation is targeted at informing external stakeholders of:

- The organisation's risk management approach;
- The effectiveness of our risk management approach; and
- Requesting feedback where appropriate.

Risk management is a key governance and management function to which external stakeholders, including Government and industry, are paying increased attention. Satisfying these stakeholders that we use appropriate risk management practices will influence their perception of the organisation.

Internal communication and consultation is aimed at informing internal stakeholders of:

- The risk management process;
- Seeking feedback in relation to the process; and
- Key risks and their responsibilities relating to the management of these.


Two: Establish the Context

This means considering:

1. The external context

Building an understanding of our external stakeholders and hence the extent to which this external environment will impact on our ability to achieve corporate objectives: the Business, Social, Regulatory, Cultural, Competitive, Financial and Political Environments in which we operate. It also involves considering our strengths, weaknesses, opportunities and threats.

2. The internal context

This is aimed at understanding organisational elements and the way they interact, such as: culture, internal stakeholders, structure, capabilities (in terms of resources such as people, systems, processes and capital), goals and objectives, and the strategies in place to achieve these.

3. The risk management context

The goals, objectives, strategies, scope and parameters for the risk management process itself must also be considered.

Note: The "Establish the Context" part of the risk management process will only need to be repeated when there are significant changes to either our external environment or our business operations.


Three: Identify Risks

Risk identification is a key step in the risk management process, to ensure a complete list of risks is identified.

Risks can be identified using various tools and techniques, including:

Part of risk identification also involves identifying risks that may arise "over the horizon".


Four: Analyse Risks

Once a risk is identified, it is important to adequately describe it. The components of a comprehensive risk description are:

- Event, e.g. high staff turnover;
- Cause, e.g. staff job dissatisfaction; and
- Impact, i.e. inability to achieve strategic objectives.

Risk analysis involves:

- Identifying controls currently in place to manage the risk by reducing either the consequence or the likelihood of the risk;
- Assessing the effectiveness of current controls;
- Identifying the likelihood of the risk occurring; and
- Identifying the potential consequence or impact that would result if the risk were to occur.

When evaluating the effectiveness of current controls, the factors to consider include consistency of application, understanding of control content, and documentation of controls where appropriate. Controls are aimed at bringing the risk within an acceptable level. The evaluation of current controls can occur through several different processes, including:

- Control self-assessment;
- Internal Audit reviewing the effectiveness of controls; and
- External Audit reviewing the effectiveness of controls.

The consequence and likelihood ratings, as identified after consideration of current controls, are combined to determine the overall risk level.


Five: Evaluate Risks

Risk evaluation involves considering the risk's overall risk level. This allows determination of whether further risk treatment actions are required to bring the risk within an acceptable level. The output of the risk evaluation phase is a prioritised list of risks.

There may be times when the action required will differ from that identified above; however, where this is the case, the Chief Executive Officer must approve deviation from the above action.


Six: Treat Risks

Risk treatment involves examining possible treatment options to determine the most appropriate action for managing a risk. Treatment actions are required where the current controls are not managing the risk within defined tolerance levels. Treatment options could involve improving existing controls and implementing additional controls.

Possible risk treatment options include:

- Avoid the risk: change the business process or objective so as to avoid the risk;
- Change the likelihood: undertake actions aimed at reducing the cause of the risk;
- Change the consequence: undertake actions aimed at reducing the impact of the risk;
- Share/transfer the risk: transfer ownership and liability to a third party; and
- Retain the risk: accept the impact of the risk.

When determining the preferred treatment option, consideration should be given to the cost of the treatment as compared to the likely risk reduction that will result (cost-benefit analysis). On selecting the preferred treatment option, the following should occur:

- The cost of any actions should be incorporated into the relevant budget planning process;
- A responsible person should be identified for delivery of the action, with this expectation being communicated to them;
- A realistic due date should be set; and
- Performance measures should be determined.


Seven: Monitor and Review

Risk information requires regular monitoring and review to ensure currency. The environment in which we operate is constantly changing, and so therefore are our risks. If risk information is inaccurate, we may make poor decisions that could otherwise have been avoided.

Therefore Risk Owners and Risk Treatment Owners have key risk and control review and update responsibilities, to ensure continued currency of information pertaining to their particular risks. In addition, on an annual basis the entire risk register will be reviewed, with review participation being broader than solely Risk Owners and Risk Treatment Owners.

It is also important for the effectiveness of the risk management framework to be monitored and reviewed. This framework drives the extent to which risks will be adequately managed throughout the organisation. Monitoring implementation of the Risk Management Strategy is one available monitoring mechanism.

In addition, the risk management framework itself will be reviewed annually, with results being reported to the Audit and Risk Committee (ARC) and the Board. As risk management developments are constantly occurring, this review mechanism will provide us with information on current risk management developments, facilitating continuous risk management improvements.


Risk Reporting

Set out below is a diagram illustrating how the risk management reporting process fits into the overall risk management framework.

[Diagram: Corporate Plan 2007-2010; Business Plan 2007-2008; Risk Policy; Risk Management Process; Risk Tools; Risk Management Reporting Framework; Risk Strategy 2007-2008.]

Risk management reporting is a key element of the "Monitor and Review" phase of the risk management process, and needs to occur at each step of the process. This risk management reporting process supports a formalised, structured and comprehensive approach by [...] to the monitoring and review of its risks, thereby enhancing its risk management process.

Risk Management Reporting Responsibilities

Group: Board
Responsibilities:
- Review reports
- Communicate risk information issues back to the organisation
- Identify new and emerging risks

Group: Audit and Risk Committee
Responsibilities:
- Review reports
- Communicate risk information issues back to the organisation
- Communicate key risk issues to the Board
- Identify new and emerging risks

Group: CEO
Responsibilities:
- Review reports
- Closely monitor extreme risks
- Identify new and emerging risks

Group: [...]
Responsibilities:
- Identify new and emerging risks

Risk Escalation

Risk escalation is an important tool for ensuring that risks are known and understood by the people with the authority to appropriately manage them. If a risk poses an extreme risk and requires allocation of substantial risk treatment resources, then it would not be appropriate for this to be managed at the divisional level. The Board has overall accountability for managing risks and therefore, where a risk poses such a high threat, the Board should be immediately informed of it.

Everyone has the ability to identify risks at any time of the year. When these risks are identified outside of the formal annual risk review process, escalation of the risk to the appropriate recipient needs to occur. The table set out below indicates the appropriate escalation process. The [...] will act as the conduit between the person who has identified the risk and the relevant escalation recipient. Therefore, if you identify a risk which requires escalation, please report it directly to the [...].

The [...] will assess and review the risk information provided to them and escalate the risk in line with the requirements set out in the table below.

Risk Level | Escalation Recipient | Timing
High | |
Significant | |
Medium | |
Low | |

Risk Reports and Recipients


Review and Approval

The Risk Management Reporting Framework and report templates will be reviewed annually by the [...] and approved at least every [...] by the [...].

Access to Risk Management Reporting Framework

The Risk Management Reporting Framework will be made available to each employee of [...].

The Risk Management Reporting Framework will be available as follows:

References

For further information on risk management, the following documents provide a comprehensive and practical overview:

AS/NZS ISO 31000:2009 - Risk management - Principles and guidelines
ISO Guide 73:2009 - Risk management - Vocabulary
IEC/ISO 31010:2009 - Risk management - Risk assessment techniques
HB 327:2010 - Communicating and consulting about risk
AS/NZS 5050:2010 - Business continuity - Managing disruption-related risk


Appendix: Risk Control, Likelihood and Consequence Ratings

The following were endorsed by the [...] in [...] for [...]. These will be subject to review in [...].

Control Effectiveness Rating Criteria

Rating | Definition | Indicators

Likelihood Rating Criteria

Rating | Descriptor | Frequency | Description

Consequence Rating Scale

Description | Rating

Consequence categories: Financial; Service Quality; Reputation; People & Knowledge; Stakeholders; Compliance