Acknowledgement
RiskCover has produced the Risk Management guidelines to assist the Western Australian State Government Agencies to implement their risk management programs.
First edition January 2007

Please direct all enquiries or comments on the contents of this document to:
Risk Management Services, RiskCover, Insurance Commission of WA, 8th Floor, The Forrest Centre, 221 St Georges Terrace, Perth, Western Australia 6000
Tel: (08) 9264 3806
Email: riskmanagement@icwa.wa.gov.au
RiskCover
www.riskcover.wa.gov.au
Table of Contents
1. Introduction
1.1 What Is Risk Management?
1.2 Why Manage Risk?
1.3 How Do We Manage Risk?
2. Communication and Consultation
3. Risk Management Process
3.1 Step 1: Establish The Context
3.1.1 Overall Agency Context
3.1.2 Specific Risk Assessment Context
3.1.3 Summary
3.2 Step 2: Risk Identification
3.2.1 What Is A Risk?
3.2.2 Categorisation of Risk
3.2.3 Summary
3.3 Step 3: Risk Assessment - Analysis & Evaluation
3.3.1 Existing Controls & Controls Assurance
3.3.2 Risk Analysis
3.3.3 Risk Evaluation
3.3.4 Risk Ownership & Risk Decision
3.3.5 Summary
3.4 Step 4: Risk Treatment
3.4.1 Identify, Evaluate and Select Treatment Options
3.4.2 Prepare & Implement Treatment Plans
3.4.3 Summary
4. Monitor and Review
4.1 Focus Areas
4.2 Risk Management Performance Measures
4.3 Roles and Responsibilities
5. Risk Management Implementation
Appendix I Glossary
Appendix II Sample Risk Management Policy
Appendix III Sample Risk Reference Tables
Appendix IV Sample Risk Register
Appendix V Sample Risk Management Implementation Strategy
Appendix VI Strategic Risk Management Framework
Appendix VII Risk Management Process Diagram
PREMIER'S CIRCULAR
Title: RISK MANAGEMENT AND BUSINESS CONTINUITY PLANNING
Policy
All public sector bodies must practise risk management, regularly undertake a structured risk assessment process to identify the risks facing organisations, be able to demonstrate the management of risks, and where appropriate, have continuity plans to ensure they can respond to and recover from any business disruption. Public sector bodies must submit details of their risk management policy, assessment processes and continuity plans to RiskCover in accordance with a schedule that will be provided by the Department of the Premier and Cabinet.
Background
Risk management has been a feature of the operation of the public sector for many years, with such requirements included in the Treasurer's Instructions. The Insurance Commission of Western Australia, through its RiskCover Division, has a mandate to manage and administer risk management arrangements on behalf of public authorities and to provide advice to the Government on matters relating to risk management. Planning for major risk events received special focus in the period leading up to 1 January 2000, with a great deal of planning and mitigation work undertaken to deal with potential Y2K issues. However, it is a matter of good corporate governance that risk assessment and continuity planning are subject to continual review at the highest levels of an organisation. In more recent times the threat of terrorism and the possibility of an influenza pandemic have given a new focus to this requirement.
The proclamation of the Emergency Management Act 2005, together with other State initiatives such as the Western Australian Management Plan for Pandemic Influenza, is part of the process of ensuring that the public sector and the community are well prepared for emergencies of any kind. Many agencies will already have well developed risk management processes, while others may be less well prepared. RiskCover will circulate a template of the information requirements that must be provided by all public sector bodies so that the Government can be certain agencies are well prepared for emergencies. RiskCover consultants will be available to guide and assist agencies to enable them to meet the requirements. Education and training in risk management principles and business continuity planning will also be available. Agencies will be advised in due course of the implementation timelines for them to meet the requirements.
1. Introduction
These guidelines have been produced by RiskCover to assist State Government agencies in developing and implementing effective Risk Management processes. They should be read in conjunction with the WA Government Business Continuity Guidelines, as the management of critical incidents and emergencies is just one aspect of an agency's overall approach to managing risk. The purpose of these guidelines is to provide an overview and explanation of the Risk Management process, some hints on applying the process, and sample documents for you to use. Please do not hesitate to contact RiskCover Risk Management Services on Tel: 9264 3806 or email riskmanagement@icwa.wa.gov.au should you require any further information or assistance in implementing Risk Management within your agency.
element in managing risk is correctly balancing risk and reward. A culture which is risk averse will create inflexibility in the business and erect barriers to the achievement of the organisation's goals.
In addition, there are two important concepts, Communication and Consultation, and Monitor and Review, that apply to every aspect of risk management. These are discussed at the beginning and end of the guidelines, respectively. Implementing risk management involves a new way of thinking and a new language. It is important to use precise, common terminology to ensure the effective communication and unambiguous description of the risks within your agency and across the whole of government. To assist with this, a Glossary of Terms is provided as Appendix I.
Communication and consultation are essential to the overall risk management process as well as to each individual step in that process. A well-structured approach to communication and consultation can provide the following benefits:
- Organisational coherence and a positive culture for risk management implementation
- Trust and understanding, resulting in better internal and external relationships
- The risk management process becomes tangible: people know what it is and how it works
- Integration of multiple perspectives
- Risk management embedded as an ongoing part of management and organisational practice

Each step of the Risk Management process relies on communication and consultation to achieve its purpose. For instance, in setting the context, consultation with internal and external stakeholders is essential to reach a thorough understanding of the operating environment and to define the purpose and scope of the exercise. In risk identification, a diversity of input can prevent important risks being overlooked and ensure that risks are accurately described. In the risk assessment process, communication and consultation allow all perspectives to be considered in arriving at a realistic level of risk. Risk treatment is more effective because treatment plans are better understood, and the monitor and review process depends upon effective communication to ensure risk information is in use and current.

Communication and consultation does not mean asking everybody their opinion about everything. When developing a strategy to implement a formal risk management process within your organisation, you may wish to consider the following in relation to communication and consultation requirements:
- Objectives: What are the specific aims and goals of involving different parties in the process?
- Participants: Who are the appropriate parties to be involved at each step of the process?
- Perspectives: What particular contribution or viewpoint is anticipated and required from each participant?
- Methods: How will consultation take place? It may not always be practical to get all the parties together in one place.

Hint: When agencies plan their communication and consultation for the risk management process, they frequently fail to adequately consider the needs and viewpoints of all stakeholders. Obviously, risk management involves the discussion of some matters that cannot be shared with external parties. However, if the needs and viewpoints of all stakeholders are not incorporated, the full benefit of risk management may not be realised.
As part of setting the overall context, the organisation-wide framework within which risk management will take place is defined, and the tools to measure and assess risks within that overall context are developed. The specific context then defines the framework of any specific risk assessment exercise within the agency.
- Risk Reference Tables: used in the evaluation of the risk and also of any existing controls. They also include a definition of the acceptance and reporting criteria for specific levels of risk.
- Risk Management Implementation Strategy: a plan of how the policy and guidelines are to be communicated and implemented.
- Risk Register Tool: an electronic tool to facilitate the recording, managing and reporting of risk information.

Section 5 of the guidelines discusses the implementation of the Risk Management process in more detail.
Refer to the samples of risk reference tables in Appendix III. Note that these tables are examples only and need to be customised for each Agency to reflect its own organisational context and tolerance for risk.

a. Consequence or Impact Rating Table

Categories of Consequence
Consequence categories are based upon the individual Agency's criteria for measurement of success and should reflect the Agency's economic, social and, in some cases, environmental responsibility. The categories should include those key areas which, if impacted upon, would have a significant effect on the ability of the Agency to achieve its goals. In government, these impact areas are often defined as Financial, Injury, Service Interruption, Reputation and Image, KPIs or Key Objectives/Deliverables and, depending on the nature of the organisation, Environment.

Consequence Scale
Consequences are usually rated on a scale of 1 to 5, 1 being insignificant and 5 being catastrophic. This is generally referred to as the level of the consequence. For each of the consequence categories defined, an agency needs to develop criteria for each of the impact levels specified. Care must be taken to ensure that impact criteria relating to different categories (say, Financial Loss and Reputation & Image) are equivalent at the same level of consequence, i.e. the definition of a Catastrophic Financial Loss needs to be equivalent in terms of priority to the definition of, say, a Catastrophic Reputation & Image impact.

Hints: Be aware, however, that when you apply these scales a Catastrophic Reputation and Image impact does not automatically mean it is a Catastrophic Financial Loss. When establishing the scale, avoid using subjective words such as "significant" when defining levels of consequence, as this will lead to ambiguity. Where possible use quantitative measures such as "A financial loss of $25,000 - $50,000".

b. Likelihood Rating Table
The other measure of risk is likelihood, and this is also commonly measured on a scale of 1 to 5, with 1 being very unlikely and 5 being almost certain. Likelihood can be considered in two aspects. In one sense, you can base the scale on how frequently a given consequence will (or is likely to) happen, e.g. more than twice per year, every year, every three years, etc. Alternatively, you can consider the probability of something happening in a defined forward timeframe, e.g. in the next five years a consequence is almost certain, probable, possible, etc. In either case, each level of the scale should be quantified.
Hint: The Consequence and Likelihood tables become part of your agency's common risk language and reflect the agency's level of risk tolerance.

Calculating the Level of Risk
Each risk is first analysed and evaluated in terms of the potential consequences resulting from a particular risk scenario. Then the consequence of this scenario, with the associated level of likelihood, is rated. Using 1 to 5 scales for Consequence and Likelihood results in a Level of Risk ranging from 1 to 25 (the consequence rating multiplied by the likelihood rating, as in the matrix in Appendix III).

The level of a risk varies as you consider the context of how that risk is being managed:
- Inherent Level of Risk: the level of risk with no formal controls in place, or the level of risk in the event of a breakdown of all controls. Some organisations choose to assess and document this level of risk prior to considering the effectiveness of existing controls. Having information available which relates to this inherent risk level means that, when considering the adequacy of controls, the inherent or worst-case scenario is known.
- Assessed Level of Risk: the level of risk with current controls in place, evaluated once the existing controls have been documented and assessed for effectiveness. Should the Assessed Level of Risk be unacceptable, then additional controls or improvements to existing controls, in the form of Treatments, are put in place.
- Predicted Level of Risk: the level of risk estimated for after the Treatment Plan has been implemented, used to evaluate the cost benefit of the proposed actions.
- Residual Level of Risk: the level of risk calculated by re-evaluating the risk once the Treatment Plan has been implemented. This is the remaining level of risk exposure and should now be in a range that is acceptable to the Agency.

c. Existing Controls Rating Table
Hint: A Control is an established mechanism, procedure, process or practice that is used to manage a risk. It controls the risk by reducing its consequences, likelihood, or both. We say controls are "in place" when they are being actively applied or practised.
This table is used to rate the adequacy of existing controls that are currently applied to a particular risk. It is usually qualitative, e.g. Excellent, Adequate and Inadequate.

Hint: This is a reasonableness test. Is the agency doing what is reasonable in the circumstances to reduce the likelihood and/or consequences of this risk? There may be several controls, each of which goes some way towards reducing the risk. What we are rating is the adequacy of those combined measures.

d. Risk Acceptance Criteria Table
This table defines the agency's risk tolerance, or risk appetite, and gives guidance as to the acceptability of risk. For a given level of risk, the table defines how that risk is perceived (e.g. low, moderate, high, or extreme) and may specify the controls rating that is necessary to accept the risk. The criteria often define how risks are to be reported and reviewed, and who is the acceptance decision-maker. An example is shown in Appendix III.

Hint: Once the tables are established, run through a couple of examples. Do they make sense? How do the examples fit with your instincts and past experience?
The specific risk assessment context can be categorised as Strategic, Operational, or Project:
Strategic Level
Strategic risks concern the whole of the agency. They are the risks associated with long-term organisational objectives and the means by which those objectives will be achieved. Strategic risk assessment is normally conducted at a Board or Executive level and is most effective when integrated with the strategic planning process.
Operational Level
Operational risks are associated with the development and implementation of operational plans. They are the risks associated with your normal business functions. Operational risks should be assessed by the parties familiar with the particular function or service with which the risks are associated.
Project Level
Project risks are associated with specific projects or discrete undertakings. Any project will go through a life cycle, for example, conception to planning, scoping, contracting, design, construction, testing/commissioning, hand-over and operation. Project risks exist at every stage, and they need to be identified and managed to ensure the successful completion of the project. Once the context for a particular risk assessment has been specified, and the particular strategy, activity or project defined, the next step is to identify the critical success factors (CSF) and key dependencies associated with it. A CSF is defined as any essential resource, expertise, input, or other factor which is critical to the success of that particular strategy or activity. A key dependency is a relationship with or reliance upon another person, section or organisation whose input is vital to a successful outcome. These success factors and dependencies become the basis to identify risk: anything that has a negative impact upon them constitutes a risk to the desired outcomes.
3.1.3 Summary
Step 1 of the risk management process is establishing the context, both for the agency as a whole and for each specific risk assessment exercise or workshop. Starting with the overall agency context, the scope and framework of risk management is defined by clearly identifying the nature, purpose, and activities of the organisation. Next, Risk Management policies and procedures are established, and specific roles are assigned. Then a set of tools, known collectively as the risk reference tables, is developed to measure and evaluate risks and controls. These tables establish a common language to manage risk and define your agency's risk tolerance. Once the overall agency context is established, the framework for area-specific risk assessments can be developed. Key strategies, activities or functions are defined, as are the associated critical factors and dependencies.
Example risk (table fragment; only this row of the risk identification table survived extraction): Incomplete or inaccurate information provided to clients
Hint: Do not confuse risks with consequences. Injuries, Financial Loss and Reputation Damage are not risks but consequences of a risk, i.e. if your risk were to eventuate, it could result in injuries, financial loss and/or reputation damage. For each risk, you should identify possible causes of the risk event. Each risk may have one or more causal factors which can either directly or indirectly contribute to the risk event occurring. Identifying the range of causes will help you to better understand the risk, evaluate the adequacy of existing controls and design effective risk treatments.
Hint: Appropriate and useful risk categories should be determined by each agency as part of setting the organisational context. These are often linked to the categories of an agency's quality framework. Examples of categories are:
- Financial
- Information Management
- Health, Safety & Environment
- Leadership/Governance/Legal
- Planning
- Services/Production
- Human Resources
b. Impact Range
Another way to categorise risks is by Impact Range. The Impact Range is a classification hierarchy which indicates how wide the consequences of the risk will reach, within the agency and beyond.

Hint: If the risk were to eventuate, ask yourself "How wide an impact could it have?" Could the risk impact a specific division/department, the whole agency, or even the whole of the State?

Common Impact Range descriptors include:
- State-wide
- Agency-wide
- Metro-wide
- Directorate-wide
- Division-wide
3.2.3 Summary
Step 2 is about identifying your risks in a systematic fashion and categorising them so you can manage them more efficiently. The causes of risks need to be identified, so that existing controls can be appropriately evaluated. Evaluating the impact range also enhances understanding of a risk and how best to manage it.
Existing Controls rating (table fragment; only this row survived extraction): Inadequate - Not doing some or all of the things that would be reasonable
If an existing control is identified as being ineffective, then the necessary improvements should be incorporated into a Treatment Action Plan. The review and sign off of existing controls is an integral part of the management of the risk; responsibility needs to be assigned to ensure there is accountability for and ownership of this important aspect of the risk management process.
Consequence Rating
A risk that eventuates may impact an agency across a number of different areas, to a greater or lesser extent. When analysing the consequences of a risk event, an Agency needs to consider the level of impact (1 to 5) in relation to each of the consequence categories defined in the Consequence Table. For example, a risk may have an impact of 5 for Financial Loss and 4 for Reputation and Image and little or no impact in the other areas. Both ratings may be recorded, but the overall level of risk calculation is based on the highest value, which in this case is a 5. Hint: Only select the Consequence Categories that are relevant to that risk. You do not have to rate every Consequence Category for each risk. Some consequences will not be applicable to a specific risk.
Likelihood Rating
This describes how likely it is that a risk will eventuate with the defined consequences. Likelihood can be defined in terms of probability or frequency, depending on what is most convenient for the agency's purposes. Hint: When you are rating the likelihood of a risk, ask yourself "How likely (Likelihood Rating) is it for this risk (Risk) to occur, given the existing controls (Controls), to this extent or with this type and level of impact (Consequence Category/Rating)?"
Past experience is an important guide to likelihood, but do not fall into the trap of thinking it is the only guide. There may be internal or external factors that may increase or decrease the likelihood of such an event occurring in the future.
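The scoring method from the risk reference tables in Step 1 (Level of Risk = Consequence x Likelihood on 1 to 5 scales, then read against the Risk Acceptance Criteria table) together with the consequence and likelihood rating steps above, carried through in code. This is an added example, not a RiskCover tool: the acceptance bands, the controls rating each band requires and the decision-makers are constructed sample values modelled on the Appendix III fragments, and the sample entry uses the example risk named in Step 2 with assumed ratings and owner.

```python
"""Risk rating helper modelled on the RiskCover guidelines (added example).

Level of Risk = Consequence x Likelihood on 1-5 scales; the overall consequence
is the highest rating among the categories rated; the level is then read
against the Risk Acceptance Criteria table. Bands, control requirements and
decision-makers below are ASSUMED sample values, not RiskCover's tables.
"""
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum


class ControlRating(IntEnum):
    """Adequacy of the combined existing controls (reference table c)."""
    INADEQUATE = 0
    ADEQUATE = 1
    EXCELLENT = 2


@dataclass(frozen=True)
class AcceptanceBand:
    low: int                            # lowest level in the band (inclusive)
    high: int                           # highest level in the band (inclusive)
    perception: str                     # how a risk at this level is perceived
    min_controls: ControlRating | None  # rating needed to accept; None = never
    decision_maker: str                 # who makes the acceptance decision


# Constructed sample acceptance criteria (assumption modelled on Appendix III).
ACCEPTANCE_CRITERIA = (
    AcceptanceBand(1, 3, "Low", ControlRating.INADEQUATE, "Operational Manager"),
    AcceptanceBand(4, 9, "Moderate", ControlRating.ADEQUATE, "Operational Manager"),
    AcceptanceBand(10, 14, "High", ControlRating.EXCELLENT, "Director"),
    AcceptanceBand(15, 25, "Extreme", None, "Chief Executive"),
)


def rate_consequence(ratings: dict[str, int]) -> int:
    """Overall consequence: the highest rating across the categories rated."""
    if not ratings:
        raise ValueError("rate at least one relevant consequence category")
    for category, level in ratings.items():
        if not 1 <= level <= 5:
            raise ValueError(f"{category}: consequence must be 1-5, got {level}")
    return max(ratings.values())


def level_of_risk(consequence: int, likelihood: int) -> int:
    """Consequence (1-5) x Likelihood (1-5) gives a Level of Risk of 1-25."""
    if not (1 <= consequence <= 5 and 1 <= likelihood <= 5):
        raise ValueError("consequence and likelihood must both be 1-5")
    return consequence * likelihood


def band_for(level: int) -> AcceptanceBand:
    for band in ACCEPTANCE_CRITERIA:
        if band.low <= level <= band.high:
            return band
    raise ValueError(f"level {level} is outside 1-25")


def evaluate(level: int, controls: ControlRating) -> tuple[str, bool]:
    """Risk Evaluation: (perception, acceptable as is with this controls rating)."""
    band = band_for(level)
    return band.perception, band.min_controls is not None and controls >= band.min_controls


@dataclass
class Risk:
    """One register entry carrying the inherent, assessed and predicted levels."""
    name: str
    owner: str
    consequences: dict[str, int]      # only the categories relevant to this risk
    inherent_likelihood: int          # likelihood with no formal controls in place
    assessed_likelihood: int          # likelihood with current controls in place
    controls: ControlRating           # rating of the current combined controls
    predicted_likelihood: int | None = None        # after the planned treatment
    predicted_controls: ControlRating | None = None

    def levels(self) -> dict[str, int]:
        c = rate_consequence(self.consequences)
        out = {"inherent": level_of_risk(c, self.inherent_likelihood),
               "assessed": level_of_risk(c, self.assessed_likelihood)}
        if self.predicted_likelihood is not None:
            out["predicted"] = level_of_risk(c, self.predicted_likelihood)
        return out

    def decision(self) -> str:
        """Risk Decision: accept as is, accept after treatment, or do not accept."""
        lv = self.levels()
        if evaluate(lv["assessed"], self.controls)[1]:
            return "accept as is"
        after = self.controls if self.predicted_controls is None else self.predicted_controls
        if "predicted" in lv and evaluate(lv["predicted"], after)[1]:
            return "accept after treatment"
        return "do not accept"


# Constructed sample entry using the example risk named in Step 2 (ratings and owner assumed).
SAMPLE = Risk(
    name="Incomplete or inaccurate information provided to clients",
    owner="Manager, Client Services",
    consequences={"Financial": 3, "Reputation and Image": 4, "Service Interruption": 2},
    inherent_likelihood=5, assessed_likelihood=3, controls=ControlRating.ADEQUATE,
    predicted_likelihood=2, predicted_controls=ControlRating.ADEQUATE,
)
```

For the sample entry the overall consequence is 4 (the Reputation and Image rating), so `SAMPLE.levels()` gives inherent 20, assessed 12 and predicted 8, and because 12 falls in the band that requires excellent controls while the treatment brings it to 8, `SAMPLE.decision()` returns "accept after treatment".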
Worked likelihood rating example (table fragment; columns Level and Explanation): Service Interruption, level 4. Explanation: Multiple deaths very rarely happen. Injuries only requiring medical attention are more common. Unlikely that services could be interrupted for more than three weeks.
Hint: When dealing with risks that result in a Service Interruption, the agency may need to formulate a Business Continuity Plan (BCP) to address the issue should the risk eventuate. If you do identify a risk that will interrupt your services, you should determine what would be a maximum acceptable outage. That is, how long can you afford to have that service interrupted before the consequences become unacceptable? The BCP is a risk treatment to facilitate the provision of critical services in a less than perfect operating environment until operations can be restored to normal.
Risk Acceptance Criteria (table fragment; only these cells survived extraction): Level of Risk bands 10 - 14 and 15 - 25; condition: Only acceptable with excellent controls; who is responsible: Operational Manager.
3.3.5 Summary
In this step, we have assigned values (risk ratings) to individual risks and made decisions based on those ratings. We started by evaluating existing controls and subjecting them to an assurance process. Then, taking those controls into account, ratings were assigned to each risk for consequences, likelihood and level of risk, based on the measures established in Step 1. The rated risks are then evaluated against the risk acceptance criteria to determine how to manage the risk. There are three basic choices: accept the risk as is, accept the risk after treatment, or do not accept the risk. Finally, we discussed the importance of risk ownership to ensure that the risk is monitored and the controls remain in place.
Managing risk is about doing all things reasonable, not all things possible. To evaluate the treatment options a number of selection criteria can be applied:
- How will the treatment impact the Level of Risk? For each treatment option, a predicted level of risk should be calculated considering the impact of adding this option as a new control. Treatment options which reduce the level of risk to an acceptable level should be considered.
- Cost of implementation versus benefits derived. Selecting appropriate options involves balancing the cost against the benefits derived. An option may appear to be the best option from a risk reduction perspective, but the cost of implementation may be prohibitive.
- Compatibility with the agency's objectives. The options selected need to be compatible with the overall objectives of the agency. Treatments that are incompatible with existing objectives, culture, or policies are obviously unacceptable, no matter how effective they might prove.
A treatment becomes a control only when it has been 100% implemented and signed off by the Treatment Owner. It is then subject to controls assurance and the regular monitoring and review process. Following the implementation of the treatment options, the level of risk needs to be re-evaluated to determine if the treatment brings the risk to an acceptable level for the agency. If not, further treatment options may need to be selected.
3.4.3 Summary
Formulating and implementing Treatment Action Plans is the final step in the risk management process, but it is only the beginning of fully integrating risk management into your agency. If the process stops once it becomes a set of documents, it will generate minimal benefit, and the time you spent on Steps 1 to 4 will be wasted. The next section of these guidelines addresses Monitor and Review. These are the ongoing processes that ensure risk management is maintained as a fully integrated part of managing your agency.
- Risks & Controls: numerous factors can cause the likelihood and consequences of risks, or the actual nature of the risks themselves, to change. The controls for risks can also become less effective or irrelevant. Monitoring by the risk owner and others will ensure the timely detection of these changes so that appropriate action can be taken.
- Treatments: risk treatments need to be monitored and reviewed to ensure they are fully and correctly implemented. In some cases, treatments need to be adapted or strengthened because the risk they are designed to address has changed; in other instances, resources can be saved by discontinuing irrelevant treatments.

The second area for monitor and review is the application of the risk management process across the entire agency, with specific attention to the following:
- Consistent application of the Risk Management process across the agency
- Incorporation of the Risk Management process into Strategic, Operational and Project/Event planning
- Adoption of risk management practices and procedures by staff at all levels
Communication / Education
A program of staff education and communication needs to be developed which includes:
- dissemination of the policy and procedures
- raising awareness about managing risks
- delivering education sessions on the specifics of the process
- a performance management process
- a process for recognition, rewards and sanctions.
Appendix I Glossary
Business Continuity Management (BCM)
A process that allows an organisation to recover from an event that significantly disrupts its activities. BCM focuses on three post-event phases: Disaster Recovery, Business Continuity (of essential functions), and Full Recovery.
Consequence
The impact or outcome of a risk eventuating. A risk can have multiple consequences.
Consequence Categories
These are key impact areas which, if affected as a result of a particular risk event, could have a significant impact on the ability of an Agency to deliver its outcomes. Consequence Categories are agency specific, and should reflect the Agency's economic, social and environmental responsibilities.
Control
A procedure, system, activity or process that reduces the likelihood and/or consequences of a risk. A risk may have more than one control, and a control may address more than one risk.
Controls Rating
A qualitative, common-sense measure of the adequacy of controls in addressing a risk.
Controls Assurance
The process whereby Control Ratings are verified through a series of questions regarding their relevance and effectiveness.
Impact Range
A measurement of how widespread the consequences of a risk may be. This measurement can assist in the assessment of controls and the formulation of treatments.
Implementation Plan
A plan created to establish how the Risk Management process is to be implemented into an organisation.
Key Activity
Any high level activity or function that is instrumental in an agency delivering required outcomes or performing its mission.
Key Dependency
Relationship with or reliance upon another party essential to delivering outcomes or services. Key dependencies can be within the agency or external.
Likelihood
A measure of how likely it is that a certain consequence will eventuate, ranging from very unlikely to almost certain.
Monitor
An ongoing process of surveillance of the internal and external environments to ensure that risks continue to be effectively and appropriately managed.
Operational (Context)
Deals with Operational Risks: those risks associated with normal, ongoing operations and activities.
Project (Context)
Deals with Project Risks: those risks associated with defined projects and other discrete undertakings.
Review
Periodic assessment of a specific aspect of the Risk Management process or a particular group of risks to determine if there have been gradual changes over time.
Risk Assessment
Step 3 of the Risk Management Process, which involves assigning values (Risk Ratings) to individual risks and deciding how to manage them.
Risk Analysis
A process that assigns a Risk Rating to each risk by evaluating the effectiveness of existing controls and assigning values for Likelihood and Consequences for various scenarios.
Risk Evaluation
A decision making process which evaluates the Risk Rating against the Risk Assessment Criteria.
Risk Categories
Categorisation of risks within the agency by type, often based on source of risk. This helps identify common risks in different functional areas.
Risk Decision
The decision made after Risk Evaluation, balancing risk and reward.
Risk Identification
Step 2 of the Risk Management Process, which uses Critical Success Factors and Key Dependencies to identify risks.
Risk Management
The practice of systematically identifying, understanding, and managing the risks encountered by an organisation.
Risk Owner
The person specifically assigned in Step 3 to manage the risk, including monitoring the risk, its controls and any treatments that are implemented.
Strategic (Context)
Deals with Strategic Risks: risks which concern the whole agency and are associated with long term organisational objectives. Strategic risk management is most effective when conducted as an integral part of the strategic planning process.
Treatment
A measure that is designed and implemented to further reduce the consequences and/or likelihood of a risk. Once a treatment is fully implemented and effective (in place), it becomes a Control.
Objectives
- To ensure Risk Management is adopted throughout the Agency as a prudent management practice.
- To ensure that all employees are made aware of the need to manage risk and to promote a culture of participation in that process.
- To protect the Agency from adverse incidents, to reduce its exposures to loss and to mitigate and control loss should it occur.
- To ensure the ongoing, unimpeded capacity of the Agency to fulfil its mission, perform its key functions, meet its objectives and serve its customers.
- To reduce the costs of risk to both the Agency and the Western Australian State Government.
- To adhere to Australian Risk Management Standards and comply with Treasurer's Instruction TI825.
Consequence Table (the page layout separated the columns; the headings Level, Rank and Injuries survive, and the remaining column headings were not recovered)

Level: Insignificant
- Injuries: No injuries.

Level: Minor
- Inconvenient delays.

Level: Moderate
- $50,000 to $250,000, or .15% of operational Budget.
- 1 day to 1 week.
- Substantiated, public embarrassment, moderate impact, moderate news profile.

Level: Major
- Substantiated, public embarrassment, high impact, high news profile, Third Party actions.

Level: Catastrophic
- Substantiated, public embarrassment, very high multiple impacts, high widespread multiple news profile, Third Party actions.
Likelihood Table (the page layout separated the columns; only the headings Level, Descriptor and Frequency and the five descriptors survive)

Level / Descriptor / Frequency
- Rare
- Unlikely
- Moderate
- Likely
- Almost certain
Existing Controls Rating Table (headings Level, Descriptor, Foreseeable Example and Detail Description; the page layout separated the columns, so each descriptor is shown with its detail description)

- Excellent: Controls fully in place and require only ongoing maintenance and monitoring. Protection systems are being continuously reviewed and procedures are regularly tested.
- Adequate: Being addressed reasonably. Protection systems are in place and procedures exist for given circumstances. Periodic review.
- Inadequate: Little to no action being taken. No protection systems exist or they have not been reviewed for some time. No formalised procedures.
Level of Risk Table (reconstructed from the page layout: each cell is the likelihood rank, 1 to 5, multiplied by the consequence rank, 1 to 5, which reproduces the values on the page)

                        Consequence
Likelihood              Insignificant (1)  Minor (2)  Moderate (3)  Major (4)  Catastrophic (5)
Rare (1)                1                  2          3             4          5
Unlikely (2)            2                  4          6             8          10
Moderate (3)            3                  6          9             12         15
Likely (4)              4                  8          12            16         20
Almost certain (5)      5                  10         15            20         25

Legend (Level of Risk / Who is responsible): With adequate controls (Operational Manager); Only acceptable with excellent controls; Management Control Required; Urgent Management Attention; Unacceptable. The score ranges that define these bands were not recovered from the page.
Approved as at
By:
Title:
Sample Risk Register (extract). The original is a table with the columns Directorate, Division, Department, Activity, Risk, Control Rating and Level of Risk; the page layout separated the columns, so the cell values below are grouped by column rather than aligned by row.

Risk ID and Directorate:
257-1 Information Technology; 256-8 Human Resources; 256-2 Human Resources; 256-4 Human Resources; 256-10 Human Resources; 257-2 Information Technology; 257-3 Information Technology; 256-11 Human Resources; 259-2 Operations; 254-1 Corporate Services; 255-1 Finance; 256-1 Human Resources; 256-5 Human Resources; 256-6 Human Resources; 256-7 Human Resources; 257-5 Information Technology; 259-1 Operations; 256-12 Human Resources.

Division: Risk Management Commission.

Department: Corporate Services; Finance Section; Human Resources Section; Information Technology Section; Operations Section.

Activity: Payments/Receipts; Public relations; Service delivery; Maintain Sustainable and Skilled Workforce; Information Management and Use; Budget planning; OSH; Recruitment.

Risk:
- Recruitment staff have little or incorrect knowledge of the current and future skill requirements of the organisation, leading to a mismatch between skills base and requirements.
- Breach of standards due to flawed recruitment process.
- Inadequate HR policies and procedures.
- Loss of key staff.
- Incompatible IT hardware/software.
- Inadequate funds to fulfil Operational requirements.

Control Rating: Inadequate; Adequate; Inadequate; Inadequate; Adequate; Adequate.

Level of Risk (in descending order as listed): 20, 20, 16, 16, 16, 16, 15, 15, 15, 12, 12, 12, 12, 12, 9, 9, 6.
Background
The primary purpose of a structured risk management approach is to have a transparent process which demonstrates management's decision making regarding the acceptance or non-acceptance of risks. Risk is defined in AS4360 as: "The chance of something happening that will have an impact upon objectives. It is measured in terms of likelihood and consequences." In other words, a risk is any event, incident or accident that may happen and prevent you from successfully completing what you set out to do. The management of risk should be embedded in the Agency's overall planning, reporting, decision making and management practices to the extent that risk management becomes second nature to all staff and a process applied to all aspects of the Agency's operations.
The risk management process should:
- consider risks at all levels of the agency's operations (strategic, operational and project/events);
- integrate with business planning objectives, decision making and other elements of the Agency's management framework;
- involve the whole organisation, from the board to senior management and employees.

The main principles underpinning effective risk management include:
- the commitment of senior management to a formal, documented and fully integrated risk management process;
- the use of a common risk language;
- clearly defined responsibility and accountability for functions, activities and associated risks;
- a process for identification and management of risk which is fully integrated with existing management processes, including business planning, budgeting and reporting processes;
- reinforcement of risk management through training and induction;
- monitoring of outcomes through the involvement of senior management and the establishment of support functions and champions.
Steps in Implementation
1. Support of Senior Management
Development of an organisational risk management philosophy and awareness of risk at senior levels. To some extent this has been driven by the Premier's Circular in relation to Risk Management & Business Continuity, and the requirement to comply with Treasurer's Instruction 825, which states: "The Accountable Officer or Authority shall ensure that there are procedures in place for the periodic identification, assessment and treatment of risks inherent in the operations of the department or statutory authority, together with suitable risk management policies and practices, and that these are documented in the accounting manual or other relevant policy manuals."
Strategy

Leadership Commitment
It is understood that the CEO has committed the agency to the implementation of Risk Management.

Sponsor
It is proposed that ( ? ) sponsor the initiative and that a Risk Management Co-ordinator assist him/her to facilitate the process. The Sponsor's responsibilities are to ensure that an effective risk management system is established, implemented and maintained, and that the performance of the system is reported to Our Agency's executive for review and as a basis for improvement.

Awareness
A briefing will be provided to the Corporate Executive. This will be extended to include education and training to impart a good understanding of the Risk Management process, its rationale and the program for implementation.

Executive Support
Communication from the CEO will be requested to notify all executive members of his/her commitment and the need to provide their full support to the process to achieve TI 825 compliance and other beneficial outcomes.
The final policy will need to be presented to Executive for consideration and endorsement.

Risk Reference Tables
Providing guidance on the acceptability of risks will require development of Risk Reference Tables relevant to Our Agency. They will address the rating of Controls, Likelihood, Consequences and Level of Risk for application in the risk management process throughout the agency. Use of the Reference Tables is critical to provide a uniform measuring standard for risk and the means to aggregate and prioritise risks across the agency as a whole. The Consequences and Level of Risk tables effectively provide executive and managers with risk acceptance guidance. Risk Reference Tables will be developed by the parties reviewing the policy and will similarly be presented to Executive for consideration and endorsement.

Risk Register Tool
The agency has evaluated a number of options and is proposing to use the RiskBase application developed by RiskCover to collect and report on risk information. This tool will be deployed to all area managers and directors to facilitate the risk management and reporting process at both the strategic and operational levels.
3. Communication/Education
Strategy

Risk Management Committee
Formation of a Risk Management Committee, including the Sponsor and Risk Management Co-ordinator, to develop, establish and implement arrangements to ensure that managing risk becomes an integral part of planning, management processes and the general culture of Our Agency, and to ensure that desired outcomes are achieved. RiskCover will provide assistance to the Committee and transfer knowledge to it.
The Committee will be responsible for:
- communicating the policy;
- raising awareness about managing risks;
- communications and dialogue about the practical issues in managing risks and application of the policy;
- the acquisition of risk management skills and their development throughout the agency;
- a performance management process;
- a process for recognition, rewards and sanctions;
- development of the risk management documentation, including manual, templates, forms and Risk Register.

The Committee will be instrumental in the next three phases.
The identified risks will be assessed and evaluated using the Risk Reference Tables.

Risk Prioritisation
Identified risks will be listed and prioritised by level of risk for Executive review and consideration.

Treatment of Risks
Risks will be treated in accordance with priorities, existing management processes and by the officers indicated by the level of risk. Treatment plans will be developed and actioned according to priorities.
5. Managing Risks at Business Unit Level : Divisional, Program, Project and Team
Strategy

Program Development
The Committee will develop and establish a program to manage operational risks, including insurable risks, at these levels, following the same core process as above and integrating with planning and management activities.

Risk Identification Workshops
Workshops will be scheduled and facilitated by the agency, with the support of RiskCover, to identify, assess and evaluate risks using the Risk Reference Tables.

Risk Aggregation and Prioritisation
Risks identified will be aggregated into prioritised lists according to agency structure and arranged in descending level of risk and adequacy of existing controls ratings, with risk acceptance decisions.

Treatment of Risks
Risks will be treated in accordance with priorities, existing management processes and by the officers indicated by the level of risk. Treatment plans will be developed and actioned according to priorities.

Risk Register
A register will be created to hold the risk listings, decisions and treatment summaries, including strategic risks from Step 4.
Implementation Schedule
Refer to table overleaf for the proposed implementation schedule.
Conclusion
The Agency is committed to the implementation of Risk Management in accordance with Treasurer's Instruction 825, and RiskCover offers its assistance to achieve that purpose. The proposed implementation strategy follows the Risk Management Standard and has been field tested in numerous organisations, where it has proven its completeness and its ability to add value to management practices, to assist in protecting an organisation from losses and to help maximise its opportunities.
Implementation Schedule (reconstructed from the page layout; within Steps 1 to 3 the How items are listed together because the page does not preserve which step each belongs to, and the Who column for Steps 5 and 6 was not recovered)

Steps 1 to 3
What? Support of Senior Management; Development of Organisation's RM Policy; Communication/Education
How?
- Produce briefing paper & implementation plan
- Briefing to Executive
- Obtain executive sign-off
- Formation of Risk Management committee (including documented terms of reference)
- Draft policy
- Draft Risk Reference Tables
- Determine roles and responsibilities
- Determine individual & corporate KPIs
- Obtain executive sign-off
- Arrange RM awareness sessions
- Distribute policy, procedure & risk reference tables
- Ensure all managers understand their responsibilities in managing risk; modify JDFs where appropriate.
When? Sept 2005; Sept 2005; Oct 2005
Who? (Responsibility) RM Co-ordinator

Step 4
What? Managing Risks at Strategic Level (Agency)
How?
- Develop a program plan, i.e. develop a framework & procedure for identifying & managing strategic risks & obtain executive sign-off
- Identify, assess and prioritise risks as part of strategic planning session.
- Treat risks: develop risk reduction strategies as part of strategic planning session
- Monitor & review risks and risk reduction strategies as part of regular strategic management process
When? 2005
Who? (Responsibility) Executive with assistance from RM Co-ordinator

Step 5
What? Managing Risks at Business Unit Level
How?
- Develop a program plan, i.e. develop & agree framework & procedure for identifying & managing operational risks and reporting requirements.
- Identify, assess and prioritise risks as part of operational planning session or dedicated workshop
- Treat risks: develop risk reduction strategies as part of strategic planning session
- Develop risk reduction strategies as part of regular operational management process
- Monitor & review risks and risk reduction strategies as part of regular operational management process
- Report risks and treatment strategies quarterly to RM committee as required by program plan.
When? 2005; Oct 2005; from Oct 2005, monthly at management meetings

Step 6
What? Risk Auditing
How?
- Develop & agree an audit plan to ensure the effectiveness of the RM process and the management of key risks
- Implement the audit plan
When? 2005; Annually
2. The identification/evaluation/management of risks associated with particular strategies (current) and their implementation. As our businesses are going concerns, there are strategic plans in various states of implementation. Therefore, the particular approach for your agency must reflect the current situation. The following flow diagram shows how risk identification becomes an integral part of the strategic planning process.
Flow diagram (rendered as text; the diagram boxes are given top to bottom):

Strategic Risk Profile: Environment Scan of Strategic Factors
- Internal: Structure (The Organisation); Culture (Beliefs, Expectations, Values); Resources (Assets, Skills, Competencies, Knowledge, Systems)
- External: Societal (General Forces); Task (Industry Analysis)

Strategic Risk Profile: SWOT Analysis
- Strengths: Risks to strengths
- Weaknesses: Risks that can arise from weaknesses
- Opportunities: Risks that accompany opportunity
- Threats: Outright risks

Strategy Formulation: Mission / Vision; Goals and Critical Success Factors; Objectives and KPIs; Strategies; Policies
- Achievable? What can go wrong? Are all threats avoided and weaknesses minimised in respect to mission, goals and objectives?

Evaluation and Control
- Are there any weaknesses in information, management or control systems, or reporting?
2. Stakeholder Profile
Identify who the organisation's stakeholders are and what their expectations are. In addition, it is important to consider what the consequences will be if their expectations are not met. This should sharpen the focus and ensure that the strategies you are adopting will meet the needs and expectations of the stakeholders.
3. Environmental Scan
Environmental scanning identifies factors which influence what the organisation will do and how it will do it. It covers both the Internal and External environmental factors. From the Environmental Scan, the organisation can assess where it sits in relation to industry and society's expectations, and how it is situated to respond appropriately to market trends or demands.
4. SWOT
A SWOT analysis is used to identify:
- Risks to strengths
- Risks from weaknesses
- Risks from opportunities
- Threats, which are risks

These risks are then evaluated in terms of impact upon achievement of objectives.
5. Strategy Formulation
In this stage, strategies are identified to achieve Goals and Objectives whilst being focused on the organisation's Mission/Vision. An assessment of the risks and opportunities associated with each proposed strategy, and their potential impact upon the achievement of objectives, should be an integral part of this step. This is the creative stage of developing strategies that will deliver the organisation's goals and objectives, mission and vision without exposing it to unacceptable risk.
6. Strategy Implementation
Once the strategies are decided upon, the process of implementing them carries a new set of risks. Each of these risks needs to be identified and appropriate risk minimisation strategies built into the implementation plan.
Risk Management Process Diagram (only the step label "Analyse Risks" survived extraction of the diagram)