
First edition

WESTERN AUSTRALIAN GOVERNMENT

RISK MANAGEMENT GUIDELINES

Risk Management Guidelines

Acknowledgement
RiskCover has produced the Risk Management guidelines to assist the Western Australian State Government Agencies to implement their risk management programs.

First edition January 2007

Please direct all enquiries or comments on the contents of this document to:
Risk Management Services
RiskCover
Insurance Commission of WA
8th Floor, The Forrest Centre
221 St Georges Terrace
Perth Western Australia 6000
(08) 9264 3806
riskmanagement@icwa.wa.gov.au

RiskCover

www.riskcover.wa.gov.au

Table of Contents
1. Introduction .... 4
1.1 What Is Risk Management? .... 4
1.2 Why Manage Risk? .... 5
1.3 How Do We Manage Risk? .... 5
2. Communication and Consultation .... 6
3. Risk Management Process .... 9
3.1 Step 1: Establish The Context .... 9
3.1.1 Overall Agency Context .... 9
3.1.2 Specific Risk Assessment Context .... 13
3.1.3 Summary .... 15
3.2 Step 2: Risk Identification .... 16
3.2.1 What Is A Risk? .... 16
3.2.2 Categorisation of Risk .... 16
3.2.3 Summary .... 17
3.3 Step 3: Risk Assessment - Analysis & Evaluation .... 18
3.3.1 Existing Controls & Controls Assurance .... 18
3.3.2 Risk Analysis .... 19
3.3.3 Risk Evaluation .... 21
3.3.4 Risk Ownership & Risk Decision .... 22
3.3.5 Summary .... 23
3.4 Step 4: Risk Treatment .... 24
3.4.1 Identify, Evaluate and Select Treatment Options .... 24
3.4.2 Prepare & Implement Treatment Plans .... 25
3.4.3 Summary .... 26
4. Monitor and Review .... 27
4.1 Focus Areas .... 27
4.2 Risk Management Performance Measures .... 28
4.3 Roles and Responsibilities .... 29
5. Risk Management Implementation .... 30
Appendix I Glossary .... 32
Appendix II Sample Risk Management Policy .... 37
Appendix III Sample Risk Reference Tables .... 39
Appendix IV Sample Risk Register .... 42
Appendix V Sample Risk Management Implementation Strategy .... 44
Appendix VI Strategic Risk Management Framework .... 53
Appendix VII Risk Management Process Diagram .... 57

PREMIER'S CIRCULAR

Number: 2006/03
Issue Date: 08/05/2006
Review Date: 08/05/2008

Title: RISK MANAGEMENT AND BUSINESS CONTINUITY PLANNING

Policy
All public sector bodies must practise risk management, regularly undertake a structured risk assessment process to identify the risks facing organisations, be able to demonstrate the management of risks, and where appropriate, have continuity plans to ensure they can respond to and recover from any business disruption. Public sector bodies must submit details of their risk management policy, assessment processes and continuity plans to RiskCover in accordance with a schedule that will be provided by the Department of the Premier and Cabinet.

Background
Risk management has been a feature of the operation of the public sector for many years, with such requirements included in the Treasurer's Instructions. The Insurance Commission of Western Australia through its RiskCover Division has a mandate to manage and administer risk management arrangements on behalf of public authorities and to provide advice to the Government on matters relating to risk management. Planning for major risk events received special focus in the period leading up to 1 January 2000, with a great deal of planning and mitigation work undertaken to deal with potential Y2K issues. However, it is a matter of good corporate governance that risk assessment and continuity planning are subject to continual review at the highest levels of an organisation. In more recent times the threat of terrorism and the possibility of an influenza pandemic have given a new focus to this requirement.


The proclamation of the Emergency Management Act 2005 together with other State initiatives such as the Western Australian Management Plan for Pandemic Influenza, are parts of the process of ensuring that the public sector and the community are well prepared for emergencies of any kind. Many agencies will already have well developed risk management processes while others may be less well prepared. RiskCover will circulate a template of the information requirements that must be provided by all public sector bodies so that the Government can be certain agencies are well prepared for emergencies. RiskCover consultants will be available to guide and assist agencies to enable them to meet the requirements. Education and training in risk management principles and business continuity planning will also be available. Agencies will be advised in due course of the implementation timelines for them to meet the requirements.

Alan Carpenter MLA
Premier

For enquiries contact:
Don Williams
Manager, RiskCover Division
Insurance Commission of WA
9264 3400

Other relevant Circulars:
Circular/s replaced by this Circular:


1. Introduction
These guidelines have been produced by RiskCover to assist State Government agencies in developing and implementing effective Risk Management processes. They should be read in conjunction with the WA Government Business Continuity Guidelines, as the management of critical incidents and emergencies is just one aspect of an agency's overall approach to managing risk. The purpose of these guidelines is to provide an overview and explanation of the Risk Management process, to give some hints on applying the process, and to include sample documents for you to use. Please do not hesitate to contact RiskCover Risk Management Services on Tel: 9264 3806 or email riskmanagement@icwa.wa.gov.au should you require any further information or assistance in implementing Risk Management within your agency.

1.1 What is Risk Management?


The management of risk is an integral part of good management practice. There is a direct relationship between risk and opportunity in all business activities, and as such, an agency needs to be able to identify, measure and manage its risks in order to be able to capitalise on those opportunities and achieve its goals and objectives. A risk can be defined as any internal or external situation or event that has the potential to impact upon an agency, preventing the agency from successfully achieving its objectives, delivering its services, or carrying out its projects or events. Risk Management is simply the practice of systematically identifying and understanding these risks and the controls that are in place to manage them. Ultimately, the process gets you to a point of deciding whether, in the context of a particular strategy, activity or function, a risk is acceptable or requires further action.

The Risk Management process does not encourage managers to be risk averse. In fact, it is designed to provide managers with a degree of confidence to be able to manage risk to an acceptable level. The key element in managing risk is correctly balancing risk and reward. A culture which is risk averse will create inflexibility in the business and erect barriers to the achievement of the organisation's goals.

1.2 Why Manage Risk?


The primary reason for managing risk is to enable agencies to successfully achieve their goals. With the growing need for transparent decision-making, a structured, systematic risk management process demonstrates the due diligence that is required and provides an audit trail for decision making. A comprehensive understanding of the risk exposures facing an agency also facilitates effective planning and resource allocation, and encourages a proactive management culture, with flow-on benefits for every aspect of an agency's operation.

1.3 How Do We Manage Risk?


Risk management is most successful when it becomes fully integrated into normal operating procedures, processes and systems. Like all good management practices, it should be driven from the top down and be recognised as the responsibility of everyone. Senior Managers have a particular responsibility in demonstrating commitment to the implementation and use of the risk management process. These guidelines will take you through that process, which comprises the following steps:
1. Establish the context
2. Identification of the risks
3. Analysis and evaluation of the risks
4. Where necessary, treatment of the risks

In addition, there are two important concepts Communication and Consultation, and Monitor and Review that apply to every aspect of risk management. These are discussed at the beginning and end of the guidelines, respectively. Implementing risk management involves a new way of thinking and a new language. It is important to use precise, common terminology to ensure the effective communication and unambiguous description of the risks within your agency and across the whole of government. To assist with this, a Glossary of Terms is provided as Appendix I.

2. Communication and Consultation


Communication and consultation are essential elements of risk management. They are critical at every step to ensure all the participants understand, are involved in, and contribute to the process. The effectiveness of your Risk Management process depends upon, amongst other things, involving the right people at the right time.

Communication is the sharing of information and viewpoints. Effective communication has the following attributes:
- It is multi-directional. Information, ideas and perspectives are shared across functional areas, and senior management are receptive to the views of their subordinates.
- It involves information and opinions. Other people's perspectives are understood and acknowledged. Factual information is gathered from all relevant sources. No individual or department has a monopoly on the facts.
- It is interactive. Listening is as important as talking. Good communication involves the sharing of information, opinions and experiences.
- It is respectful. It focuses on ideas and information, not personalities. Communication is most effective in an environment where people are valued and their viewpoints are respected.
- It engages the participants, promoting their understanding and ownership of the outcomes.

Consultation is a process that uses communication to make effective decisions. Importantly, consultation is not an outcome or an end in itself; it is a means by which outcomes are achieved. Consultation gives stakeholders the opportunity to influence decisions. It is not joint decision making, but rather an effective way to receive useful input and ensure that all relevant viewpoints are taken into account in identifying and evaluating risks.


Communication and consultation are essential to the overall risk management process as well as to each individual step in that process. A well-structured approach to communication and consultation can provide the following benefits:
- Organisational coherence and a positive culture for risk management implementation
- Trust and understanding, resulting in better internal and external relationships
- The risk management process becomes tangible: people know what it is and how it works
- Integration of multiple perspectives
- Risk management embedded as an ongoing part of management and organisational practice

Each step of the Risk Management process relies on communication and consultation to achieve its purpose. For instance, in setting the context, consultation with internal and external stakeholders is essential to reach a thorough understanding of the operating environment and to define the purpose and scope of the exercise. In risk identification, a diversity of input can prevent important risks being overlooked and ensure that risks are accurately described. In the risk assessment process, communication and consultation allow all perspectives to be considered in arriving at a realistic level of risk. Risk treatment is more effective because treatment plans are better understood, and the monitor and review process depends upon effective communication to ensure risk information is in use and current.

Communication and consultation does not mean asking everybody their opinion about everything. When developing a strategy to implement a formal risk management process within your organisation, you may wish to consider the following in relation to communication and consultation requirements:
- Objectives: What are the specific aims and goals of involving different parties in the process?
- Participants: Who are the appropriate parties to be involved at each step of the process?
- Perspectives: What particular contribution or viewpoint is anticipated and required from each participant?


- Methods: How will consultation take place? It may not always be practical to get all the parties together in one place.

Hint: When agencies plan their communication and consultation for the risk management process, they frequently fail to adequately consider the needs and viewpoints of all stakeholders. Obviously, risk management involves the discussion of some matters that cannot be shared with external parties. However, if the needs and viewpoints of all stakeholders are not incorporated, the full benefit of risk management may not be realised.


3. Risk Management Process


3.1 Step 1: Establish the Context
There are two elements to this step:
1. setting the overall agency context, and
2. establishing the specific risk assessment context.

As part of setting the overall context, the organisation-wide framework within which risk management will take place is defined and the tools to measure and assess risks within that overall context are developed. The specific context then defines the framework of any specific risk assessment exercise within the agency.

3.1.1 Overall Agency Context


An agency's risk management program should be aligned to its strategic objectives and is most effective when it is integrated with the overall planning and management functions of the organisation. In developing a framework for managing risk, an agency needs to consider the following:
- Core purpose, vision, mission and values - why does it exist?
- Strategic direction, goals, required outcomes and deliverables. These may be defined by legislation, ministerial directive, charter, etc.
- Internal and external environments, often assessed using a SWOT analysis.
- Internal and external stakeholders - who are they, what are their needs and expectations?
- Organisational planning, reporting and management processes.

Based on the outcome of this analysis, an agency will then be in a position to define how risks are to be managed across the organisation, through the development of:
- A Risk Management Policy
- Risk Management Guidelines or Procedure, which clearly define how the Risk Management process is integrated into the planning, delivery, monitoring and reporting activities of an agency
- Risk Reference Tables, used in the evaluation of the risk and also of any existing controls. They also include a definition of the acceptance and reporting criteria for specific levels of risk.
- Risk Management Implementation Strategy: a plan of how the policy and guidelines are to be communicated and implemented.
- Risk Register Tool: an electronic tool to facilitate the recording, managing and reporting of risk information.

Section 5 of the guidelines discusses the implementation of the Risk Management process in more detail.

Risk Reference Tables


Risk Reference Tables are developed by an agency for the purpose of establishing guidance as to how risks are to be evaluated, assessed, measured, accepted and reported within an agency. As well as establishing a common language, the use of semi-quantitative measures removes some of the subjectivity of the assessment process and allows risks from any part of the Agency to be compared with any other, and hence prioritised. There are commonly four different tables used:
a. Consequence or Impact Table
b. Likelihood Table
c. Existing Controls Rating Table
d. Risk Acceptance Criteria Table.

Refer to the samples of risk reference tables in Appendix III. Note that these tables are examples only and need to be customised for each Agency to reflect their own organisational context and tolerance for risk.

a. Consequence or Impact Rating Table

Categories of Consequence
Consequence categories are based upon the individual Agency's criteria for measurement of success and should reflect the Agency's economic, social and, in some cases, environmental responsibility. The categories should include those key areas which, if impacted upon, would have a significant effect on the ability of the Agency to achieve its goals. In government, these impact areas are often defined as Financial, Injury, Service Interruption, Reputation and Image, KPIs or Key Objectives/Deliverables and, depending on the nature of the organisation, Environment.

Consequence Scale
Consequences are usually rated on a scale of 1 to 5, 1 being insignificant and 5 being catastrophic. This is generally referred to as the level of the consequence. For each of the consequence categories defined, an agency needs to develop criteria for each of the impact levels specified. Care must be taken to ensure that impact criteria relating to different categories (say Financial Loss and Reputation & Image) are equivalent at the same level of consequence, i.e. the definition of a Catastrophic Financial Loss needs to be equivalent in terms of priority to the definition of, say, a Catastrophic Reputation & Image impact.

Hints: Be aware, however, that when you apply these scales a Catastrophic Reputation and Image impact does not automatically mean it is a Catastrophic Financial Loss. When establishing the scale, avoid using subjective words such as "significant" when defining levels of consequence, as this will lead to ambiguity. Where possible use quantitative measures such as "A financial loss of $25,000 - $50,000".

b. Likelihood Rating Table
The other measure of risk is likelihood, and this is also commonly measured on a scale of 1 to 5, with 1 being very unlikely and 5 being almost certain. Likelihood can be considered in two aspects. In one sense, you can base the scale on how frequently a given consequence will (or is likely to) happen, e.g. more than twice per year, every year, every three years, etc. Alternatively, you can consider the probability of something happening in a defined forward timeframe, e.g. in the next five years a consequence is almost certain, probable, possible, etc. In either case, each level of the scale should be quantified.


Hint: The Consequence and Likelihood tables become part of your agency's common risk language and reflect the agency's level of risk tolerance.

Calculating the Level of Risk
Each risk is first analysed and evaluated in terms of the potential consequences resulting from a particular risk scenario. Then the consequence of this scenario, with the associated level of likelihood, is rated. Using 1 to 5 scales for Consequence and Likelihood results in a Level of Risk ranging from 1 to 25.

The level of a risk varies as you consider the context of how that risk is being managed. All risks will have an Inherent Level of Risk: this is defined as the level of risk with no formal controls in place, or the level of risk in the event of a breakdown of all controls. Some organisations choose to assess and document this level of risk prior to considering the effectiveness of existing controls. Having information available which relates to this inherent risk level means that, when considering the adequacy of controls, the inherent or worst-case scenario is known.

Once the existing controls have been documented and assessed for effectiveness, the Assessed Level of Risk can be evaluated. This is the Level of Risk with current controls in place. Should the Assessed Level of Risk be unacceptable, then additional controls or improvements to existing controls, in the form of Treatments, are put in place. In order to evaluate the cost benefit of these proposed actions, a Predicted Level of Risk is estimated. This is the predicted Level of Risk after the Treatment Plan has been implemented.

Finally, once a risk Treatment Plan has been implemented, the risk is once again evaluated and a Residual Level of Risk is calculated. This is the remaining level of risk exposure and should now be in a range that is acceptable to the Agency.

c. Existing Controls Rating Table
Hint: A Control is an established mechanism, procedure, process or practice that is used to manage a risk. It controls the risk by reducing its consequences, likelihood, or both. We say controls are in place when they are being actively applied or practised.


This table is used to rate the adequacy of existing controls that are currently applied to a particular risk. It is usually qualitative, e.g. Excellent, Adequate and Inadequate.

Hint: This is a reasonableness test. Is the agency doing what is reasonable in the circumstances to reduce the likelihood and/or consequences of this risk? There may be several controls, each of which goes some way towards reducing the risk. What we are rating is the adequacy of those combined measures.

d. Risk Acceptance Criteria Table
This table defines the agency's risk tolerance, or risk appetite, and gives guidance as to the acceptability of risk. For a given level of risk, the table defines how that risk is perceived (e.g. low, moderate, high, or extreme) and may specify the level of controls rating that is necessary to accept the risk. The criteria often define how risks are to be reported and reviewed, and who is the acceptance decision-maker. An example is shown in Appendix III.

Hint: Once the tables are established, run through a couple of examples. Do they make sense? How do the examples fit with your instincts and past experience?

3.1.2 Specific Risk Assessment Context


Once the overall agency context is established, the requirements for a specific risk assessment exercise can be defined. For instance, you may be embarking on a new strategic planning cycle and wish to integrate the identification, assessment and management of risks as part of your strategic planning function. For each individual risk assessment exercise, it is important to:
- Set the parameters: what is the specific subject of the assessment?
- Identify the essential stakeholders who need to be involved in the assessment
- Ensure all workshop participants are clear about the purpose of the assessment


The specific risk assessment context can be categorised as Strategic, Operational, or Project:

Strategic Level
Strategic risks concern the whole of the agency. They are the risks associated with long-term organisational objectives and the means by which those objectives will be achieved. Strategic risk assessment is normally conducted at a Board or Executive level and is most effective when integrated with the strategic planning process.

Operational Level
Operational risks are associated with the development and implementation of operational plans. They are the risks associated with your normal business functions. Operational risks should be assessed by the parties familiar with the particular function or service with which the risks are associated.

Project Level
Project risks are associated with specific projects or discrete undertakings. Any project will go through a life cycle, for example, conception to planning, scoping, contracting, design, construction, testing/commissioning, hand-over and operation. Project risks exist at every stage, and they need to be identified and managed to ensure the successful completion of the project.

Once the context for a particular risk assessment has been specified, and the particular strategy, activity or project defined, the next step is to identify the critical success factors (CSF) and key dependencies associated with it. A CSF is defined as any essential resource, expertise, input, or other factor which is critical to the success of that particular strategy or activity. A key dependency is a relationship with or reliance upon another person, section or organisation whose input is vital to a successful outcome. These success factors and dependencies become the basis to identify risk: anything that has a negative impact upon them constitutes a risk to the desired outcomes.


3.1.3 Summary
Step 1 of the risk management process is establishing the context, both for the agency as a whole and for each specific risk assessment exercise or workshop. Starting with the overall agency context, the scope and framework of risk management is defined by clearly identifying the nature, purpose, and activities of the organisation. Next, Risk Management policies and procedures are established, and specific roles are assigned. Then a set of tools, known collectively as the risk reference tables, is developed to measure and evaluate risks and controls. These tables establish a common language to manage risk and define your agency's risk tolerance. Once the overall agency context is established, the framework for area-specific risk assessments can be developed. Key strategies, activities or functions are defined, as are the associated critical success factors and dependencies.


3.2 Step 2: Risk Identification


3.2.1 What is a Risk?
AS/NZS 4360 defines risk as the chance of something happening that will have an impact on objectives. It is measured in terms of consequence and likelihood. To ensure that all key risks within an organisation are being addressed, a structured, systematic approach to identifying risks is essential. The identification process considers each strategy, activity or function, as defined by the context set in Step 1, looks at what is critical to the success of that strategy, activity or function, and then considers what may go wrong. This is defined as the risk. For example, looking at a part of an operation that provides a consulting service, one could identify a risk as follows:

Key Activities: Providing advice to clients
Critical Success Factors: Accuracy of information
Risks: Incomplete or inaccurate information provided to clients

Hint: Do not confuse risks with consequences. Injuries, Financial Loss and Reputation Damage are not risks but consequences of a risk, i.e. if your risk were to eventuate, it could result in injuries, financial loss and/or reputation damage.

For each risk, you should identify possible causes of the risk event. Each risk may have one or more causal factors which can either directly or indirectly contribute to the risk event occurring. Identifying the range of causes will help you to better understand the risk, evaluate the adequacy of existing controls and design effective risk treatments.

3.2.2 Categorisation of Risk


a. Source of Risk
A useful approach to help identify any common causes of risks across different areas of an organisation is to categorise the risks by source of risk. This facilitates the reporting and management of those systemic issues, allowing common causes to be managed with agency-wide controls or treatments rather than at an area or department level.


Hint: Appropriate and useful risk categories should be determined by each agency as part of setting the organisational context. These are often linked to the categories of an agency's quality framework. Examples of categories are:
- Financial
- Information Management
- Health, Safety & Environment
- Leadership/Governance/Legal
- Planning
- Services/Production
- Human Resources

b. Impact Range
Another way to categorise risks is by Impact Range. The Impact Range is a classification hierarchy which indicates how wide the consequences of the risk will reach, within the agency and beyond.

Hint: If the risk were to eventuate, ask yourself "How wide an impact could it have?" Could the risk impact a specific division/department, the whole agency, or even the whole of the State?

Common Impact Range descriptors include:
- State-wide
- Agency-wide
- Metro-wide
- Directorate-wide
- Division-wide

3.2.3 Summary
Step 2 is about identifying your risks in a systematic fashion and categorising them so you can manage them more efficiently. The causes of risks need to be identified, so that existing controls can be appropriately evaluated. Evaluating the impact range also enhances understanding of a risk and how best to manage it.


3.3 Step 3: Risk Assessment - Analysis & Evaluation


In general, agencies already have a broad range of public sector procedures and systems in place that act as risk controls. As a result, the assessment process used by most State Government agencies takes into account the effectiveness of these existing controls. Therefore, in this context, risk assessment involves:
- Identifying and evaluating any existing controls
- Analysing the risk in terms of Consequences and Likelihood
- Evaluating the level of risk against pre-defined acceptance criteria.

3.3.1 Existing Controls & Controls Assurance


Controls are the measures that are currently in place, i.e. at the time of the risk assessment, that reduce the likelihood and/or consequences of the risk.

Hint: It is useful to cross-reference your controls with the identified causes. Are there controls in place for each potential cause of a risk?

The adequacy of the controls is assessed on a common sense, qualitative basis. This can be viewed as a reasonableness test: are you doing what is reasonable under the circumstances to prevent or minimise the impacts of the risk? The recommended rating scale is as follows:
Excellent - Doing more than what is reasonable under the circumstances.
Adequate - Doing what is reasonable under the circumstances.
Inadequate - Not doing some or all of the things that would be reasonable under the circumstances.

While it is relatively easy to identify and rate controls in a workshop environment, this does not necessarily ensure those controls are effective and being used in reality. It is essential to have a Controls Assurance process as a means to confirm their existence and effectiveness, and in doing so, consideration should be given to factors such as:
- Is the Control relevant?
- Is the Control documented?
- Is the Control in use?
- Is the Control up to date?
- Is the Control effective?


If an existing control is identified as being ineffective, then the necessary improvements should be incorporated into a Treatment Action Plan. The review and sign off of existing controls is an integral part of the management of the risk; responsibility needs to be assigned to ensure there is accountability for and ownership of this important aspect of the risk management process.

3.3.2 Risk Analysis


This is the process of considering the consequences and likelihood of a particular risk scenario to determine the Level of Risk, using the Risk Reference Tables developed as part of setting the organisational context. Refer to Appendix III for sample Risk Reference Tables.

Consequence Rating
A risk that eventuates may impact an agency across a number of different areas, to a greater or lesser extent. When analysing the consequences of a risk event, an Agency needs to consider the level of impact (1 to 5) in relation to each of the consequence categories defined in the Consequence Table. For example, a risk may have an impact of 5 for Financial Loss and 4 for Reputation and Image and little or no impact in the other areas. Both ratings may be recorded, but the overall level of risk calculation is based on the highest value, which in this case is a 5. Hint: Only select the Consequence Categories that are relevant to that risk. You do not have to rate every Consequence Category for each risk. Some consequences will not be applicable to a specific risk.

Likelihood Rating
This describes how likely it is that a risk will eventuate with the defined consequences. Likelihood can be defined in terms of probability or frequency, depending on what is most convenient for the agency's purposes.

Hint: When you are rating the likelihood of a risk, ask yourself "How likely (Likelihood Rating) is it for this risk (Risk) to occur, given the existing controls (Controls), to this extent or with this type and level of impact (Consequence Category/Rating)?"

Past experience is an important guide to likelihood, but do not fall into the trap of thinking it is the only guide. There may be internal or external factors that may increase or decrease the likelihood of such an event occurring in the future.

Calculating the Level of Risk


The Level of Risk, or Risk Rating, is calculated by multiplying the Consequence and Likelihood ratings. For any risk, there may be a number of different likelihood/consequence scenarios across the different risk categories and within each category, ranging from likely but not serious to less likely but more serious. It is important to rate the realistic worst-case scenario, which is the worst-case level of risk considering both consequences and likelihood. In some cases, you may consider the same Consequence Category more than once for the same risk, in order to calculate the real worst-case scenario. Where there are multiple ratings for a risk, the highest combination of Consequence/Likelihood is taken as the final rating.

In the example below, the assessor has considered two different scenarios in relation to Injuries; one with a potential catastrophic impact and the other a moderate impact. However, because of the difference in likelihood of these two scenarios, the highest level of risk (9 in this example) relates to the moderate impact/moderate likelihood scenario, and as such determines the ranking for this risk.

Consequence Category | Consequence Rating | Likelihood Rating | Level | Explanation
Injuries | 5 | 1 | 5 | Multiple deaths very rarely happen.
Injuries | 3 | 3 | 9 | Injuries only requiring medical attention are more common.
Service Interruption | 4 | | | Unlikely that services could be interrupted for more than three weeks.

Hint: When dealing with risks that result in a Service Interruption, the agency may need to formulate a Business Continuity Plan (BCP) to address the issue should the risk eventuate. If you do identify a risk that will interrupt your services, you should determine what would be a maximum acceptable outage. That is, how long can you afford to have that service interrupted before the consequences become unacceptable? The BCP is a risk treatment to facilitate the provision of critical services in a less than perfect operating environment until operations can be restored to normal.

3.3.3 Risk Evaluation


Once the Level of Risk has been determined, the next step is to evaluate the risk and see where the risk fits against the agency's overall risk criteria. An example Risk Acceptance Criteria Table is shown below. The table gives guidance as to the acceptability of the risk and the level of sign-off required.

Level of Risk | Criteria for Management of Risk | Who is responsible
1-3 | Acceptable - With adequate controls. | Operational Manager
4-5 | Monitor - With adequate controls. | Operational Manager
6-9 | Management Control Required - With adequate controls. | Operational Manager
10-14 | Urgent Management Attention - Only acceptable with excellent controls. | Chief Executive Officer
15-25 | Unacceptable - Only acceptable with excellent controls. | Chairman of the Board
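The Level of Risk calculation (Section 3.3.2) and the evaluation against the sample Risk Acceptance Criteria Table (Section 3.3.3), carried through in code as an added illustration; this is not a RiskCover tool, and the scenario data is constructed from the worked Injuries example above.

```python
"""Level of Risk and Risk Evaluation, following Section 3.3 of the guidelines:
the realistic worst case is the highest Consequence x Likelihood across the
scenarios rated for a risk, and the result is looked up in the sample Risk
Acceptance Criteria Table. Added illustration, not RiskCover's own tool."""
from dataclasses import dataclass

# Sample Risk Acceptance Criteria Table (Section 3.3.3):
# (lowest level, highest level, criteria, minimum controls rating, who is responsible)
ACCEPTANCE_CRITERIA = [
    (1, 3, "Acceptable", "Adequate", "Operational Manager"),
    (4, 5, "Monitor", "Adequate", "Operational Manager"),
    (6, 9, "Management Control Required", "Adequate", "Operational Manager"),
    (10, 14, "Urgent Management Attention", "Excellent", "Chief Executive Officer"),
    (15, 25, "Unacceptable", "Excellent", "Chairman of the Board"),
]

# Controls rating scale (Section 3.3.1), ordered so that ratings can be compared.
CONTROL_RANK = {"Inadequate": 0, "Adequate": 1, "Excellent": 2}


@dataclass(frozen=True)
class Scenario:
    """One Consequence Category / Likelihood scenario rated for a risk."""
    category: str
    consequence: int  # 1 (Insignificant) to 5 (Catastrophic)
    likelihood: int   # 1 (Rare) to 5 (Almost certain)
    explanation: str = ""

    def __post_init__(self):
        # Ratings outside the 1 to 5 scale cannot be multiplied meaningfully.
        for name in ("consequence", "likelihood"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} rating must be 1 to 5, got {value}")

    def level(self) -> int:
        """Level of Risk for this scenario: Consequence x Likelihood."""
        return self.consequence * self.likelihood


def worst_case(scenarios):
    """Return the scenario that sets the risk's final rating.

    Several scenarios may be recorded for one risk, even within the same
    Consequence Category; the highest Consequence/Likelihood combination
    is the realistic worst case and determines the ranking.
    """
    if not scenarios:
        raise ValueError("at least one scenario is required to rate a risk")
    return max(scenarios, key=lambda s: s.level())


def level_of_risk(scenarios) -> int:
    """Final Level of Risk for the risk: the worst-case scenario's level."""
    return worst_case(scenarios).level()


def evaluate(level: int, controls_rating: str) -> dict:
    """Look the Level of Risk up in the Risk Acceptance Criteria Table.

    'meets_controls_criteria' is True when the existing controls rating is at
    least the rating the table requires for that band (Adequate for 1-9,
    Excellent for 10-25).
    """
    if controls_rating not in CONTROL_RANK:
        raise ValueError(f"unknown controls rating: {controls_rating!r}")
    for low, high, criteria, required, responsible in ACCEPTANCE_CRITERIA:
        if low <= level <= high:
            return {
                "level": level,
                "criteria": criteria,
                "required_controls": required,
                "meets_controls_criteria":
                    CONTROL_RANK[controls_rating] >= CONTROL_RANK[required],
                "responsible": responsible,
            }
    raise ValueError(f"level of risk {level} is outside the 1-25 scale")


# Constructed from the worked example in 'Calculating the Level of Risk':
# two Injuries scenarios for the same risk, with different likelihoods.
EXAMPLE_SCENARIOS = [
    Scenario("Injuries", 5, 1, "Multiple deaths very rarely happen."),
    Scenario("Injuries", 3, 3,
             "Injuries only requiring medical attention are more common."),
]

if __name__ == "__main__":
    worst = worst_case(EXAMPLE_SCENARIOS)
    result = evaluate(worst.level(), "Adequate")
    print(f"Worst case: {worst.category}, consequence {worst.consequence}, "
          f"likelihood {worst.likelihood}, level {worst.level()}")
    print(f"Evaluation: {result['criteria']} - sign-off by {result['responsible']}")
```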

3.3.4 Risk Ownership & Risk Decision


Each risk that is identified needs to be allocated a Risk Owner. This is the person responsible for managing the risk, and is usually the person who is directly responsible for the strategy, activity or function that relates to the risk. Some of the key responsibilities of the Risk Owner include:
- Sign-off on acceptance of the risk
- Responsibility for the regular review of the risk
- Responsibility for the regular reporting on the risk
- Monitoring of controls
- Implementation of any risk treatments

Assigning risk ownership ensures a specific person is responsible and accountable for a particular risk. It is usually impractical and ineffective for risk ownership to be assigned to a body, such as a business unit or committee.

Once a risk has been analysed and evaluated, the Risk Owner makes an informed decision to do one of the following:
- Accept the risk - the reward outweighs the risk and the existing controls meet the criteria specified in the Risk Acceptance Criteria Table
- Avoid the risk - do not carry on with the activity that is associated with the risk
- Treat the risk - reduce either the likelihood, the consequence or both by improving existing controls or adding new controls, so that the risk can be accepted

The risk decision balances the issues of risk and reward. Should an opportunity be passed over because of the risks associated with it? Should more be done to manage the risk so as not to miss out on the opportunity? These are questions that the agency will need to address. An organisation cannot progress or improve without capitalising on opportunities, and opportunities will always have associated risks. The risk management process allows you to optimise these decisions and demonstrate you are effectively managing the risks.

Hint: In some circumstances, it may be necessary for an agency to accept a high level of risk. What is important is to ensure that the agency, for its own part, is doing all things reasonable to manage the risk.

3.3.5 Summary
In this step, we have assigned values (risk ratings) to individual risks and made decisions based on those ratings. We started by evaluating existing controls and subjecting them to an assurance process. Then, taking those controls into account, rankings were assigned to each risk for consequences, likelihood and level of risk, based on the measures established in Step 1. The rated risks are then evaluated against the risk acceptance criteria to determine how to manage the risk. There are three basic choices: accept the risk as is, accept the risk after treatment, or do not accept the risk. Finally, we discussed the importance of risk ownership to ensure that the risk is monitored and the controls remain in place.

3.4 Step 4: Risk Treatment


In the previous step, risks were assessed and decisions were made to accept them or not. In practical terms, risk avoidance, i.e. ceasing the activity that creates the risk, is rarely a practical option. Agencies normally have their activities defined by a higher authority, and if there are risks associated with those activities, a way must be found to manage them. In some cases, existing controls will be deemed to be adequate and effective, and the risk will be accepted as it stands. In other instances, the risk will need to be more effectively managed before it can be accepted. This latter case requires the formulation of risk treatments. Risk treatment involves identifying a range of options to reduce the consequences and/or likelihood of a risk, or improve the controls rating, evaluating those options, preparing treatment plans, and implementing them.

3.4.1 Identify, Evaluate and Select Treatment Options


Each unacceptable risk will have a number of treatments. Other than the option of avoiding the risk entirely, treatment options will do one or all of the following:
- Reduce the likelihood of the risk eventuating
- Reduce the consequences of the risk if it eventuates
- Improve the controls rating to Adequate or Excellent

Hint: You may see alternative treatment options in other texts, such as "transfer the risk" and "share the risk". However, the treatment resulting from transferring or sharing the risk will fit in the above categories: they reduce consequences and/or likelihood.

It is not always possible or cost effective to treat all risks associated with a particular service or activity. Many government agencies are suppliers of last resort, and therefore some risks categorised as unacceptable may have to be accepted as long as the agency is doing all that is reasonable to control the risks. This situation places increased importance on controls assurance and the monitor and review process.

Managing risk is about doing all things reasonable, not all things possible.

To evaluate the treatment options, a number of selection criteria can be applied:

How will the treatment impact the Level of Risk? - For each treatment option, a predicted level of risk should be calculated considering the impact of adding this option as a new control. Treatment options that reduce the level of risk to an acceptable level should be considered.

Cost of implementation versus benefits derived - Selecting appropriate options involves balancing the cost against the benefits derived. An option may appear to be the best option from a risk reduction perspective, but the cost of implementation may be prohibitive.

Compatibility with the agency's objectives - The options selected need to be compatible with the overall objectives of the agency. Treatments that are incompatible with existing objectives, culture, or policies are obviously unacceptable, no matter how effective they might prove.

3.4.2 Prepare & Implement Treatment Plans


The purpose of the treatment action plans is to document how the chosen options will be implemented. These plans should include the following:
- Proposed actions - What is the selected treatment?
- Resource requirements - What is required to implement the treatment?
- Responsibilities - Who has responsibility to implement the treatment, i.e. the Treatment Owner?
- Timing - What are the timeframes for treatment implementation?
- Performance measures - What are the key indicators that will demonstrate the progress of implementation and ultimately the effectiveness of the treatment option?
- Reporting and monitoring requirements - Who needs to be informed during and at completion of the implementation of the treatment? How will the implementation be monitored?

A treatment becomes a control only when it has been 100% implemented and signed off by the Treatment Owner. It is then subject to controls assurance and the regular monitoring and review process. Following the implementation of the treatment options, the level of risk needs to be re-evaluated to determine if the treatment brings the risk to an acceptable level for the agency. If not, further treatment options may need to be selected.

3.4.3 Summary
Formulating and implementing Treatment Action Plans is the final step in the risk management process, but it is only the beginning of fully integrating risk management into your agency. If the process stops once it becomes a set of documents, it will generate minimal benefit, and the time you spent on Steps 1 to 4 will be wasted. The next section of these guidelines addresses Monitor and Review. These are the ongoing processes that ensure risk management is maintained as a fully integrated part of managing your agency.

4. Monitor and Review


As with communication and consultation, monitoring and review is an ongoing part of risk management that is integral to every step of the process. It is also the part of risk management that is most often given inadequate focus, and as a result the risk management programs of many agencies become irrelevant and ineffective over time. Monitoring and review ensures that the important information generated by the risk management process is captured, used, and maintained.

Monitoring and review are related processes, but the distinctions between them are important in the context of risk management:
- Monitoring is an ongoing process of routine surveillance of both internal and external environments.
- Review is a more periodic process that looks at the current status or situation, and usually has a specific focus.

Monitoring and review should be designed to detect both gradual and sudden change. Continuous monitoring is most likely to detect a dramatic change in a timely fashion, whereas periodic review of a particular aspect of the risk process is more oriented towards detecting trends and incremental change.

4.1 Focus Areas


Monitor and Review procedures are focused on two principal areas of risk management. The first area relates to issues specific to a particular risk assessment, which would cover the following:
- Context - the risk assessment context, which was established from a number of facts and deductions. For instance, the operational environment, agency structure, stakeholder expectations, statutory requirements, economic conditions and political environment are all based on perceptions at the time. The monitoring and review process should detect if any of these underlying assumptions have changed, or if new factors have emerged that impact upon the context of the particular risk assessment.

- Risks & Controls - numerous factors can cause the likelihood and consequences of risks, or the actual nature of the risks themselves, to change. The controls for risks can also become less effective or irrelevant. Monitoring by the risk owner and others will ensure the timely detection of these changes so that appropriate action can be taken.
- Treatments - risk treatments need to be monitored and reviewed to ensure they are fully and correctly implemented. In some cases, treatments need to be adapted or strengthened because the risk they are designed to address has changed; in other instances, resources can be saved by discontinuing irrelevant treatments.

The second area for monitor and review is the application of the risk management process across the entire agency, with specific attention to the following:
- Consistent application of the Risk Management process across the agency
- Incorporation of the Risk Management process into Strategic, Operational and Project/Event planning
- Adoption of risk management practices and procedures by staff at all levels

4.2 Risk Management Performance Measures


To be able to effectively monitor and review the management of risk within an Agency, appropriate performance indicators (PIs) need to be developed. These may be outcome based or process based.

Outcome based PIs, by their nature, lag the event. That is, the measurement is generated some time after the event that caused it. For instance, a report on claim costs would not be available until quite some time after the incident that gave rise to the claim. However, outcome PIs tend to be relatively accurate and sensitive, so they are often more appropriate for measuring gradual change.

Process PIs measure activities and processes as they occur and thus provide more timely, if less precise, information about changes. For instance, an overtime report could provide an indication that staff are overextended or the agency is under-resourced. Process PIs generally do not provide precise information about the nature of the problem, but the information is timely.

4.3 Roles and Responsibilities


The monitoring and review of an Agency's risks is an integral part of all core business functions, and it should be seen and treated as such. The monitoring and review of the specific risk contexts, actual risks, controls and treatments is primarily the responsibility of Risk and Treatment Owners and should be integrated into the existing reporting lines and forums of the agency. The monitoring and review of the application of the Agency's risk management policy and procedures should be integrated into the role of Senior Management, who should then ensure that the process is effective in delivering the desired outcomes. Internal and External Audit may also play an important part in verifying application of the risk management process. Risk management should be fully incorporated into the operational and management processes at every level of the organisation.

A final comment with regard to monitoring and review is the important role it plays in good corporate governance. All government agencies face increasing requirements for sound and transparent decision making and prudent allocation of resources. The monitoring and review process is pivotal in fulfilling these requirements. A structured Risk Management process provides a means for senior executives and directors to stay informed about the risks associated with their agency's activities and to ensure appropriate measures are in place to address those risks. It contributes transparency and objectivity to decision making, and it provides an audit trail to demonstrate how those accountable officers have fulfilled their obligations to provide good governance.

5. Risk Management Implementation


The key steps in implementing a Risk Management process within an agency are summarised below.

1. Support of Senior Management


This involves the development of an organisational risk management philosophy and awareness of risk at senior levels and includes the nomination of an executive Sponsor who will act as a champion of the process, and a Risk Management co-ordinator who will assist the sponsor by facilitating the process.

2. Development of the Risk Management Framework


The risk management framework defines the context for managing risk within an agency, as discussed in Step 1. It includes:
- Risk Management Policy - Develop a Risk Management Policy. Refer to Appendix II for a sample Policy document.
- Risk Reference Tables - Refer to Appendix III for sample Risk Reference Tables.
- Risk Register Tool - Agencies need to determine how to capture and report on the risk information captured through this process. Refer to the RiskCover website www.riskcover.wa.gov.au for the latest information regarding the RiskBase RM Database Tool.

3. Communication / Education

A program of staff education and communication needs to be developed which includes:
- dissemination of the policy and procedures
- raising awareness about managing risks
- delivering education sessions on the specifics of the process
- a performance management process
- a process for recognition, rewards and sanctions.

4. Managing Risks at the Strategic Level


The next step in the implementation is to develop the program to identify, assess, treat, monitor and report on strategic risks as an integrated part of the strategic management process. Appendix VI shows a sample Strategic Risk Management Framework.

5. Managing Risks at the Business Unit Level


Develop the program to identify, assess, treat, monitor and report on operational or project risks as an integrated part of the existing business unit management process. This may run concurrently with the strategic risk management program.

6. Monitor and Review


- Develop Indicators to measure the performance of the risk management process.
- Risk Reporting - establish the process for Business Units to report on their risks and progress of treatments. Link incident and accident reporting mechanisms to the risk management process.
- Risk Auditing - develop links to the internal audit process to ensure that the Risk Management process is efficient and effective in meeting the objectives set out in the policy and that key organisational risks are being managed.

For more information, please refer to the sample Implementation Strategy shown in Appendix V.

Appendix I Glossary
Business Continuity Management (BCM)
A process that allows an organisation to recover from an event that significantly disrupts its activities. BCM focuses on three post-event phases: Disaster Recovery, Business Continuity (of essential functions), and Full Recovery.

Business Continuity Plan (BCP)


The principal output of the BCM process. A BCP is, in effect, a treatment plan for certain risks, the consequences of which could disrupt core functions.

Cause (or Trigger)


The factors, either root or contributory, that may give rise to a risk event. A risk can have multiple causes.

Consequence
The impact or outcome of a risk eventuating. A risk can have multiple consequences.

Consequence Categories
These are key impact areas, which if affected as a result of a particular risk event, could have a significant impact on the ability of an Agency to deliver its outcomes. Consequence Categories are agency specific, and should reflect the Agencys economic, social and environmental responsibilities.

Control
A procedure, system, activity or process that reduces the likelihood and/or consequences of a risk. A risk may have more than one control, and a control may address more than one risk.


Controls Rating
A qualitative, common-sense measure of the adequacy of controls in addressing a risk.

Controls Assurance
The process whereby Control Ratings are verified through a series of questions regarding their relevance and effectiveness.

Critical Success Factor (CSF)


A factor which is essential for the successful performance of a Key Activity.

Impact Range
A measurement of how widespread the consequences of a risk may be. This measurement can assist in the assessment of controls and the formulation of treatments.

Implementation Plan
A plan created to establish how the Risk Management process is to be implemented into an organisation.

Key Activity
Any high level activity or function that is instrumental in an agency delivering required outcomes or performing its mission.

Key Dependency
Relationship with or reliance upon another party essential to delivering outcomes or services. Key dependencies can be within the agency or external.

Likelihood
A measure of how likely it is that a certain consequence will eventuate, ranging from very unlikely to almost certain.


Monitor
An ongoing process of surveillance of the internal and external environments to ensure that risks continue to be effectively and appropriately managed.

Operational (Context)
Deals with Operational Risks: those risks associated with normal, ongoing operations and activities.

Performance Indicators (PIs)


Clear, simple measures of performance over time used in the Monitor and Review process. PIs can measure either processes or outcomes.

Project (Context)
Deals with Project Risks: those risks associated with defined projects and other discrete undertakings.

Review
Periodic assessment of a specific aspect of the Risk Management process or a particular group of risks to determine if there have been gradual changes over time.

Risk (or Risk Event)


(from AS/NZS 4360) The chance of something happening that will have an impact on objectives.

Risk Acceptance Criteria


Agency specific standards formulated in Step 1 that delineate under what conditions risks of a certain level can be accepted. The higher the risk rating, the higher the standard of controls, monitoring, and ownership required.

Risk Assessment
Step 3 of the Risk Management Process, which involves assigning values (Risk Ratings) to individual risks and deciding how to manage them.


Risk Analysis
A process that assigns a Risk Rating to each risk by evaluating the effectiveness of existing controls and assigning values for Likelihood and Consequences for various scenarios.

Risk Evaluation
A decision making process which evaluates the Risk Rating against the Risk Assessment Criteria.

Risk Categories
Categorisation of risks within the agency by type, often based on source of risk. This helps identify common risks in different functional areas.

Risk Decision
The decision made after Risk Evaluation, balancing risk and reward.

Risk Identification
Step 2 of the Risk Management Process, which uses Critical Success Factors and Key Dependencies to identify risks.

Risk Management
The practice of systematically identifying, understanding, and managing the risks encountered by an organisation.

Risk Management Process


The process of implementing, maintaining and embedding Risk Management in an organisation, as set out in these guidelines. The process consists of four sequential steps plus the overarching processes of Communication & Consultation and Monitor & Review.

Risk Owner
The person specifically assigned in Step 3 to manage the risk, including monitoring the risk, its controls and any treatments that are implemented.


Risk Rating (or Level of Risk)


The value assigned to the risk which represents the product of Consequences and Likelihood.

Risk Reference Tables


Collective term for the various risk measurement and evaluation tools formulated in Step 1.

Risk Tolerance (or Risk Appetite)


The degree that an organization is willing to accept risk in order to achieve its objectives. Risk tolerance is a product of mission, culture, policy, and other factors that determine what an agency is and how it goes about its business.

Strategic (Context)
Deals with Strategic Risks: risks which concern the whole agency and are associated with long term organizational objectives. Strategic risk management is most effective when conducted as an integral part of the strategic planning process.

Treatment
A measure that is designed and implemented to further reduce the consequences and/or likelihood of a risk. Once a treatment is fully implemented and effective (in place), it becomes a Control.

Treatment Action Plan (TAP)


The plan formulated for the selected treatments in Step 4 to ensure they are fully and properly implemented. TAPs should identify owners, participants, resources, schedule, and PIs.


Appendix II Sample Risk Management Policy


SAMPLE: AGENCY NAME Risk Management Policy
It is the Policy of the Agency to achieve Best Practice in the management of all risks that threaten to adversely impact the Agency, its customers, people, assets, functions, objectives, operations or members of the public.

Risk Management will form part of strategic, operational and line management responsibilities and be integrated into the Strategic and Business Planning processes. In respect of a special risk, responsibility may be assigned to a nominated officer of the Agency, or a Committee Chairman, as determined by the need.

There will be an Executive Risk Management Committee to determine and communicate Policy, Objectives, Procedures and Guidelines and to direct and monitor implementation, practice and performance throughout the Agency.

Performance will be measured by: implementation and documentation of risk management, identification of risks and successful treatment in accordance with procedures and guidelines, mitigation and control of any losses, reduction in the costs of risks, and achievement of Best Practice.

Consultants may be retained from time to time to advise and assist in the risk management process, or management of specific risks or categories of risk.

Every employee of the Agency is recognised as having a role in risk management, from vigilance in the identification of risks through to their treatment, and shall be invited and encouraged to participate in that process.

Objectives
- To ensure Risk Management is adopted throughout the Agency as a prudent management practice.
- To ensure that all employees are made aware of the need to manage risk and to promote a culture of participation in that process.
- To protect the Agency from adverse incidents, to reduce its exposures to loss and to mitigate and control loss should it occur.
- To ensure the ongoing, unimpeded capacity of the Agency to fulfil its mission, perform its key functions, meet its objectives and serve its customers.
- To reduce the costs of risk to both the Agency and the Western Australian State Government.
- To adhere to Australian Risk Management Standards and comply with Treasurer's Instruction TI825.

Appendix III Sample Risk Reference Tables

SAMPLE: AGENCY NAME

Qualitative Measures Of Consequence Or Impact

Level 1 - Insignificant
  Injuries: No injuries.
  Interruption To Services: Less than 1 hour.
  Financial Loss: Less than $50,000, or .025% of Operational Budget.
  Reputation & Image: Unsubstantiated, low impact, low profile or no news item.
  Operational Efficiency: Little impact.
  Performance: Up to 5% Variation in KPI or objective.

Level 2 - Minor
  Injuries: First aid treatment.
  Interruption To Services: 1 hour to 1 day.
  Financial Loss: $50,000 to $250,000, or .15% of Operational Budget.
  Reputation & Image: Substantiated, low impact, low news profile.
  Operational Efficiency: Inconvenient delays.
  Performance: 5% to 10% Variation in KPI or objective.

Level 3 - Moderate
  Injuries: Medical treatment required.
  Interruption To Services: 1 day to 1 week.
  Financial Loss: $250,000 to $3 million, or 2% of Operational Budget.
  Reputation & Image: Substantiated, public embarrassment, moderate impact, moderate news profile.
  Operational Efficiency: Delays in major deliverables.
  Performance: 10% to 25% Variation in KPI or objective.

Level 4 - Major
  Injuries: Death or extensive injuries.
  Interruption To Services: 1 week to 1 month.
  Financial Loss: $3 million to $10 million, or 6% of Operational Budget.
  Reputation & Image: Substantiated, public embarrassment, high impact, high news profile, Third Party actions.
  Operational Efficiency: Non-achievement of major deliverables.
  Performance: 25% to 50% Variation in KPI or objective.

Level 5 - Catastrophic
  Injuries: Multiple deaths or severe permanent disablements.
  Interruption To Services: More than 1 month.
  Financial Loss: More than $10 million, or more than 6% of Operational Budget.
  Reputation & Image: Substantiated, public embarrassment, very high multiple impacts, high widespread multiple news profile, Third Party actions.
  Operational Efficiency: Non-achievement of major key objectives.
  Performance: More than 50% Variation in KPI or objective.

Qualitative Measures of Likelihood

Level | Descriptor | Example Detail Description | Frequency
1 | Rare | The event may occur only in exceptional circumstances. | Less than once in 10 years
2 | Unlikely | The event could occur at some time. | At least once in 10 years
3 | Moderate | The event should occur at some time. | At least once in 5 years
4 | Likely | The event will probably occur in most circumstances. | At least once per year
5 | Almost certain | The event is expected to occur in most circumstances. | More than once per year

Existing Controls

Descriptor | Level | Foreseeable Example Detail Description
Excellent | More than what a reasonable person would be expected to do in the circumstances. | Controls fully in place and require only ongoing maintenance and monitoring. Protection systems are being continuously reviewed and procedures are regularly tested.
Adequate | Only what a reasonable person would be expected to do in the circumstances. | Being addressed reasonably. Protection systems are in place and procedures exist for given circumstances. Periodic review.
Inadequate | Less than what a reasonable person would be expected to do in the circumstances. | Little to no action being taken. No protection systems exist or they have not been reviewed for some time. No formalised procedures.


Risk Assessment Criteria Table

Level of Risk = Consequence x Likelihood

Likelihood \ Consequence | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
Rare (1) | 1 | 2 | 3 | 4 | 5
Unlikely (2) | 2 | 4 | 6 | 8 | 10
Moderate (3) | 3 | 6 | 9 | 12 | 15
Likely (4) | 4 | 8 | 12 | 16 | 20
Almost Certain (5) | 5 | 10 | 15 | 20 | 25

Risk Acceptance Criteria Table

Level of Risk | Criteria for Management of Risk | Who is responsible
1-3 | Acceptable - With adequate controls. | Operational Manager
4-5 | Monitor - With adequate controls. | Operational Manager
6-9 | Management Control Required - With adequate controls. | Operational Manager
10-14 | Urgent Management Attention - Only acceptable with excellent controls. | Chief Executive Officer
15-25 | Unacceptable - Only acceptable with excellent controls. | Chairman of the Board

Approved as at

By:

Title:
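The reference tables above combine into one decision rule: multiply the likelihood level by the consequence level, look up the band in the Risk Acceptance Criteria Table, and compare the Existing Controls rating with the weakest rating that band still accepts (adequate for 1-9, excellent for 10-25). The following Python is an added example, not part of the RiskCover guideline or its RiskBase tool. The levels, bands, descriptors and responsible officers are taken from the tables; the `Risk` class, the function names, the sample entries' reference numbers and their likelihood and consequence ratings are assumptions for illustration (the sample register in Appendix IV records only the resulting level and control rating), and the risk statements are borrowed from that register.

```python
"""Risk Reference Tables (Appendix III) as an executable decision rule.

Added example; not part of the RiskCover guideline or its RiskBase tool.
Numeric levels, bands, descriptors and responsible officers follow the
tables above. The Risk class, the function names and the sample entries'
reference numbers and likelihood/consequence ratings are assumptions.
"""
from dataclasses import dataclass

# Qualitative Measures of Likelihood and Consequence: descriptor -> level 1..5
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Almost certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# Existing Controls table, ranked so ratings can be compared
CONTROL_RANK = {"Inadequate": 0, "Adequate": 1, "Excellent": 2}

# Risk Acceptance Criteria Table: (lowest level, highest level, descriptor,
# weakest control rating under which the risk is still acceptable, who is responsible)
ACCEPTANCE_BANDS = [
    (1, 3, "Acceptable", "Adequate", "Operational Manager"),
    (4, 5, "Monitor", "Adequate", "Operational Manager"),
    (6, 9, "Management Control Required", "Adequate", "Operational Manager"),
    (10, 14, "Urgent Management Attention", "Excellent", "Chief Executive Officer"),
    (15, 25, "Unacceptable", "Excellent", "Chairman of the Board"),
]


def level_of_risk(likelihood: str, consequence: str) -> int:
    """Risk Assessment Criteria Table: Level of Risk = likelihood x consequence."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def acceptance_band(level: int) -> tuple:
    """Return (descriptor, weakest acceptable control rating, responsible officer)."""
    for low, high, descriptor, min_control, owner in ACCEPTANCE_BANDS:
        if low <= level <= high:
            return descriptor, min_control, owner
    raise ValueError(f"level {level} is outside the 1-25 matrix")


@dataclass
class Risk:
    ref: str             # constructed reference, not a register number from Appendix IV
    statement: str
    likelihood: str
    consequence: str
    control_rating: str  # Existing Controls rating: Inadequate / Adequate / Excellent

    @property
    def level(self) -> int:
        return level_of_risk(self.likelihood, self.consequence)


def risk_decision(risk: Risk) -> dict:
    """Apply the acceptance criteria to one register entry.

    The risk is acceptable only if its existing-controls rating is at least the
    rating its band demands; otherwise it needs a treatment plan, and the
    decision rests with the officer the band names.
    """
    descriptor, min_control, owner = acceptance_band(risk.level)
    acceptable = CONTROL_RANK[risk.control_rating] >= CONTROL_RANK[min_control]
    return {
        "ref": risk.ref,
        "level": risk.level,
        "descriptor": descriptor,
        "owner": owner,
        "acceptable": acceptable,
        "action": "accept; monitor and maintain controls" if acceptable
        else f"treatment plan required; decision rests with {owner}",
    }


def sorted_register(risks: list) -> list:
    """Sample-register order: highest level first, weakest controls first within a level."""
    return sorted(risks, key=lambda r: (-r.level, CONTROL_RANK[r.control_rating]))


def treatment_required(risks: list) -> list:
    """References of the entries that fail the acceptance test, in register order."""
    return [d["ref"] for d in map(risk_decision, sorted_register(risks)) if not d["acceptable"]]


# Constructed sample entries. Statements come from the Appendix IV sample register;
# reference numbers and likelihood/consequence ratings are assumed here, because
# the register records only the resulting level and control rating.
SAMPLE_RISKS = [
    Risk("S-1", "Inadequate IT system - does not meet the needs of the business",
         "Likely", "Catastrophic", "Inadequate"),   # level 20
    Risk("S-2", "Failure to apply HR management practices.",
         "Moderate", "Minor", "Adequate"),          # level 6
    Risk("S-3", "Incompatible IT hardware/software.",
         "Moderate", "Moderate", "Excellent"),      # level 9
    Risk("S-4", "Loss of key staff.",
         "Moderate", "Major", "Excellent"),         # level 12
]


if __name__ == "__main__":
    for entry in sorted_register(SAMPLE_RISKS):
        print(risk_decision(entry))
```

Run as a script it prints the four sample decisions in register order; only S-1 fails the test, because a level of 20 is accepted only with excellent controls and its controls are rated inadequate, so the decision is referred to the Chairman of the Board. S-4 sits in the same "excellent controls" band (level 12) but passes because its controls are rated excellent.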


Appendix IV Sample Risk Register

SAMPLE RISK REGISTER
All risks identified, sorted by Level of Risk

Register columns: Risk Ref No. | Directorate | Division | Department | Activity | Risk | Control Rating | Level of Risk

The Directorate for every entry is the Risk Management Commission. Risk Ref Nos. are numbered by division: 254 Corporate Services, 255 Finance, 256 Human Resources, 257 Information Technology, 259 Operations.

Information Technology (Information Technology Section; activities: Maintenance of existing systems, Information Management and Use; refs 257-1, 257-2, 257-3, 257-5):
- Inadequate IT system - does not meet the needs of the business.
- Business interruption due to failure of IT system.
- Inadequate technical support.
- Incompatible IT hardware/software.

Human Resources (Human Resources Section; activities: Recruitment, Maintaining a Safe Working Environment, Maintain Sustainable and Skilled Workforce, OSH; refs 256-1, 256-2, 256-4, 256-5, 256-6, 256-7, 256-8, 256-10, 256-11, 256-12):
- Inability to provide adequate skill mix to deliver services.
- Failure of recruitment staff to comply with HR policies and procedures.
- Non-compliance with Public Sector Standards in HR Management & Ethical codes.
- Inadequately skilled staff.
- Failure to comply with legislation and Act.
- Recruitment staff have little or incorrect knowledge of the current and future skill requirements of the organisation, leading to a mismatch between skills base and requirements.
- Breach of standards due to flawed recruitment process.
- Inadequate HR policies and procedures.
- Loss of key staff.
- Failure to apply HR management practices.

Corporate Services (activities: Public relations, Service delivery; ref 254-1):
- Inadequate complaints, compliments and feedback processes.

Finance (Finance Section; activity: Payments/Receipts; ref 255-1):
- Incorrect payments due to inadequately trained or unmotivated staff.

Operations (Operations Section; activities: Reporting, Budget planning; refs 259-1, 259-2):
- Reports non-compliant due to lack of knowledge of government requirements.
- Inadequate funds to fulfill Operational requirements.

Control Ratings recorded, in register order: Inadequate, Adequate, Inadequate, Inadequate, Adequate, Adequate, Excellent, Adequate, Excellent, Adequate, Adequate, Adequate, Adequate, Adequate, Excellent, Adequate, Inadequate, Adequate.

Levels of Risk recorded, in register order (highest first): 20, 20, 16, 16, 16, 16, 15, 15, 15, 12, 12, 12, 12, 12, 9, 9, 6.


Appendix V Sample Risk Management Implementation Strategy


SAMPLE: AGENCY NAME Risk Management Implementation Strategy
Objective
To enable the Agency to identify, assess, treat, monitor and report on risks consistent with an agency-wide risk management approach. Strategies to achieve this objective are:
1. To develop and implement an agency-wide risk management process for the identification and management of risks.
2. To promote the Agency's risk management approach through education and awareness sessions.
3. To identify options for the ongoing management of risks throughout the agency.

Background
The primary purpose of a structured risk management approach is to have a transparent process which demonstrates management's decision making regarding the acceptance or non-acceptance of risks. Risk is defined in AS/NZS 4360 as: "The chance of something happening that will have an impact upon objectives. It is measured in terms of likelihood and consequences." In other words, a risk is any event, incident or accident that may happen and that prevents you from successfully completing what you set out to do. The management of risk should be embedded in the Agency's overall planning, reporting, decision making and management practices to the extent that risk management becomes second nature to all staff and a process applied to all aspects of the Agency's operations.


The risk management process should:
- consider risks at all levels of the agency's operations (strategic, operational and project/events);
- integrate with business planning objectives, decision making and other elements of the Agency's management framework;
- involve the whole organisation, from the board to senior management and employees.

The main principles underpinning effective risk management include:
- the commitment of senior management to a formal, documented and fully integrated risk management process;
- the use of a common risk language;
- clearly defined responsibility and accountability for functions, activities and associated risks;
- a process for identification and management of risk which is fully integrated with existing management processes, including business planning, budgeting and reporting processes;
- risk management reinforced through training and induction;
- outcomes monitored through the involvement of senior management and the establishment of support functions and champions.

Steps in Implementation
1. Support of Senior Management
Development of an organisational risk management philosophy and awareness of risk at senior levels. To some extent this has been driven by the Premier's Circular in relation to Risk Management & Business Continuity, and the requirement to comply with Treasurer's Instruction 825, which states: "The Accountable Officer or Authority shall ensure that there are procedures in place for the periodic identification, assessment and treatment of risks inherent in the operations of the department or statutory authority, together with suitable risk management policies and practices, and that these are documented in the accounting manual or other relevant policy manuals."


Leadership Commitment: It is understood that the CEO has committed the agency to the implementation of Risk Management.

Sponsor: It is proposed that ( ? ) sponsor the initiative and that a Risk Management Co-ordinator assist him/her to facilitate the process. The Sponsor's responsibilities are to ensure that an effective risk management system is established, implemented and maintained, and that the performance of the system is reported to Our Agency's executive for review and as a basis for improvement.

Awareness: A briefing will be provided to the Corporate Executive. This will be extended to include education and training to impart a good understanding of the Risk Management process, its rationale and the program for implementation.

Executive Support: Communication from the CEO will be requested to notify all executive members of his/her commitment and the need to provide their full support to the process to achieve TI 825 compliance and other beneficial outcomes.

2. Development of the Risk Management Framework


Policy: A suggested policy has been drafted and will be reviewed jointly by the Sponsor, Risk Management Co-ordinator and RiskCover for inclusion of:
- objectives and rationale for managing risk;
- links with Our Agency's strategic and operational plans;
- the extent and range of issues to which it applies;
- guidance on acceptable risk;
- responsibilities and accountabilities for managing risks;
- support and expertise available;
- documentation requirements;
- performance review plans.

The final policy will need to be presented to Executive for consideration and endorsement.

Risk Reference Tables: Providing guidance on the acceptability of risks will require development of Risk Reference Tables relevant to Our Agency. They will address the rating of Controls, Likelihood, Consequences and Level of Risk for application in the risk management process throughout the agency. Use of the Reference Tables is critical to provide a uniform measuring standard for risk and the means to aggregate and prioritise risks across the agency as a whole. The Consequences and Level of Risk tables effectively provide executive and managers with risk acceptance guidance. Risk Reference Tables will be developed by the parties reviewing the policy and will similarly be presented to Executive for consideration and endorsement.

Risk Register Tool: The agency has evaluated a number of options and is proposing to use the RiskBase application developed by RiskCover to collect and report on risk information. This tool will be deployed to all area managers and directors to facilitate the risk management and reporting process at both the strategic and operational levels.

3. Communication/Education
Risk Management Committee: Formation of a Risk Management Committee, including the Sponsor and Risk Management Co-ordinator, to develop, establish and implement arrangements to ensure that managing risk becomes an integral part of the planning, management process and general culture of Our Agency, and to ensure that desired outcomes are achieved. RiskCover will provide assistance to the Committee and transfer knowledge to it.


The Committee will be responsible for:
- communicating the policy;
- raising awareness about managing risks;
- communications and dialogue about the practical issues in managing risks and application of the policy;
- the acquisition of risk management skills and their development throughout the agency;
- a performance management process;
- a process for recognition, rewards and sanctions;
- development of the risk management documentation, including manual, templates, forms and Risk Register.

The Committee will be instrumental in the next three phases.

4. Managing Risks at the Strategic Level


Program Development: The Committee will develop and establish a program for managing risks at the strategic level. This will include documentation of the strategic, agency and risk management context and the framework and timetable for the identification and ongoing management of strategic risks. (Refer to Appendix VI for an example of a Strategic Risk Management Framework.)

Risk Identification: This step is to address strategic risks identified in the:
- Strategic Performance Review
- Stakeholder Profile
- External and Internal Environmental Analysis
- SWOT Analysis
- Strategy Formulation
- Strategy Implementation


The identified risks will be assessed and evaluated using the Risk Reference Tables.

Risk Prioritisation: Identified risks will be listed and prioritised by level of risk for Executive review and consideration.

Treatment of Risks: Risks will be treated in accordance with priorities, existing management processes and by the officers indicated by the level of risk. Treatment plans will be developed and actioned according to priorities.

5. Managing Risks at Business Unit Level: Divisional, Program, Project and Team

Program Development: The Committee will develop and establish a program to manage operational risks, including insurable risks, at these levels, following the same core process as above and integrating with planning and management activities.

Risk Identification Workshops: Workshops will be scheduled and facilitated by the agency, with the support of RiskCover, to identify, assess and evaluate risks using the Risk Reference Tables.

Risk Aggregation and Prioritisation: Risks identified will be aggregated into prioritised lists according to agency structure and arranged in descending level of risk and adequacy of existing controls ratings, with risk acceptance decisions.

Treatment of Risks: Risks will be treated in accordance with priorities, existing management processes and by the officers indicated by the level of risk. Treatment plans will be developed and actioned according to priorities.

Risk Register: A register will be created to hold the risk listings, decisions and treatment summaries, including strategic risks from Step 4.


6. Monitoring and Review


Development of Indicators: The Committee will develop and apply appropriate mechanisms and indicators to ensure the ongoing review of risks to satisfy agency and TI 825 requirements. They will also ensure, by monitoring and review, that the risk management process is efficient and effective in meeting the objectives set out in the policy. Appropriate frequencies of monitoring will be determined.

Risk Reporting: The Committee will need to receive risk documentation and participate in the risk management process to ensure its efficiency and effectiveness. It will maintain the agency Risk Register and ensure working papers and trails are preserved for audit purposes.

Whole of Agency Reviews: The Committee will recommend to Executive appropriate frequencies for risk management reviews according to risk criteria, level of risk and possible consequences.

Loss Performance & Incident Reporting: The Committee will monitor and review any losses, however financed, or other incidents and make recommendations for improved risk treatment, where appropriate, through existing management structures.

Risk Auditing: The risk management process is a management process which must be audited to verify compliance with TI 825 and for reasons of governance and prudence. The agency auditors should perform an annual risk audit to check the application of the risk management process, its adequacy, the treatment of identified risks and the maintenance of the Risk Register.

Implementation Schedule
Refer to the Implementation Schedule table below for the proposed implementation schedule.


Conclusion
The Agency is committed to the implementation of Risk Management in accordance with Treasurer's Instruction 825, and RiskCover offers its assistance to achieve that purpose. The proposed implementation strategy follows the Risk Management Standard and has been field tested in numerous organisations, proving its completeness, its ability to add value to management practices, to assist in protecting an organisation from losses and to help maximise its opportunities.

Implementation Schedule

Step 1: Support of Senior Management
How: Produce briefing paper & implementation plan; briefing to Executive; obtain executive sign-off.
When: Sept 2005
Who (Responsibility): RM Co-ordinator

Step 2: Development of Organisation's RM Policy
How: Formation of Risk Management committee (including documented terms of reference); draft policy; draft Risk Reference Tables; determine roles and responsibilities; determine individual & corporate KPIs; obtain executive sign-off.
When: Sept 2005
Who (Responsibility): RM Co-ordinator & RM Committee

Step 3: Communicating the Policy
How: Arrange RM awareness sessions; distribute policy, procedure & risk reference tables; ensure all managers understand their responsibilities in managing risk, modifying JDFs where appropriate.
When: Oct 2005
Who (Responsibility): RM Co-ordinator & RM Committee

Step 4: Managing Risks at Strategic Level (Agency)
- Develop a program plan, i.e. develop a framework & procedure for identifying & managing strategic risks, and obtain executive sign-off. When: 2005. Who: Executive with assistance from RM Co-ordinator.
- Identify, assess and prioritise risks as part of strategic planning session. When: 2005. Who: Executive with assistance from RM Co-ordinator.
- Treat risks: develop risk reduction strategies as part of strategic planning session; monitor & review risks and risk reduction strategies as part of regular strategic management process. When: From 2005, monthly at executive meetings. Who: Executive with assistance from RM Co-ordinator.

Step 5: Managing Risks at Business Unit Level
- Develop a program plan, i.e. develop & agree framework & procedure for identifying & managing operational risks and reporting requirements. When: Oct 2005. Who: RM Co-ordinator & RM Committee, endorsed by Executive.
- Identify, assess and prioritise risks as part of operational planning session or dedicated workshop. When: Oct 2005. Who: Business Unit management team.
- Treat risks: develop risk reduction strategies as part of operational planning session and as part of regular operational management process. When: From Oct 2005, monthly at management meetings. Who: Business Unit management teams.
- Monitor & review risks and risk reduction strategies as part of regular operational management process; report risks and treatment strategies quarterly to RM committee as required by program plan. When: From Oct 2005, monthly at management meetings. Who: Business Unit management teams.

Step 6: Risk Auditing
- Develop & agree an audit plan to ensure the effectiveness of the RM process and the management of key risks. When: 2005. Who: RM Co-ordinator / Executive / Audit Manager.
- Implement the audit plan. When: Annually. Who: Audit Manager.


Appendix VI Strategic Risk Management Framework


Risk Management and Strategic Planning
Strategic management is the continuing process of aligning the internal capabilities of the organisation with the external demands of its environment. It involves the formulation and implementation of strategies to achieve the organisation's goals and objectives. It is an iterative process, in which management of change, monitoring and review are important parts. A Strategic Plan is a comprehensive master plan that states how we are going to achieve our mission and objectives. Anything that has a bearing on that is strategic. Strategic management is the set of managerial decisions and actions that determines the long-run performance of the organisation. Strategic Risk Management is the identification and management of risks likely to have a material impact on the organisation's ability to achieve its mission and objectives. The risks identified and evaluated as part of the strategic planning process will be risks that affect the entire agency and its ability to achieve its mission. This is the point at which the agency will identify risks which would prevent it from exploiting its opportunities and strengths, expose its weaknesses, or leave the agency's threats unaddressed.

Strategic Risk Management


There are two elements to the management of risks at a strategic level:

1. The identification, evaluation and management of risks in the strategic decision-making process. Risks are identified at each stage of the planning process, for example:
- examination and evaluation of current Mission, Objectives, etc.;
- External Environmental analysis;
- Internal Environmental analysis;
- development and evaluation of alternative strategies;
- selection of strategies.

2. The identification, evaluation and management of risks associated with particular (current) strategies and their implementation. As our businesses are going concerns, there are strategic plans in various states of implementation. Therefore, the particular approach for your agency must reflect the current situation. The following flow diagram shows how risk identification becomes an integral part of the strategic planning process.

Typical Strategic Planning Process

Each planning stage is paired with the risk question asked at that stage:

1. Strategic Risk Review (Financial Performance; Operational Performance; Mission/Vision; Existing Goals and Objectives). Question: Achieved? Did anything go wrong?
2. Stakeholder Profile (Stakeholder Expectations). Question: Impact if not met?
3. Strategic Risk Profile: Environment Scan of Strategic Factors. Internal: Structure (The Organisation); Culture (Beliefs, Expectations, Values); Resources (Assets, Skills, Competencies, Knowledge, Systems). External: Societal (General Forces); Task (Industry Analysis).
4. Strategic Risk Profile: SWOT Analysis. Strengths: risks to strengths. Weaknesses: risks that can arise from weaknesses. Opportunities: risks that accompany opportunity. Threats: outright risks.
5. Strategic Formulation (Mission/Vision; Goals and Critical Success Factors; Objectives and KPIs; Strategies; Policies). Question: Achievable? What can go wrong? Are all threats avoided and weaknesses minimised in respect of mission, goals and objectives?
6. Strategic Implementation (Operational Planning: Programs; Budgets; Procedures). Question: Can anything go wrong in this stage that will impact achievement?
7. Evaluation and Control. Question: Are there any weaknesses in information, management or control systems, or reporting?


The Process Explained


1. Strategic Performance Review
Review how the organisation has performed against previous Goals/Objectives:
a. Were they achieved?
b. Did something prevent you from achieving your Goals/Objectives?
c. Were all performance targets met?
This review will highlight anything that should be taken into account for future planning.

2. Stakeholder Profile
Identify who the organisation's stakeholders are and their expectations. In addition, it is important to consider what the consequences will be if their expectations are not met. This should sharpen the focus and ensure that the strategies you are adopting will meet the needs and expectations of the stakeholders.

3. Environmental Scan
Environmental scanning identifies factors which influence what the organisation will do and how it will do it. It covers both the Internal and External environmental factors. From the Environmental Scan, the organisation can assess where it sits in relation to industry and society's expectations, and how well it is situated to respond appropriately to market trends or demands.

4. SWOT
A SWOT analysis is used to identify:
- Risks to strengths
- Risks from weaknesses
- Risks from opportunities
- Threats, which are risks in themselves
These risks are then evaluated in terms of impact upon achievement of objectives.


5. Strategy Formulation
In this stage, strategies are identified to achieve Goals and Objectives whilst remaining focused on the organisation's Mission/Vision. An assessment of the risks and opportunities associated with each proposed strategy, and the potential for impact upon the achievement of objectives, should be an integral part of this step. This is the creative stage of developing strategies that will deliver the organisation's goals and objectives, mission and vision without exposing it to unacceptable risk.

6. Strategy Implementation
Once the strategies are decided upon, the process of implementing them carries a new set of risks. Each of these risks needs to be identified and appropriate risk minimisation strategies built into the implementation plan.

7. Evaluation and Control


There need to be system reviews which ensure that the process is implemented efficiently and effectively, and progress needs to be reported. Mechanisms need to be put in place to monitor the implementation of the Strategic Plan and identify any new risks that arise. The annual Strategic Review process needs to be programmed so that there is an opportunity for a formal review.


Appendix VII Risk Management Process Diagram

The process diagram, based on the Australian/New Zealand standard AS/NZS 4360:2004, shows five steps in sequence, with two activities running alongside every step:

1. Establish the Context
2. Identify Risks   ]
3. Analyse Risks    ] Assess Risks
4. Evaluate Risks   ]
5. Treat Risks

Communicate and Consult: throughout all steps.
Monitor and Review: throughout all steps.
