Guide

Risk Management Developing & Implementing a Risk Management Framework

March 2010


Disclaimer

This document provides general information, current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to actions being taken on any of the information.

The VMIA disclaims all responsibility and liability arising from anything done or omitted to be done by any party in reliance, whether wholly or partially, on any of the information. Any party that relies on the information does so at its own risk.

Principal Author Victorian Managed Insurance Authority (VMIA)

Version Date: 1 March 2010

Reviewed by: Stephen Owen

Approved by: Steve Marshall

Distribution: VMIA Public Sector clients

Document Owner

Stephen Owen

Manager: Strategic Risk (VMIA)


Contents

1 Foreword.......................................................................................................................5

2 Introduction .................................................................................................................. 6

2.1 Purpose ................................................................................................................. 6

2.2 How has the guide been developed? .................................................................... 6

2.3 Scope of the guide ................................................................................................ 7

2.4 Overview of document........................................................................................... 8

2.5 Key definitions and terminology ............................................................................ 9

2.6 The role of the VMIA ........................................................................................... 10

2.7 The need for a risk management guide............................................................... 11

3 Developing a risk management framework ............................................................. 18

3.1 Overview ............................................................................................................. 18

3.2 Key considerations when developing a risk management framework................. 27

3.3 Documenting a framework .................................................................................. 37

3.4 Risk management governance............................................................................ 45

3.5 Risk management information systems............................................................... 52

3.6 Checklist – Developing a risk management framework....................................... 57

4 Implementing a risk management framework ......................................................... 59

4.1 Overview of the risk management process ......................................................... 59

4.2 Implementing a risk management process.......................................................... 68

4.3 Risk and risk management reporting................................................................. 114

4.4 Developing desired risk management culture ................................................... 129

4.5 Checklist – Implementing a risk management framework ................................. 132

5 Monitoring and enhancing the risk management framework .............................. 135

5.1 Monitoring and reviewing a risk management framework ................................. 135

5.2 Risk management attestation............................................................................ 159

5.3 Continuous improvement .................................................................................. 165


5.4 Checklist – Monitoring and reviewing a risk management framework............... 167

6 Risk management toolkit......................................................................................... 168

6.1 Appendix A: Risk management glossary........................................................... 168

6.2 Appendix B: Risk management strategy – template ......................................... 168

6.3 Appendix C: Risk management policy – template ............................................. 168

6.4 Appendix D: Risk management procedure – template...................................... 168

6.5 Appendix E: Risk rating criteria – template ....................................................... 168

6.6 Appendix F: Common risk categories for the public sector ............................... 168

6.7 Appendix G: Communication and consultation plan – template ........................ 168

6.8 Appendix H: Risk training slides........................................................................ 168

6.9 Appendix I: Common example risks.................................................................. 168

6.10 Appendix J: Risk assessment – template.......................................................... 168

6.11 Appendix K: Risk management database – MS Access tool............................. 168

6.12 Appendix L: Risk register – MS Excel template................................................. 168

6.13 Appendix M: Risk management register – worked example ............................. 168

6.14 Appendix N: Risk reporting – MS Word templates ............................................ 169

6.15 Appendix O: Risk management checklist .......................................................... 169

6.16 Appendix P: Risk management information system – checklist ........................ 169

6.17 Appendix Q: VAGO good practice guide........................................................... 169


1 Foreword

Managing risk is an increasingly important facet of public sector governance, and one that supports the achievement of public sector objectives.

In July 2007, the Government issued the Victorian Government Risk Management Framework. The framework provided clarity around risk management roles and responsibilities across the public sector.

Importantly, it also served to engage senior executives in risk management processes through the introduction of an attestation in annual reports of operations. The attestation requires departmental Secretaries and Chief Executive Officers to certify that risk management processes are in place, risks are effectively controlled and managed and that the risk profile of the organisation has been critically reviewed within the last twelve months.

The Guide for developing and implementing your risk management framework has been developed in consultation with department and agency representatives to support the implementation of risk management requirements and enhance the practice of risk management throughout the public sector.

It is anticipated that the guidelines will assist public sector entities to develop an organisation-wide approach and embed a culture of risk management at all levels of the organisation.

This guide is designed to enable individual entities to build upon, and enhance their risk management frameworks, recognising that risk management is a continuous journey of improvement.

Steve Marshall

Chief Executive Officer

Victorian Managed Insurance Authority

GUIDE-DEVELOPING-RISK-FRAMEWORK 5


2 Introduction

2.1 Purpose

The guide aims to provide practical guidance to Victorian Public Sector Departments and Agencies (referred to hereafter as organisations) for developing, implementing and enhancing their risk management frameworks.

The guide aligns with the Australian/New Zealand Standard: Risk management – Principles and guidelines (AS/NZS ISO 31000:2009) which was released 20th November 2009.

The guide complements the Victorian Government Risk Management Framework and existing legislation, such as the Financial Management Act 1994 and the Victorian Managed Insurance Authority Act 1996, which prescribe risk management requirements within the Victorian Public Sector.

The guide is primarily targeted at risk managers or equivalent and designed to assist them to better embed risk management practices within their respective organisations. The guide may also be used by other stakeholder groups including the board, executive, and employees during the execution of their risk management responsibilities.

The guide is primarily developed for large organisations; however, the majority of the content is applicable to smaller organisations. Some of the more ‘advanced’ risk management framework attributes may not be feasible or appropriate for smaller organisations.

The guide is developed to support organisations with varying degrees of risk management maturity, recognising that risk management is a continuous journey. The guide includes a number of examples aimed at illustrating how organisations with less mature risk management practices can incrementally enhance and progress their risk management frameworks.


2.2 How has the guide been developed?

This guide was originally developed in 2008 based on AS/NZS 4360:2004 and the Draft ISO 31000 Risk Standard. This version has been updated to reflect changes to the Risk Standard, notably the adoption of ISO 31000 as the Australian Standard.

The original guide was developed in consultation with a broad range of stakeholders, including entities with responsibility for co-ordinating risk management in the Victorian Public Sector and a range of Victorian departments and selected agencies.


2.3 Scope of the guide

The scope of the Guide is focused primarily on providing generic guidance on the management of organisational-level risk. Some guidance is provided on effective management of state-wide and inter-agency risk.

The principles and practices described in the Guide follow the Australian/New Zealand Standard: Risk management – Principles and guidelines (AS/NZS ISO 31000:2009) and are applicable to all Victorian Public Sector departments and agencies.

Scope (figure): the three tiers of guidance are the Generic Risk Management Guide & Tools, Sector Specific Risk Management Guide/s & Tools, and the Whole of Government Risk Management Guide; the risk levels covered across these tiers are organisation-level risks, inter-agency risks and state-wide risks.


2.4 Overview of document

The document is structured into three key sections:

Developing a risk management framework (Section 3)

Implementing the risk management framework (Section 4)

Monitoring and enhancing the risk management framework (Section 5).

Each section provides guidance on specific topics of developing, implementing, and monitoring/enhancing a risk management framework. The guideline document includes references to templates and good practice examples that are included in the toolkit (see Appendices).

Toolkit references are marked as follows:


Toolkit Reference:

Appendix XYZ: Appendix name

Document Structure (figure): the guide has three parts, each with its own guidelines and supported by the Toolkit.

Developing a Risk Management Framework – Guidelines: risk management overview; core elements of a risk management framework; risk management information systems.

Implementing the Risk Management Framework – Guidelines: practical application of the AS/NZS 31000 process; risk and risk management reporting; developing and progressing your risk management culture.

Monitoring and Enhancing the Risk Management Framework – Guidelines: monitoring and reviewing your framework; attestation process.


Practical examples and quotes from those involved in risk management processes, illustrating the experiences of Victorian Public Sector organisations, have been included in the guide. These illustrate how organisations have adapted and customised their risk management systems to meet unique organisational and sector requirements.

At the end of each section, a series of questions is asked of the reader relating to the topics covered within the section. These questions serve as a guide to check whether your current risk management framework is in line with key risk management principles, processes and outcomes.


2.5 Key definitions and terminology

The risk management ‘glossary’ based on the Risk Standard is appended to this document. However, some more common definitions are noted below:

Risk – Effect of uncertainty on objectives

Risk is often characterized by reference to potential events and consequences, or a combination of these. Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

Risk management – Coordinated activities to direct and control an organisation with regard to risk.

Risk management framework – Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.

Australian/ New Zealand Risk Management Standard (AS/NZS ISO 31000: 2009) (The Standard) – The Standard is a generic and flexible standard that is not specific to any government or industry sector. The Standard identifies elements or steps in the risk management process that can be applied to a wide range of activities at any stage of implementation (from the Victorian Government Risk Management Framework).

Organisation – The term ‘organisation’ as used within this guide, includes all Victorian Public Sector departments, agencies and entities required to, or expected to implement sound risk management systems. The term organisation includes the individual business units, subsidiaries or affiliate entities that fall under an agency’s direct authority and/or responsibility.

Victorian Government Risk Management Framework (VGRMF) – Guidance document released by the Department of Treasury and Finance in July 2007, that was developed to support good practice in public sector risk management. Specifically, the framework provides for minimum common risk management standards for public sector entities and attestation by accountable officers in annual reports that risk management processes are consistent with that standard (Victorian Government Risk Management Framework).

Toolkit Reference:

Appendix A: Risk management glossary

2.6 The role of the VMIA

Under the Victorian Managed Insurance Authority Act 1996 and as evidenced in the ‘Victorian Government Risk Management Framework’ the Victorian Managed Insurance Authority (VMIA) has a key role to play as a central advisor and source of support for the Victorian State Government in relation to non-financial, insurable and non-insurable risks.

The VMIA provides the following services:

advice to Government on whole-of-government downside and upside risks and to be a conduit of risk and risk management information through advice to the Minister for Finance

development and maintenance of a statewide risk register

ensure clients have a risk management framework in place, identify opportunities for improvement and development of the framework

maintain a centre of excellence in risk management for the Victorian State Government and for public sector entities across Victoria including provision of products and services that enable entities to develop and improve their risk management frameworks

educate clients to increase the knowledge and capability across government in risk management.

The VMIA’s internal structure is based on the delivery of best practice risk management and insurance products and services to our clients. These services will assist in lifting the level of risk management skills and aid the improvement of risk management practice across the public sector.

Due to the VMIA’s role in developing a centre of excellence in risk management for the Victorian State Government, it is well placed to develop organisation wide risk management guidelines for the public sector.


2.7 The need for a risk management guide

The effective management of risks across the Victorian Public Sector (VPS) is critical to ensuring that organisations can deliver on their commitment to the Victorian community. Greater scrutiny over service delivery standards and the expenditure of public funds has required an increased emphasis on the design and implementation of robust risk management practices to enable public agencies to minimise risks in relation to their activities.

A number of factors have contributed to increased focus on risk management among Victorian Public Sector organisations. The key factors are:

Victorian Auditor-General’s Office (VAGO) Risk Management Audits

The Victorian Government Risk Management Framework.

These are described further below.

2.7.1 Victorian Auditor-General’s Office risk management audits

An audit “Managing Risk Across the Public Sector” conducted by the Victorian Auditor-General’s Office (VAGO) in 2003, found that risk management was not yet an established or mature business discipline and that public sector organisations did not rigorously assess risks and evaluate risk controls.

The 2003 audit recommended that the public sector be provided with risk management guidelines, processes and procedures. It also recommended that agencies formally identify, assess and manage risks, and that risk criteria link to government policy and organisational objectives.

VAGO conducted a follow-up audit in 2007 “Managing risk across the public sector: Toward Good Practice” to determine whether satisfactory progress had been made by departments and selected agencies in developing appropriate risk management frameworks and in applying risk management principles in their organisation.

It is important to emphasise that the Guide is not intended to duplicate or replace the Risk Management Standard or the companion guidelines to the standard, which are excellent documents, endorsed and supported by the VMIA.

The guide is intended to reinforce the key elements and principles of risk management with pragmatic advice, tips and guidance, tools and enablers to support the advancement of risk management across the Victorian Public Sector.

We recommend those interested in promoting risk management familiarise themselves with the Risk Management Standard and any associated companion guidance documents.

The key findings of the audit included:

central agencies have provided guidance on risk management through legislation, ministerial directions, and portfolio guidelines, but these are not comprehensive

departments and agencies have adopted adequate risk management strategies, frameworks and processes that enable them to apply risk management across their organisations

most departments and almost all agencies did not align their risk assessments to their corporate goals

departments and agencies prepared risk reports, most of which did not contain sufficient details to enable a clear understanding of how risks are being managed

all departments and agencies have an audit committee with responsibility to provide oversight of risk management. Almost all of them did not formally endorse the organisation’s risk management framework and risk profile for currency and appropriateness

almost all audited organisations use the standard, but have placed more emphasis on risk assessment (identification, analysis, and evaluation) than on the management of risks (risk treatment, monitoring, review).


VAGO noted in its report that the public sector needs clear guidelines, including minimum standards, about what is expected from them when managing risks. VAGO requested specific guidance on:

The content of policy and risk management frameworks

The roles of the secretary, board and executive management; the risk coordination unit/branch; the audit committee; and internal audit

Applying risk management standards throughout the whole organisation

Linking risk assessments to corporate goals

Developing risk registers and risk profiles

The content of risk reports to executive management and audit committee.


2.7.2 Victorian Government Risk Management Framework (VGRMF)

The Department of Treasury and Finance released the Victorian Government Risk Management Framework (VGRMF). The framework has been developed in consultation with a broad range of stakeholders, including government departments, the State Services Authority and the VMIA.

A key benefit of the framework is that it brings together information on governance policies, accountabilities and roles and responsibilities for all those involved in risk management. It also provides a central resource with links to a wide range of risk management information sources.

Key elements of the framework include the adoption of the Standard across public sector entities, and an attestation by the accountable officer that risk management processes are in place, risks are effectively controlled and managed, and that the risk profile of the organisation has been critically reviewed within the last 12 months.

This framework formalises and builds upon existing processes, as part of the Government’s commitment to continuous improvement in public sector governance. The framework also seeks to provide a reference for agencies with regard to the use and application of the standard from an organisation wide perspective.

These requirements are documented in Standing Direction 4.5.5 of the Minister for Finance.

2.7.2.1 Key elements

The framework seeks to strengthen risk management through the key elements noted below:

1. All risk management frameworks and processes must as a minimum requirement, be consistent with the key principles of the Standard, or designated equivalent.

2. An attestation from agency heads in annual reports that:

risk management processes are in place consistent with the Standard

an internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures

the risk profile of the department or agency has been critically reviewed within the last 12 months


a responsible body or audit committee verifies that view.

3. The framework also promotes the need to address interagency and statewide risks when developing and implementing risk management processes.

It is recommended that all public sector agencies adopt the framework as a part of good governance and corporate planning processes. However, application of the framework is required by those agencies that report in the Annual Financial Report (AFR) for the State of Victoria. This represents approximately 300 public bodies. The majority of these agencies are VMIA clients.


2.7.2.2 Interagency and statewide risks

The VGRMF promotes the need to address interagency and statewide risks when developing and implementing risk management processes.

The boundaries between the public and private sectors are becoming more porous, requiring a more holistic view of project or service delivery risk. Equally, the public sector is operating in an environment of shared accountabilities, which cut across specific agency responsibilities and require a coordinated interagency approach to risk management.

In this context it is important that risks with the potential to impact across agencies or at a whole-of-government level are communicated or escalated through to potentially affected agencies to enable a coordinated, effective and timely approach to risk management.

2.7.2.3 Risk definitions

Whole-of-government or statewide risks are those risks that will affect the Victorian Community at large. They may be beyond the boundary of one agency to respond to and require a collective, central agency or whole of government response.

Interagency risks are those risks affecting the operations of one or more departments or agencies and which may impact the service delivery of other departments or agencies.


Example: climate change. Climate change will affect the whole community at almost every conceivable level. It requires strong leadership from government in establishing policy parameters and action plans for a coordinated response.


Risks that impact more than one agency and cannot be managed by one agency or at interagency level such as the impact of an ageing population or climate change may require central government coordination of policy initiatives and implementation strategies.

Agency risks are those risks specific to the operations of a single department or agency.

2.7.2.4 Existing whole-of-government processes for managing risk

Current legislation that defines and assigns risk management responsibilities and accountabilities for monitoring and reporting risk includes the:

Victorian Managed Insurance Authority Act 1996

Financial Management Act 1994

Public Administration Act 2004.

Existing whole-of-government processes for managing risk are aligned with legislative requirements, so that oversight of financial, insurable and non-financial risks is undertaken at the whole-of-government level by the:

Department of Treasury and Finance (DTF)

Department of Premier and Cabinet (DPC)

Victorian Managed Insurance Authority (VMIA).

Department of Treasury and Finance

Whole-of-government economic and financial risk management is supported by the Department of Treasury and Finance in partnership with departments and agencies so that financial matters requiring government decisions are escalated to the Treasurer, the Minister for Finance and/or the Expenditure Review Committee of Cabinet. Committee membership includes the Premier, the Treasurer and the Minister for Finance.

Department of Premier and Cabinet

There are a number of ways in which risks unable to be managed at agency level are currently escalated or reviewed at a whole-of-government level. These include regular monitoring and reporting processes and reports and submissions to Cabinet and Cabinet Committees. The Department of Premier and Cabinet plays a role in this process by providing briefings on submissions and secretariat support to Cabinet committees.


Example: Department A changes the funding conditions attaching to community service organisation funding models which ultimately result in a loss of funding and thus withdrawal of services provided by community service organisations. Withdrawal of services results in a shift in demand and impacts upon service demands placed upon Department B.


The Victorian Managed Insurance Authority

The role of the VMIA includes the provision of strategic and operational risk management advice, tools and training to support increased awareness of the risk exposure at the agency, interagency and whole-of-government level. The VMIA’s risk management functions include:

assist departments and agencies to establish programs for the identification, quantification and management of risk

monitor risk management by departments and agencies

provide risk management advice to the State

provide risk management advice to departments and agencies.

As noted in the Victorian Government Risk Management Framework the VMIA is also charged with developing and maintaining a statewide risk register.

It is widely recognised that the complexity and connectivity of government and the private sector make the management of interagency and statewide risk a significant challenge and one not likely to be achieved through a single systemic solution.

In supporting its risk advisory role to the State the VMIA currently captures risk information in a number of ways, including but not limited to:

risk framework quality review process, which includes identification of the top five agency, interagency and statewide risks

site risk survey process, which examines public liability and property exposures

identifying national and international research

collaboration with interstate peers, industry experts and consultants

participation in national and international forums on risk and insurance

collaboration/participation with departments and agencies involved with risk initiatives and projects

analysis of insurance claims, trends and litigation.

Inter-agency risks – Joined-up government

1.6 That departments and agencies ensure that risk management arrangements are established for all joined-up government initiatives, particularly in the governance arrangements for the initiatives.

Statewide risk management framework

1.8 That DTF, DPC and the VMIA, in consultation with other key stakeholders, develop guidelines for identifying, assessing, managing, escalating and reporting statewide risks.

Departments and agencies are encouraged to actively engage in the processes noted above and support the VMIA in efforts to improve risk management across the state and raise interagency and whole-of-government risks to the attention of government.


In line with good risk management practice, agencies with responsibility for supporting the government in management of risk at a whole-of-government level will continue to investigate and apply systems to improve the coordination of processes for identifying, assessing, managing, escalating and reporting interagency and multi agency risks.


3 Developing a risk management framework

3.1 Overview

A risk management framework aims to assist an organisation to manage its risks effectively through the application of the risk management process at varying levels and within specific contexts of the organisation. Such a framework should ensure that risk information derived from these processes is adequately reported and used as a basis for decision making at all levels.

3.1.1 What is a risk management framework?

A risk management framework is defined by the Australian Standard as:

Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.

The Standard notes that the framework can include:

the policy, objectives, mandate and commitment to manage risk

the organisational arrangements, including plans, relationships, accountabilities, resources, processes and activities

and that it should be embedded within the organisation’s overall strategic and operational policies and practices.


Page 19: Risk framework

3.1.1.1 Purpose of a risk management framework

The purpose of establishing an organisational risk management framework is to ensure that key risks are effectively identified and responded to in a manner that is appropriate to:

the nature of the risks faced by the organisation

the organisation’s ability to accept and/or manage risk/s

the resources available to manage risks within the organisation

the organisation’s culture.

Ultimately risk needs to be managed so that the organisation maximises its ability to meet its strategic objectives as well as associated operational targets and goals.

3.1.1.2 “Hard” versus “soft” aspects of risk management

For a risk management framework to be effective, there must be an appropriate balance in focus on both the “hard” aspects of risk management (i.e. processes and structures) and the “soft” aspects (i.e. culture and people).

For example, an organisation may have highly sophisticated processes and structures established to manage risks. However, unless these structures and processes are supported by management and staff with the appropriate competencies, attitudes and behaviours, the framework will most likely be ineffective.

The Standard defines risk management as the culture, processes, and structures that are directed towards realising potential opportunities whilst managing adverse effects. This is illustrated in the following figure.

This guide encapsulates both “hard” and “soft” risk management aspects:

Section 3 (Developing a risk management framework) focuses primarily on designing the hard aspects of a framework (structures and processes)

Section 4 (Implementing a risk management framework) focuses on developing tailored risk management processes in accordance with The Standard and on developing an appropriate risk reporting regime (both from a procedural and structural perspective). Section 5.4, which focuses on the soft aspects of risk management, provides guidance on how organisations can develop and enhance a risk management culture.

Section 5 (Monitoring and enhancing a risk management framework) focuses on review, monitoring and continuous improvement of risk management structures and processes, as well as risk management culture and capabilities.

3.1.2 What are the minimum requirements?

In accordance with the Victorian Government Risk Management Framework, an organisation’s risk management framework and processes must at a minimum be consistent with the key elements of The Standard.

Figure: The “Soft” and “Hard” aspects of risk management – Culture (people), Processes and Structures. Risk Management: Coordinated activities to direct and control an organisation with regard to risk (AS/NZS 31000:2009).

The key elements of the risk management standard are:

Communicate and consult – communicate and consult with internal and external stakeholders as appropriate at each stage of the risk management process and concerning the process as a whole

Establish the context – establish the external, internal, and risk management context in which the rest of the process will take place. Criteria against which risk will be assessed should be established and the structure of the analysis defined

Identify risks – identify where, when, why, and how events could prevent, degrade, delay, or enhance the achievement of organisational objectives

Analyse risks – identify and evaluate existing controls. Determine consequences and likelihood and hence the level of risk. This analysis should consider the range of potential consequences and how these could occur

Evaluate risks – compare estimated level of risk against the pre-established criteria and consider the balance between potential benefits and adverse outcomes. This enables decisions to be made about the extent and nature of treatments required and about priorities

Treat risks – develop and implement specific cost-effective strategies and action plans for increasing potential benefits and reducing potential costs

Monitor and review – monitor the effectiveness of all steps of the risk management process. This is important for continuous improvement. Risks and the effectiveness of controls and risk treatments need to be monitored to ensure changing circumstances do not alter priorities.

Section 4 provides further guidance on how the key principles and elements of The Standard can be practically applied for various areas/levels within an organisation.

Figure: Risk management process – establish context, identify risks, analyse risks, evaluate risks (identify, analyse and evaluate together form “Assess Risk”) and treat risks, with “Communicate and Consult” and “Monitor and Review” running alongside every step.

3.1.3 Linking risk management with other processes

Risk management is not a stand-alone discipline. In order to maximise risk management benefits and opportunities, it needs to be integrated with existing business processes. The following lists some of the key business processes with which risk alignment is necessary.

Internal audit

Internal audit reviews the effectiveness of controls. Alignment between the internal audit function and that of the controls within the risk management process is critical, and the role/s of risk and compliance/ internal audit manager will seek to align these core processes.

The requirement to follow a risk-based approach to internal audit planning, means that risk management outputs, particularly risk assessment outcomes and risk profiles need to be available as an input to the internal audit function.

Similarly, internal audit plays a critical role in the risk management process, specifically in identifying and assessing operational risks, as well as providing assurance that specific risk controls are well designed and are operating effectively.

Business planning (including budgeting)

Identifying risk during the business planning process allows realistic delivery timelines to be set for strategies/activities, or the choice of removing a strategy/activity if the associated risks are too high or unmanageable. The impact of changing risk levels over the year can then be mapped to the relevant objective, enabling more timely expectation management with key stakeholders.

Client Comment:

What benefits can now be seen from establishing a Risk Management Framework?

“The benefits are manifold:

At a simplistic level, we are now compliant with the Whole of Victorian Government risk management framework and are aligned to the Risk Standard 4360, so can fulfill the requirements of the risk attestation.

It has made explicit the management of risk and therefore resources can be diverted towards management and monitoring.

It has provided objective support for making risk a priority and for aligning it more closely with the audit function.”

…Risk Manager Department of Justice

Performance management

Individual performance plans should include all risk responsibilities, whether a general responsibility to use the risk management process or specific responsibilities such as risk ownership or implementation of risk treatments.

3.1.4 Linking strategic planning and risk

Risk management is a process that aims to enhance an organisation’s ability to meet its strategic and operational objectives. Equally, risk management outputs provide boards, executive and management with valuable insights and information that support improved decision making and planning.

To maximise the benefits of risk management, it is important that risk management processes be integrated as closely as possible into existing strategic planning and operational processes.

Strategic and operational planning is about the formulation, implementation and evaluation of cross-functional decisions that will enable the organisation to achieve its objectives. Risk management is designed to identify, analyse, evaluate, treat and monitor those risks, identified through the strategic and operational planning process, that could prevent the achievement of those objectives.

The diagram below shows how the strategic and operational planning process should be integrated and linked to the risk management process. Integrating strategic planning and risk management improves performance and helps organisations implement strategies and achieve objectives.

Figure: Linking strategic planning and risk – the Strategic & Operational Planning Process (Identify Objectives, Strategy Formulation, Strategy Implementation, Feedback/Update Strategy, with Monitor Control & Execution Gap) aligned with the Risk Management Process (Establish Context, Identify Risks, Analyse Risks, Evaluate Risk, Treat Risk).

Client Comment:

“Our hospital produces a strategic plan every three years that guides the organisation’s future direction, and reflects the government’s broad healthcare objectives and vision. In addition a business plan is produced annually, which is translated into annual business unit targets, budgets and performance scorecards.

Before finalising the strategic and operational plans, the Executive and Board jointly discuss and score the ‘big-ticket’ risks that could hinder our ability to deliver on the strategy, operational plans and budgets. This is usually done in a formal ‘risk workshop’ that is facilitated by an external facilitator.

Based on these debates we may decide to: revise the strategy or operational plans, or to implement additional controls or monitoring mechanisms for high risk areas/ processes.

When brainstorming and rating the organisation’s strategic risks the Board and Executive prefer to start with a blank page rather than work through all of the risks in the risk register. Our risk officer subsequently updates the risk register to incorporate any new risks identified and adjustments to risk information already in the register.

Since involving the Board in annual risk workshops, I have noticed that they are more supportive of risk reporting initiatives and take a specific interest in progress on managing risks that they have identified during the planning workshops.”

…Executive Management Team Member, Regional Hospital

3.1.5 Incorporating risk management within projects

Many public sector agencies, particularly in the infrastructure cluster, use projects and project management approaches to deliver on their mandates. Projects can be distinguished from normal business processes by the fact that projects have a:

Defined start and end date

Clearly documented set of deliverables or outputs that need to be delivered on time, within an agreed budget and in accordance with pre-defined quality criteria for the project to succeed.

Project success criteria and budgets and accountabilities are defined and agreed before the project commences.

Many of the principles of project management are now being applied to ongoing business processes to improve accountability, monitoring and business performance.

Organisations that regularly undertake significant projects should already have project management methodologies in place. Common methodologies include: The Victorian Public Sector’s Gateway standard, PRINCE and PMBOK. Such methodologies commonly stipulate the requirement and approach to managing risk within the project (project risk).

When establishing your organisational risk framework, consider:

Including project management risk as a category of risk against which you report.

Whether all project risks are reported in the organisational risk register or whether the project/ programme manager should maintain a separate risk register per project, with only strategic or extreme risks being incorporated into the main risk register, and project risk profiles being reported to the project steering committee. The VMIA recommends the latter option.

Establishing customised Likelihood and Consequence scales for major projects – a cost over-run of 100% of a project budget may be Extreme within the context of the project, but only Moderate or Low within the broader organisational context. Similarly, many organisations use project-specific Consequence descriptors, for example:

− Time/ Timeframes exceeded

− Cost (budget over-runs)

− Quality (project does not deliver pre-defined quality/ functionality criteria)

− Reputation (adverse publicity, laws breached etc.)

Frequency of reporting on project risk – typically more frequent than organisational risk updates and reporting. It is common for risk updates to be provided to the steering committee whenever they meet.

The VMIA will, in future, be working with Public Sector stakeholders, on developing a more comprehensive approach to managing project risk.

Client/ VMIA Perspective:

Is project risk well managed in departments and agencies?

“In my experience, many organisations do not dedicate adequate priority and resources to managing risks on major infrastructure or IT projects, or do not have the capacity to implement and adhere to project risk management systems.

A common mistake is to perform project risk assessments and risk monitoring/ treatment techniques too late in the project lifecycle – for example by performing risk assessments after project implementation has started, or even after the project is completed (i.e. a post-implementation review).

Experience has shown that the best time to initiate a project risk process is during the project planning/ scoping phase. This prevents ‘risk or mistakes’ being designed into the project plan, budget or deliverables.

Another area where clients could improve project risk management is by clearly defining both the risk governance and escalation criteria for major projects. An organisation can deliver successful projects by defining thresholds or triggers that help identify an unacceptable or potentially severe risk, as well as identifying the project/ organisational management that need to be informed of these risks.

For example, a particular project risk management plan might specify tolerance and escalation thresholds so that project risks meeting the following criteria are escalated to appropriate authorities/ stakeholders:

Budget over run in excess of 30% of project/ program budget

Completion date exceeded by more than 2 months

Core project outcomes at risk

Risk of significant damage to organisation’s reputation or breach of legislative requirements.”

3.2 Key considerations when developing a risk management framework

Most Victorian departments and agencies have already adopted risk management practices and frameworks, which, to a greater or lesser extent, are consistent with the Risk Standard.

Before developing or revising a risk management framework, the organisation should critically review and assess those elements of the risk management process that are already in place.

Some of the key questions that need to be answered are:

How advanced should the risk management framework be?

How effective are current risk management practices?

What is the most effective and efficient way of closing the gap?

These questions are explored in further detail in the following sections.

3.2.1 How advanced should a risk management framework be?

An organisation’s risk management framework should ensure that key risks are effectively identified and responded to in a manner that is appropriate to the organisation.

No single risk framework will be appropriate for all organisations. Every organisation’s board and executive should decide on the appropriate level of risk management sophistication that they aspire to achieve. The desired level of risk maturity may change over time to reflect changes in the organisation’s complexity, size and risk appetite.


A number of external and internal factors would need to be considered to determine the appropriate level of risk management maturity. Some of the most important factors are discussed in the following sections.

Figure 2.2: Context for Risk Management – Understanding the context for risk management. External environment: Cultural, Political, Regulatory, Financial, Economic. Internal environment: Strategies, Objectives, Capabilities, Processes, Structure, Systems, Culture.

3.2.2 How effective are current risk management practices?

When reviewing the effectiveness of current risk management practices, it is necessary to consider both the “hard” and the “soft” aspects of risk management. The two key questions that need to be answered are:

Are the current risk management practices and framework “fit-for-purpose” given the organisational context (e.g. objectives, size, complexity, structure, culture, risk appetite etc.)?

Are they operating as anticipated (i.e. do people do what they are expected to do)?

There are many approaches that an organisation can adopt when assessing the appropriateness of its current risk management practices. For example:

VMIA’s self-assessment questionnaire used during the Risk Framework Quality Review (RFQR)

VAGO’s Good Practice Guide

HB158 Providing Assurance on 4360 Risk Management.

HB158 Providing Assurance on 4360 Risk Management can be purchased from Standards Australia at www.standardsaustralia.com.au.


Toolkit reference:

Appendix Q: VAGO Good Practice Guide


3.2.3 Towards organisation wide risk management

There are many names to describe the approach used when looking at all risk across a company, organisation or entity. Such an approach can be referred to as enterprise wide, whole of entity, organisation-wide, holistic, integrated etc.

For the purposes of this guide, and to reflect common practice within the Victorian Public Sector, the term organisation-wide has been used to describe this approach.

In general, organisation-wide risk management is the risk management practices that aim to look at all risk across a company, organisation or entity. There are many competing definitions and several frameworks that attempt to define organisation-wide risk management, but no universally accepted definition or standard. This is probably because organisation-wide risk management, in practice, is different depending on the background of the practitioner, the size and nature of the company and the time at which organisation-wide risk management was adopted.

Organisation-wide risk management is a holistic approach to managing and prioritising responses to critical risks across the organisation in a manner that will support business strategy and plans. Effective risk assessment fundamentally consists of risk identification and evaluation across all areas of the organisation, followed by a process to ensure that critical risks are treated and managed in accordance with the organisation’s risk appetite.

Organisation-wide risk management seeks to provide a consolidated view of risk across the organisation. The scope of organisation-wide risk management therefore encompasses the use of common risk language, risk assessment techniques and response strategies across all functional and risk/assurance functions within the organisation, for example:

occupational health and safety risk

loss control and internal audit

legal and regulatory compliance risk

IT and information security

healthcare clinical risk

strategic risk.


Whilst physical hazards and financial management represent significant sources of risk for most organisations, other risk areas such as operational and strategic are often neglected. For many organisations, strategic and operational risks may be the greatest threat to achieving strategic objectives and meeting stakeholder expectations.


For example, misaligned products, supplier problems and cost overruns all apply equally to the public sector and indicate that organisations need to pay increased attention to identifying and managing their strategic and operational risks. This will assist in achieving objectives and delivering on stakeholder expectations.

Public and private sector organisations are increasingly adopting organisation-wide risk management frameworks that provide a holistic approach to identifying, assessing, managing, monitoring and prioritising responses to all critical risks across the organisation in a manner that supports business strategies and plans. The chart below illustrates the key attributes of an organisation-wide risk management framework.

Chart: Risk Management Maturity – from “Basic” (“Traditional” risk management) through “Mature” to “Advanced” (organisation-wide / enterprise-wide risk management).

“Traditional” risk management:

Emphasis on protecting assets

Focus on physical and financial assets

Risks managed within functional silos

Inconsistent approaches

Organisation-wide risk management:

Board/executive support of risk management

Clear accountabilities

Appropriate risk oversight structures

Dedicated risk management coordinator

Explicit consideration of both operational and strategic risks

Risk management integrated with operational and general management processes

Clear accountability and timeframes for treatment of risks

Differentiated risk reporting tailored to specific stakeholders

Regular reviews of risks and risk management processes

3.2.3.1 Optimising risk management maturity

When determining an organisation’s desired risk management maturity, the objective should be to maximise the value created through the risk management framework and practices.

The value of risk management can be defined as follows: Value = Benefits – Costs

The cost side of the equation is normally relatively easy to quantify, and would include:

direct costs associated with increasing the maturity of the organisation’s risk management framework, as well as the direct costs associated with maintaining the desired level of risk management maturity

indirect costs associated with increased focus on risk management activities. This will effectively be the opportunity cost associated with the additional time spent on risk management activities by management and staff.

The benefits of risk management are often harder to quantify. Some of the benefits typically achieved by organisations with “advanced” risk management practices include:

appropriate balance between realising opportunities for gains while minimising losses

better corporate governance, including risk oversight

improved decision-making and facilitating continuous improvement in performance

organisations that manage risk effectively and efficiently are more likely to achieve their objectives and do so at lower overall cost.

The chart below illustrates the value associated with increasing risk management maturity.

Chart: Optimising Your Risk Management Maturity – risk management value ($, Benefits – Costs, from Low to High) plotted against risk management maturity (Basic, Mature, Advanced); the curve peaks at the optimal risk management maturity.

Key observations:

target risk management maturity will differ for each organisation depending on a range of internal and external considerations as outlined above.

the value of increasing an organisation’s risk management maturity will increase as long as the benefits exceed the costs. However, the increase in value is not linear. For example, the value of shifting an organisation’s maturity from ‘basic’ to ‘mature’ is normally higher than from shifting from ‘mature’ to ‘advanced’. This is because most organisations can move from ‘basic’ to ‘mature’ without spending significant resources while the benefits are likely to be significant. Moving from ‘mature’ to ‘advanced’ is more expensive, as it typically requires significant investments in software and other infrastructure, as well as significant time commitments by management and staff.

improving risk management maturity requires time and resources. Time can to some extent be substituted by increased focus/effort. Accordingly:

– an organisation with limited resources and low risk management commitment would take a very long time to reach the desired level of risk management maturity

– organisations with extensive resources and a strong commitment to rapidly enhancing their risk practices may be able to shorten the time required to reach their desired level of risk management maturity.

improving risk management maturity requires balanced enhancement

developing a proactive risk management culture and embedding/integrating risk management practices in business processes always takes time.

3.2.4 What is the most effective and efficient way of closing the gap?


Once the organisation has taken a critical look at the effectiveness of the current risk management practices and determined an appropriate level of risk management maturity, it needs to figure out how to get there.


3.2.4.1 Developing a plan

The likelihood of successfully enhancing the maturity of your risk management framework to the desired level increases dramatically if you plan it well. The best way to do this would often be through the development of a formal risk management strategy or plan, and associated risk policy and procedure documents – this will outline how the organisation intends to achieve its targeted level of risk management maturity while clarifying the responsibility and processes for achieving risk management goals.


Toolkit reference:

Appendix B: Risk management strategy - template

Appendix C: Risk management policy - template

Appendix D: Risk management procedure – template

Appendix Q: VAGO good practice guide

Client Comment:

What aspects of risk management did your organisation struggle with? How did you overcome them?

“We initially struggled with a negative perception of risk management as the previous incumbent had assiduously followed all elements of 4360 – thus making the risk process very complex and hard to engage with. As a result, the risk function had been devolved to those who could become experts or who had the time to devote to it - generally not those in management.

This was overcome by stripping the risk process back to its functional elements and focusing on using risk as a tool. Risk also had to be re-presented in a manner that engaged the target audience - for example the executive, looking at the overall context of risk and then drilling down to the state, private sector and departmental level.

Trust in the risk process and benefits associated with participation in updating the risk register also had to be developed and built upon. By making explicit the benefits and the associations of risk as a tool (for example, being used to develop the audit workplan), trust was slowly gained. This is an evolutionary process.

Having some aspects of risk management as mandatory (Victorian Government risk management framework and risk attestation) has supported this process.”

…Risk Manager General Government

The above templates are examples of information commonly contained within risk documentation. However, the content and level of detail should always reflect the specific context of the organisation and its preferences, size and overall business strategy.

3.2.4.2 Avoiding the common pitfalls

Common areas where organisations struggle with embedding risk management include:

ensuring business planning is integrated with risk management

better defining risk descriptions

improved identification of inter agency risk management

aligning risk committee and boards with what's happening on the ground

linking internal audit and risk management

improving the quality and content of risk registers

embedding operational risk management

identifying controls and their effectiveness

allocating accountability for risk

improving risk reporting and measurement

project risk management.

3.2.4.3 Characteristics of high achievers

The VMIA has identified through the Risk Framework Quality Review program that those organisations with well developed and embedded risk frameworks exhibit the following characteristics:

commitment from the executive and board

integration of risk and corporate planning processes

well defined governance framework

strong reporting processes

risk support systems, processes and infrastructure for managing risk

clearly defined roles and responsibilities

strong risk culture.

The following thoughts reflect one organisation’s view on the essential elements that need to be in place to ensure the success of a risk management initiative:

Client Comment:

What lessons have you learned about the requirements for successfully implementing and improving your risk management framework?

“Success relies on...

Demonstrating how risk management can be used in everyday decision making to add value.

Writing risk management documents using 'non-threatening' almost conversational language.

Ensuring risk management expectations are achievable - don't put stuff in policy docs that you've got no hope of achieving.

Busy people want to know that you've got empathy for the challenges they face everyday - this must be reflected in the framework.

Having the executive group demonstrating commitment to the risk framework, not just verbally endorsing it!!

Don’t push to implement at a pace the organisation can't keep up with - this will turn Risk Management into a compliance exercise rather than a cultural change.”

…Risk Manager Austin Health


3.2.4.4 Public Sector challenges

There are many challenges in implementing a successful organisation wide risk framework. Some of the more compelling are:

competing objectives of delivering more with less

risk compliance often competes with “risk culture”

public sector risk management expertise

the public and private sector are becoming more connected requiring a whole-of-government approach to risk management

attaining risk maturity is a long road.

To those that overcome the challenges, some of the benefits to be reaped include:

strengthened corporate governance processes

improved controls assurance

more informed decisions aligned to delivery of objectives

a source of competitive advantage, and

improved shareholder/stakeholder value

3.2.4.5 Key messages in developing your framework

In the VMIA’s experience, delivering risk management within government is complex, but the benefits are tangible. To be successful an organisational risk management framework must be driven from a strategic position down and across the organisation and be supported by a strong risk management culture.


You are best to start with the basics and implement progressively over time. Identify the value drivers of risk management as a key to success and build upon these quick wins.

Developing an organisational risk management framework is as much a cultural journey, as it is about systems and procedures. Don’t forget to focus on people and principles when progressing your framework.

…Manager, Strategic Risk, The VMIA

3.3 Documenting a framework

3.3.1 Why is risk management documentation important?

Documenting an organisation’s risk management framework and recording each step of the risk management process is critical for a number of reasons, including:

demonstrating to stakeholders that the process has been conducted properly

providing evidence of a systematic approach to risk identification and analysis

enabling decisions or processes to be reviewed

providing a record of risks and developing the organisation’s knowledge database

providing decision makers with a risk management plan for approval and subsequent implementation

providing an accountability mechanism and tool

facilitating ongoing monitoring, review and continuous improvement

providing an audit trail

sharing and communicating information.

3.3.2 What are the attestation requirements?

The Victorian Government Risk Management Framework does not prescribe the type and extent of documentation required to satisfy the attestation requirements. However, departments and agencies must have sufficient documentation to demonstrate that:

a risk management process is in place consistent with the Standard (or equivalent designated standard)

monitoring and review activities have been conducted and they confirm the effectiveness of the risk management process in controlling the risks to a satisfactory level

a responsible body or audit committee verifies that view.

3.3.3 What needs to be documented

The following areas of your organisation’s risk management framework need to be documented:

objectives and rationale for managing risk

accountabilities and responsibilities for managing and overseeing risks

processes and methods to be used for managing risks – i.e. how the AS/NZS4360 Risk Management process will be applied in the organisation

commitment to the periodic review and verification of the risk management framework and its continual improvement

the way in which risk management performance will be measured and reported

resources available to assist those accountable or responsible for managing risks

organisation’s risk appetite translated into risk rating criteria

links between risk management and the organisation’s objectives

links between risk management and other processes and activities

scope and application of risk management within the organisation

requirements for recording and documentation of the risk management process (e.g. communication plan, stakeholder analysis, risk register, risk profile, and risk reporting).

3.3.4 Is there a preferred way to structure your documentation?

The Standard does not prescribe how organisations should structure their risk management framework documentation but proposes the following be included in a risk framework:

Objectives


Mandate and commitment to manage


Operational policies

Procedures and practices

Risk management plan/s and allocation of responsibilities.

Some organisations may include all of the above components in a single plan, or may create separate policy, procedure and plan documents. As long as the required areas of the framework have been documented (as outlined in Section 4.3.3), it is up to the organisation to select an appropriate document structure.

An example of how key framework elements could be documented is shown below:

Risk Management Framework Documentation

Risk Management Policy: intentions and direction; risk management purpose/objectives; key roles and responsibilities; risk management governance arrangements; procedures.

Risk Management Procedure: detailed roles and responsibilities; detailed description of process steps; risk rating scales; risk reporting templates; risk management activities.

Risk Management Plan: scope of risk management; strategy and approach; resources; procedures; responsibilities; sequence and timing of activities; “roadmap” for enhancement of risk management practices.

The above framework documents typically include, or are accompanied by, detailed documentation such as:

charters for the board, board audit committee, board risk committee, executive committee, internal audit function etc

position descriptions describing risk responsibilities

risk management tools, templates and guidelines

risk management training schedule/s

risk register/s

operational plans for risk treatment

risk management reports.


Indicative content of core risk management framework documentation is included in the following sections.

3.3.5 Risk management strategy

A risk management strategy typically documents factors such as:

objectives and rationale for managing risk

the organisation’s overall appetite/tolerance for risks

the organisation’s strategic objectives and the strategies deployed to achieve these objectives

key risks associated with these strategies within a one to three year time frame

the organisation’s high level approach to managing these risks

a plan for progressive enhancement of the organisation's risk management practices and competencies, including key risk management initiatives.

The following key questions would need to be answered in the process of formulating a risk management strategy:

what are the organisation’s key objectives and strategies?

what are the risks associated with these?

how is the organisation assessing, managing and monitoring these risks?

are the risk management processes working effectively?

There is no prescribed format for how a risk management strategy should be documented. Some organisations:

disclose their risk management strategy in their annual reports

choose to have a separate document, in addition to a risk management policy and procedure document

incorporate their risk management strategy within their Business Plan, outlining how risks associated with business plan objectives will be managed.


A risk management strategy template is appended to this guide, but it is important to recognise that this is only one way of documenting your organisation’s risk management strategy.


3.3.6 Risk management policy

The risk management policy should clearly articulate the organisation's objectives for and commitment to risk management. The policy typically specifies:

accountabilities and responsibilities for managing risk

commitment to the periodic review and verification of the risk management policy and framework, and its continual improvement

links between this policy and the organisation’s objectives

the organisation’s risk appetite (refer to section 4.2.3.4 for further detail)

the organisation's rationale for managing risk

processes and methods to be used for managing risk

resources available to assist those accountable or responsible for managing risk

the way in which risk management performance will be measured and reported.

3.3.7 Risk management procedures

The risk management policy is typically supported by a more comprehensive risk management procedure document outlining the organisation’s detailed approach to managing risk.

Typical content of the risk management procedure includes:

Risk management definitions/language – a common risk language will promote consistent understanding of risk management concepts and provide clarity of communication and action.

Risk management roles and responsibilities – an organisation’s ability to conduct effective risk management is dependent upon having an appropriate risk governance structure and well-defined roles and responsibilities. Risk management roles and responsibilities are discussed in detail in section 3.3.4.

Toolkit reference:

Appendix B: Risk management strategy – template

Appendix C: Risk management policy – template

Appendix D: Risk management procedure – template

Relationship and integration with other initiatives – risk management is not a stand-alone discipline. In order to maximise risk management benefits and opportunities, it needs to be integrated with existing business processes. The integration between risk management and other processes is discussed further in section 3.1.3.

Description of how each step of the risk management process will be applied within the organisation – in accordance with the Victorian Government Risk Management Framework, an organisation’s risk management framework and processes must as a minimum requirement be consistent with the key principles of the Standard.

Overview of the organisation’s risk reporting framework – content, format, frequency and recipients of risk reports. Risk Management reporting is discussed in further detail in section 4.3.

Risk assessment criteria – agreed criteria for assessment of risk likelihood, consequence, and overall risk rating. Risk rating criteria are discussed in further detail in section 4.2.3.

Is it OK to combine risk management policy, strategy, and procedures into a single risk management plan or manual?

Yes. Many organisations have successfully combined these into one document. As long as the right areas are documented, it is fine to have them as one document.

3.3.8 Risk register

A risk register is a comprehensive record of all risks across an organisation, business unit or project depending on the purpose/context of the register (Victorian Auditor General’s Office).

3.3.8.1 Risk register content

At a minimum, the risk register records:

the risk

how and why the risk can happen

the existing internal controls that may minimise the likelihood of the risk occurring

the likelihood and consequences of the risk to the organisation, business unit or project

a risk level rating based on the framework’s pre-established criteria, including an assessment of whether the risk is acceptable or whether it needs to be treated

a clear prioritisation of risks (risk profile)

accountability for risk treatment (may be part of the risk treatment plan)

timeframe for risk treatment.

3.3.8.2 Risk register format

Risk registers may take various forms, including:

Excel/Word based

risk management software/system:

i) internally developed

ii) externally developed (standardised vs. proprietary).

Section 3.5 provides guidance on factors to consider when developing a risk management information system.

Sections 4.2 and 4.3 provide guidance on how each element of the risk management process should be recorded and reported on.

3.3.8.3 Risk treatment plans

Risk treatment plans identify responsibilities, schedules, the expected outcome of treatments, budgets, performance measures and the review process to be set in place.

The risk treatment plan usually provides detail on:

actions to be taken and the risks they address

who has responsibility for implementing the plan

what resources are to be utilised

the budget allocation

the timetable for implementation

details of the mechanism and frequency of review of the status of the treatment plan.


Toolkit reference:

Appendix K: Risk management database – MS Access tool

Appendix L: Risk register – MS Excel template

Appendix M: Risk management register – worked example


Section 4.2.7 provides further guidance on risk treatment plans.

Toolkit reference:

Appendix J: Risk assessment template

3.3.8.4 Risk and risk management reports

Risk and risk management reports are regular reports made available to executive management, boards and audit committees that inform how key risks (statewide risks, strategic risks and emerging risks) are being managed (Victorian Auditor General’s Office).

Some of the basic questions that risk reports should answer include:

what are the risks?

what is the level of each risk?

what has been done about them?

who is responsible for managing the risk?

has the level of risks changed as a result of implementing risk treatments?

what are the risks that need to be escalated to strategic risks?

what are the risks that are no longer regarded as strategic risks and why?

Section 4.3 provides guidance on risk and risk management reporting.


Toolkit reference:

Appendix G: Risk reporting – MS Word templates


3.4 Risk management governance

An organisation’s ability to conduct effective risk management is dependent upon having an appropriate risk management governance structure and well-defined roles and responsibilities.

It is important for everyone to be aware of individual and collective risk management responsibilities. In order for risks to be effectively managed, it is essential to have people behaving in a way that is consistent with the organisation’s approved approach.

This indicates that risk management is not merely about having a well-defined process but also about facilitating the behavioural change necessary for risk management to be embedded in all organisational activities.

3.4.1 Mandate and commitment

Any major organisational initiative needs appropriate sponsorship to be successfully implemented and sustained. Given its importance and strategic nature, risk management requires strong and sustained commitment by the organisation’s board, audit/risk committee, and the CEO / Secretary.

Management should:

articulate and endorse the risk management policy

communicate the benefits of risk management to all stakeholders

define risk management performance indicators that align with organisational performance

ensure alignment of risk management objectives with the objectives and strategies of the organisation

ensure legal and regulatory compliance; and


ensure that the necessary resources are allocated to risk management.

The board, risk committee and executive can all play a lead role in setting the tone for effective risk management throughout the organisation. This can be demonstrated in a number of ways but is often achieved through the authorisation and sponsorship of key risk management documentation that outlines both the ‘why’ and the ‘how’ behind effective risk management.

The board, risk committee and executive can also help to drive effective risk management by incorporating risk management and reporting into the corporate and strategic planning processes, thereby setting an example on how it can be incorporated into normal operations.

3.4.2 Accountability

The organisation should ensure that there is accountability and authority for:

managing risks

adequacy and effectiveness of risk controls

implementing and sustaining the risk management framework/process.

This may be facilitated by:

ensuring appropriate levels of recognition, reward, approval, and sanction

establishing performance measurement and internal and/or external reporting and escalation processes

specifying risk owners for implementing risk treatments, maintenance of risk controls and internal reporting of relevant risk information

specifying who is accountable for the development, implementation and maintenance of the framework for the management of risk.

3.4.3 What are the key factors to consider when developing a risk management governance structure?

A number of factors should be considered when determining an organisation’s risk management governance structure, including:

current organisational structure and authorities

current level of understanding, appreciation, and commitment to risk management by key individuals

current level of change readiness within the organisation (often evolutionary change works better than revolutionary change)

key types of risks faced by the organisation and functions currently managing the key risks


the existence of logical “risk champions” within the organisation.


3.4.4 Indicative roles and responsibilities for risk management

Proactive communication and dialogue with the board and audit/risk committee is a critical element of effective risk management governance. The board and its committees retain an obligation to remain informed not only of the risks to the organisation, but also to the effectiveness of risk management efforts. The board and the audit/risk committee have responsibility to the stakeholders of the organisation to ensure that the risk management framework of the organisation is appropriate to the nature of the organisation and the risks the organisation faces.

A key component of effective risk management governance is to establish clear lines of risk and risk management accountability. The specific roles of the various parties such as the board, audit/risk committee, the CEO/Secretary, executive management, and staff would vary according to the organisational structure, complexity, size and maturity. A sample risk governance structure is illustrated as follows:


Client Comment:

How did you link or integrate your governance and risk frameworks?

“Quite simply, form followed function. In order to best manage risk across the department, a framework was developed and then a governance structure was created to complement and support the risk operations of the department.”

…Risk Manager General Government


[Figure: Risk governance structure – Board; CEO; Risk Committee and Audit Committee (can be combined); Executive & Management; Risk Owners; Staff & Contractors]

A description of roles and accountabilities of each of the key parties to whom risk management duties have been delegated is as follows:

3.4.4.1 Board

The board provides direction and oversight of risk management across the organisation. The board’s key risk management responsibilities may include:

approving the organisation’s risk management documentation including the strategic risk profile, risk appetite and tolerance, risk management policy and risk management procedure

setting the standards and expectations of the organisation with respect to conduct and behaviour, and ensuring that effective risk management is enforced through an effective performance management system

monitoring the management of high and significant risks, and the effectiveness of associated controls through the review and discussion of six monthly risk management reports

satisfying itself that risks with lower ratings are effectively managed, with appropriate controls in place and effective reporting structures

approving major decisions affecting the organisation’s risk profile or exposure.

3.4.4.2 Chief Executive Officer (and Secretary)

The CEO’s / Secretary’s key risk management responsibilities may include:

participating in the review and update of the strategic risk profile


reviewing key risk information, identifying key risk trends and assessing the impact for the organisation as a whole

monitoring the management of high and significant risks and the effectiveness of associated controls through the review and discussion of regular risk management reports

ensuring that adequate processes are being followed in relation to lower level risks

setting the tone and promoting a strong risk management culture by providing firm and visible support for risk management.

3.4.4.3 Audit / risk committee

The audit / risk committee is accountable to the board, and meets and reports to the Board advising of its activities, findings and recommendations, including risk management policies.

The primary objective of the audit / risk committee is to assist the board in discharging its responsibilities to exercise due care, diligence and skill in relation to business operations and to advise on any matters of financial or regulatory significance which may be referred to it from time to time. In addition, the committee is to assist the board in fulfilling its responsibilities relating to compliance by the organisation with legal and contractual obligations.

The organisation may also choose to have an executive risk management committee to promote the coordination and oversight of risk management activities.

3.4.4.4 Executive and management

The executive and management are responsible for the oversight of the risk management framework, including the consideration and review of risk management policies and procedures on an annual basis. The executive and management are also responsible for establishing policies and reviewing the effectiveness of the organisation’s approach to risk management including the status of major business risks.

The typical composition of an executive risk management committee would be:

Core Members:

CEO

Risk Manager

Chief Financial Officer

Operations Manager


Internal Auditor


Occupational Health and Safety Officer

Core service representatives (e.g. in the healthcare sector these may include Allied Health, Nursing, Aged Care etc.)

Optional Members:

Human Resources Manager

IT Manager

Legal Counsel

Other functional specialists

3.4.4.5 Chief risk officer / risk manager

Chief risk officers, risk managers (or equivalent) are typically employed to:

develop, enhance and implement appropriate risk management policies, procedures and systems

co-ordinate and monitor the implementation of risk management initiatives within an organisation

work with risk owners to ensure that the risk management processes are implemented in accordance with agreed risk management policy and strategy

collate and review all risk registers for consistency and completeness

provide advice and tools to staff, management, the Executive and Board on risk management issues within the organisation, including facilitating workshops in risk identification

promote understanding of and support for risk management, including delivery of risk management training

oversee and update organisation-wide risk profiles, with input from risk owners

ensure that relevant risk information is reported and escalated or cascaded, as the case may be, in a timely manner that supports organisational requirements

attend risk committee or audit committee meetings where risk management issues are discussed.

It is important to note that most ‘risk managers’ act primarily as advisors and co-ordinators for risk and do not typically have a direct operational responsibility for specific categories of risk.

Operational responsibility for specific types of risk generally rests with functional area line management. For example, an IT and Systems Manager would take responsibility for managing IT-related risk/s. Some organisations create a risk management job role that incorporates operational responsibility for a particular risk area. For example, the Risk Manager may also act as the organisation’s OH&S Officer.

Regardless of the job title or function it is critical that there be clarity around roles and responsibilities in order to progress risk management throughout the organisation.

3.4.4.6 Risk owners

Risk owners are typically line managers, or functional specialists who assume responsibility for designing, implementing, and/or monitoring risk treatments.

Risk owners may be responsible for the following:

manage the risk they have accountability for

review the risk on a regular basis

identify where current control deficiencies may exist

update risk information pertaining to the risk

escalate the risk where the risk is increasing in likelihood or consequence

provide information about the risk when it is requested.

3.4.4.7 Staff and contractors

It is the responsibility of all personnel, stakeholders and contractors to apply the risk management process to their respective roles. Their focus should be upon identifying risks and reporting these to the relevant risk owner. Where possible and appropriate, they should also manage these risks.

Client Comment:

What does your organisational structure for risk management look like?

“A twofold structure exists.

The first is the reporting lines. The audit and risk committee is the committee that monitors and manages the risk register and gives final approval to the risk attestation. This committee reports findings by exception to the Justice Executive Committee and the Secretary.

Operationally, the departmental risk register is completely reviewed by the Justice Executive Committee on an annual basis. The audit and risk committee then monitor the treatment of risks outlined in the register - this occurs on a monthly basis, or by exception. The divisional registers are completely reviewed on an annual basis and a desktop review is conducted every six months.

Business unit risk registers are a component part of the business planning process and the departmentally endorsed business plan template.”

…Risk Manager Department of Justice

3.5 Risk management information systems

Developing a risk management framework involves identifying the appropriate tools and technology that will help your organisation capture, analyse and communicate risk related information.

The objective is to provide the right information to the right people at the right time to make appropriate decisions with regards to risks.

In general, risk management information systems should possess the capability to:

record details of risks, controls and priorities and show any changes therein

record risk treatments and associated resource requirements

record details of incidents and loss events and the lessons learned

track accountability for risks, controls and treatments

track progress and record the completion of risk treatment actions

allow progress against the risk management plan/strategy to be measured

trigger monitoring and assurance activity.
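The register fields listed in section 3.3.8.1, the report questions in section 3.3.8.4 and the system capabilities listed above can be tied together in one small data model. The following Python is an added example written for this guide's reader; it is not a VMIA tool or template. The five-point likelihood and consequence scales, the product-based rating matrix and its thresholds, the rule that anything rated above the stated appetite needs treatment, and the two sample risks are all assumed or constructed for illustration (the guide defers the actual rating criteria to section 4.2.3).

```python
"""In-memory risk register: rating, treatment tracking and report queries.
Added example, not a VMIA tool; the matrix, thresholds and sample data are assumed."""
from dataclasses import dataclass, field
from enum import IntEnum

# Five-point scales starting at 1 (functional IntEnum API); scale labels are assumed.
Likelihood = IntEnum("Likelihood", "RARE UNLIKELY POSSIBLE LIKELY ALMOST_CERTAIN")
Consequence = IntEnum("Consequence", "INSIGNIFICANT MINOR MODERATE MAJOR CATASTROPHIC")
RATINGS = ("Low", "Medium", "High", "Extreme")  # ascending severity


def rate(likelihood, consequence):
    """Assumed product-based matrix; in practice use the criteria agreed under section 4.2.3."""
    score = int(likelihood) * int(consequence)
    return "Extreme" if score >= 15 else "High" if score >= 8 else "Medium" if score >= 4 else "Low"


@dataclass
class Treatment:
    action: str
    responsible: str
    due: str                 # ISO date, so plain string comparison orders correctly
    complete: bool = False


@dataclass
class Risk:
    risk_id: str
    description: str         # the risk
    cause: str               # how and why it can happen
    existing_controls: list  # controls that currently reduce likelihood
    owner: str               # accountable risk owner
    likelihood: Likelihood
    consequence: Consequence
    treatments: list = field(default_factory=list)
    history: list = field(default_factory=list)  # prior (likelihood, consequence) pairs

    @property
    def rating(self):
        return rate(self.likelihood, self.consequence)

    def previous_rating(self):
        return rate(*self.history[-1]) if self.history else None

    def reassess(self, likelihood, consequence):
        """Record a review; the prior assessment is kept so rating movements can be explained."""
        self.history.append((self.likelihood, self.consequence))
        self.likelihood, self.consequence = likelihood, consequence


class RiskRegister:
    def __init__(self, appetite="Medium"):
        self.appetite = appetite  # highest rating accepted without treatment (assumed rule)
        self.risks = {}

    def add(self, risk):
        self.risks[risk.risk_id] = risk

    def profile(self):
        """Risk IDs prioritised by rating, most severe first (the risk profile)."""
        return [r.risk_id for r in sorted(self.risks.values(),
                                          key=lambda r: (-RATINGS.index(r.rating), r.risk_id))]

    def needs_treatment(self):
        return [r.risk_id for r in self.risks.values()
                if RATINGS.index(r.rating) > RATINGS.index(self.appetite)]

    def movements(self):
        """Risks whose rating rose (escalation candidates) or fell since the last review."""
        up, down = [], []
        for r in self.risks.values():
            prev = r.previous_rating()
            if prev is not None and prev != r.rating:
                (up if RATINGS.index(r.rating) > RATINGS.index(prev) else down).append(r.risk_id)
        return {"up": up, "down": down}

    def overdue_treatments(self, today):
        return [(r.risk_id, t.action) for r in self.risks.values()
                for t in r.treatments if not t.complete and t.due < today]

    def report(self, today):
        """Answers the basic report questions from the register contents."""
        return {"risks": {k: (r.rating, r.owner) for k, r in self.risks.items()},
                "profile": self.profile(), "needs_treatment": self.needs_treatment(),
                "movements": self.movements(), "overdue": self.overdue_treatments(today)}


def sample_register():
    """Constructed sample data (not real risks) for a stand-alone run."""
    reg = RiskRegister(appetite="Medium")
    reg.add(Risk("R1", "Core patient system outage", "unpatched servers, no failover",
                 ["quarterly patching"], "IT Manager", Likelihood.LIKELY, Consequence.MAJOR))
    reg.add(Risk("R2", "Manual data entry errors", "transcription from paper forms",
                 ["peer review"], "Operations Manager", Likelihood.UNLIKELY, Consequence.MINOR))
    reg.risks["R1"].treatments.append(Treatment("implement failover", "IT Manager", "2010-06-30", True))
    reg.risks["R1"].reassess(Likelihood.UNLIKELY, Consequence.MAJOR)   # treatment reduced likelihood
    reg.risks["R2"].reassess(Likelihood.LIKELY, Consequence.MODERATE)  # trend worsened
    return reg


if __name__ == "__main__":
    print(sample_register().report("2010-03-01"))
```

Keeping the previous assessment in `history` is what lets the register itself answer "has the level of risk changed as a result of implementing treatments?" and "which risks need to be escalated?", rather than relying on the risk manager's memory; the same fields map directly onto the columns of a spreadsheet register or a database table.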

This section provides guidelines on identifying suitable tools and technology to enable your risk management framework.

[Figure: Risk information management planning – three steps: (1) Identify your risk management information requirements: risk data you need to capture; who you will capture it from; how you capture risk data; users and their needs. (2) Develop appropriate tools and technology: capturing risk data and information; monitoring and recording; analysis and reporting; communicating. (3) Select appropriate risk management software: cost; functionality; scalability; accessibility.]

3.5.1 Identifying your requirements

The first step in the process of managing risk information is to identify your requirements. The key questions to ask are:

What risk information or data do you need to capture?

How do you capture this risk information?

Who are your end-users and what do they need?


Your requirements will generally involve capturing risk data, monitoring and recording risk information, developing capability to analyse and report risk performance, and communicating relevant and timely risk management information to the right stakeholders.

3.5.2 Developing appropriate tools and technology

Developing the appropriate tools and technology according to your requirements would generally depend on the scale and scope of your risk management framework as well as the stakeholders involved. For instance, who are your users for the tools and technology? Which parts of the business will the tools and technology be applied to?

Choose tools that provide comprehensive, relevant, timely and accurate risk information; this will facilitate better and more informed decision-making.

An organisation may find that the costs associated with acquiring and maintaining software exceed the benefits. In such circumstances, it is probably preferable to invest these resources in improving other areas of risk management – e.g. to fund critical risk treatments/controls, or to train staff.

3.5.2.1 Capturing risk information

To effectively identify risks, it will be useful to have tools that capture risk information from various sources across the organisation, including:

leadership team

business unit managers

selected staff

other stakeholders.

Your tools and technology should be able to capture typical risk management information, including:

actual losses, potential losses, and near miss events

business risk profile, including new and changed exposure to key risks

significant control weaknesses (those that affect significant risks)

progress on action plans to deal with significant risk or control weaknesses.

3.5.2.2 Monitoring and recording risk information

Many organisations use tools and technology with functionality to generate risk reports with information about:

extreme risks


total risk profile


reasons for risk rating movements

risk treatment actions

assurance coverage of key risks

risk management strategy

new and emerging risk issues

detailed risk register.

Details of these types of information are discussed in Section 4.3 of this guide.

3.5.2.3 Capability to analyse and report risk performance

To effectively analyse and report risk performance, you will need tools and technology that:

analyse risks based on quantitative or qualitative parameters

– qualitative risk analysis will require tools that have the capability to classify risks according to categories, impact and likelihood.

– quantitative risk analysis will require tools that have the capability to calculate and/or simulate value of risk.

facilitate ranking or prioritisation of risks

facilitate trend analysis

aggregate risk information at various levels as required by different levels of staff/management.

Section 4.3 further describes how to analyse and report risk performance.

3.5.2.4 Communicating risk management information

Effective communication facilitates awareness, understanding, adoption of and commitment to the risk management framework.

The communication tools you will require would ideally have the capability to:

provide easy reporting on, and access to, risk information for all relevant stakeholders

archive lessons learned from implementing the risk management framework

store risk management policies, procedures and other documents

trace user access to determine reach and utilisation

provide an audit trail to ensure the integrity of information


enable escalation of risk-related issues and incidents.
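The capabilities listed in 3.5.2.2 to 3.5.2.4 (rating by likelihood and consequence, ranking, aggregation at business-unit level, recording the reason for a rating movement, access control and an audit trail) can be seen working together in a small risk register. The following Python sketch is an added example, not code from this guide or from the VMIA; the 5-point scales, rating bands, role names and sample risks are assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib
import json

# Assumed 5-point scales and rating bands; each organisation defines its own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ROLES_MAY_EDIT = {"risk_manager", "risk_owner"}  # assumed access-control policy


def rate(likelihood: str, consequence: str) -> tuple:
    """Qualitative rating: likelihood x consequence mapped onto four bands."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    band = "extreme" if score >= 15 else "high" if score >= 8 else "medium" if score >= 4 else "low"
    return score, band


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str
    business_unit: str
    likelihood: str
    consequence: str

    @property
    def rating(self) -> str:
        return rate(self.likelihood, self.consequence)[1]


class RiskRegister:

    def __init__(self):
        self.risks = {}
        self.audit = []  # append-only; each entry carries the previous entry's hash

    def _check(self, role: str) -> None:
        if role not in ROLES_MAY_EDIT:
            raise PermissionError(f"role {role!r} may not modify the register")

    def _log(self, user: str, action: str, detail: dict) -> None:
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "ts": datetime.now(timezone.utc).isoformat(),
                 "user": user, "action": action, "detail": detail, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def add(self, user: str, role: str, risk: Risk) -> None:
        self._check(role)
        self.risks[risk.risk_id] = risk
        self._log(user, "add", asdict(risk))

    def reassess(self, user: str, role: str, risk_id: str,
                 likelihood: str, consequence: str, reason: str) -> str:
        """Re-rate a risk and record why the rating moved (section 3.5.2.2)."""
        self._check(role)
        risk = self.risks[risk_id]
        before = risk.rating
        risk.likelihood, risk.consequence = likelihood, consequence
        self._log(user, "reassess", {"risk_id": risk_id, "from": before,
                                     "to": risk.rating, "reason": reason})
        return risk.rating

    def ranked(self) -> list:
        """Risks in priority order: highest score first, ties broken by id."""
        return sorted(self.risks.values(),
                      key=lambda r: (-rate(r.likelihood, r.consequence)[0], r.risk_id))

    def summary_by_unit(self) -> dict:
        """Aggregate view for management: count of risks per rating per unit."""
        out = {}
        for r in self.risks.values():
            unit = out.setdefault(r.business_unit, {})
            unit[r.rating] = unit.get(r.rating, 0) + 1
        return out

    def verify_audit(self) -> bool:
        """Recompute the hash chain; False if an entry was altered or removed."""
        prev = "0" * 64
        for i, entry in enumerate(self.audit):
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["seq"] != i or body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> RiskRegister:
    """Constructed sample data for a small health provider (not from the guide)."""
    reg = RiskRegister()
    reg.add("jane", "risk_manager", Risk("R1", "Patient history not captured at admission",
                                         "clinical", "Medical Services", "possible", "major"))
    reg.add("jane", "risk_manager", Risk("R2", "Specialist vacancies above 25%",
                                         "workforce", "Medical Services", "possible", "moderate"))
    reg.add("jane", "risk_manager", Risk("R3", "Payroll processing error",
                                         "financial", "Finance", "unlikely", "minor"))
    reg.reassess("jane", "risk_manager", "R1", "likely", "major",
                 "accreditation review found gaps in the admissions system")
    return reg
```

Extreme risks surface at the head of ranked(), which is where an escalation rule would hook in; verify_audit() detects edited or deleted entries but not removal of the newest entry, which needs an external anchor such as a periodically exported hash.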


3.5.3 Selecting your risk management software

Depending on factors such as size and complexity of an organisation and the nature of the risks it manages, it may be feasible to acquire or develop risk management software to facilitate the recording, analysis, and reporting of risk management information.

The key areas to consider when assessing an organisation’s need for risk management software are:

costs

functionality

accessibility

scalability.

Various risk management software packages are available on the market, meeting different requirements. As a guide, consider the following in choosing the most suitable option.

Costs – Determine the costs associated with the software. How much does the license cost? Ensure that you understand what the licensing conditions are for the software.

Functionality – What are the functions that the software provides? Does it meet all your requirements? Could the software be integrated with other existing tools, technology and systems that your organisation currently has? If not, how much transition effort is required?

Accessibility – Does the software allow users to access it easily, anytime, anywhere, as and when required? Does it provide control of access to ensure the integrity of risk management information?

Scalability – Does the software allow the number of users and functions to be expanded without significant additional costs? If you expand the scope of your risk management framework, will the software still be applicable?


Toolkit reference:

Appendix P: Risk management information systems – checklist


3.6 Checklist – Developing a risk management framework

The following checklist provides a number of questions relating to the development of your organisation’s risk management framework. Considering the answers to these questions will help you check your progress in implementing a robust and flexible risk management framework.

The checklist distinguishes between those elements essential to ensure an effective risk framework and those associated with the relatively mature or sophisticated frameworks typically found in large organisations.

Toolkit reference:

Appendix O: Risk management checklist


# | Section | Requirement | Essential (E)/ Advanced (A) | In place (Yes/No)

Developing a risk management framework

1 | Communicate and consult | Has the board and executive expressed their support for a Risk Management programme? | E |

2 | Establish the context | Have you identified a person who will be responsible for implementing risk management? | E |

3 | Establish the context | Does the risk manager, or equivalent, have reasonable access to staff and management across the organisation? | E |

4 | Establish the context | Have you defined categories of risk relevant to your organisation and industry? | E |

5 | Establish the context | Do your risk categories reflect all operational risk areas of the business as well as more strategic risk categories? | E |

6 | Establish the context | Is there a clear organisational strategy (or objectives) articulated for the organisation? | A |

7 | Establish the context | Have you defined and agreed a Likelihood scale to assess the potential for the risk to occur throughout the organisation? | E |

8 | Establish the context | Have you defined and agreed a Consequence scale to help assess risk impacts across the organisation? | E |

9 | Establish the context | Does your Consequence scale describe both financial and non-financial impacts? | E |

10 | Establish the context | Does your Risk management framework consider the effectiveness of controls or risk treatments? | E |

11 | Establish the context | Is there an agreed template or format for recording risk (a risk register)? | E |

12 | Establish the context | Has a risk policy been defined? | E |

13 | Establish the context | Does the organisation have a documented risk management strategy? | A |

14 | Communicate and consult | Has the Risk Committee (or equivalent) and the Board reviewed and approved the Risk Policy/ Strategy? | E |

15 | Establish the context | Do job descriptions of key stakeholders include responsibilities for risk management? | E |

16 | Establish the context | Is a formal project management methodology used to manage projects? | A |

17 | Establish the context | Is a mechanism in place to identify, assess, record and monitor risks on projects? | A |

18 | Establish the context | Has the organisation agreed what types and levels of risk are unacceptable? | E |

19 | Establish the context | Is there an agreed format/ template for reporting on risk? | E |

20 | Establish the context | Is there a process and/or template where staff and the Executive can record new risks? | E |

4 Implementing a risk management framework

This section provides an overview of how a risk management process consistent with that outlined in the Standard can be implemented across an organisation. It also provides guidance on the process and content for risk and risk management reporting and outlines a practical approach for developing a proactive risk management culture.

4.1 Overview of the risk management process

According to the Victorian Government Risk Management Framework, departments and agencies should, at a minimum, establish risk management frameworks and processes consistent with the key principles of the Standard.

The key steps in implementing a risk management process consistent with the Standard are illustrated in the following figure:

[Figure: the risk management process. The steps Establish Context, Identify Risks, Analyse Risks, Evaluate Risks and Treat Risks are shown in sequence, with Communicate and Consult and Monitor and Review shown as ongoing activities alongside every step.]

As depicted in the figure above, Communicate and Consult and Monitor and Review are ongoing activities that occur at each stage in the risk management process. Accordingly, these activities are discussed both as separate risk management process steps (refer to sections 5.2.1 and 5.2.7, respectively) and as sub-activities of each of the other risk management process steps (i.e. establish context, identify risks, analyse risks, evaluate risks, and treat risks).

The subsequent sections will describe each of the steps in the risk management process in detail.

The sections aim to answer the following questions:

1. what is the purpose of each step in the process?

2. why is it important?

3. how do you implement it?

4. how do you communicate/consult and monitor/review?

5. what tools and techniques are used to implement it?

The following table summarises the key risk management processes and their inputs, outputs, tools and techniques.

Establish Context

Input: external context (external environment information); internal context (organisational information)

Output: risk criteria; risk tolerance; risk management policy; risk management framework

Tools and techniques: stakeholder consultation plan; communication plan

Identify Risks

Input: stakeholder consultation; organisational records

Output: risks that matter; risk register

Tools and techniques: risk universe; brainstorming; “what-if” and scenario analysis; process mapping and flowcharting; systems analysis; operational modelling; expert opinion

Analyse Risks

Input: likelihood of risks; consequence of risks; current controls around risks; risk rating criteria (likelihood rating, consequence rating)

Output: overall risk rating; risk profile; risk priorities; inter-relationship among the risks

Tools and techniques: qualitative analysis; semi-quantitative analysis; quantitative analysis

Evaluate Risks

Input: risk tolerance

Output: treatment options; risk ownership

Tools and techniques: heat map; numerical ranking of risks; decision trees

Treat Risks

Output: treatment plan (to reduce likelihood, to reduce consequence, to maximise upside risks); resources and timeframe

Tools and techniques: risk transfer, i.e. insurance, outsourcing; risk mitigation; risk avoidance; cost-benefit analysis

Communicate and Consult, and Monitor and Review, apply across all of the steps above.



The “Establish the Context” section describes how each organisation should adjust and customise its approach to risk management to reflect the:

sector it operates in, and the unique challenges and risks faced within the sector

size of the organisation and resources it has to manage risk

culture of the organisation, and its willingness and ability to take calculated risks

appropriate and desired level of sophistication of its risk management capability.

To demonstrate how different organisations may tailor their approach to risk framework development and implementation, we will share the experiences of two fictitious organisations throughout the guide, namely Hamishtown Regional Health (HRH) and Melbourne Education Services (MES).

Hamishtown Regional Health (HRH):

Hamishtown Regional Health (HRH) is a smaller public healthcare provider based in country Victoria. It operates 40 hospital beds, an emergency ward and an aged care facility on a budget of $20 million per annum. Meeting budgetary targets is a constant challenge, in part due to the increasing cost of, and demand for, the complex medical procedures needed by the ageing population within the region.

Its staff establishment provides for the equivalent of 50 full time medical staff members and 30 support staff. Currently, 25% of specialist positions are vacant, as many specialists and new graduates prefer to further their careers in larger metropolitan hospitals or in private practice.

The hospital operates at over 90% of capacity throughout the year. However, its aged care facilities are not fully utilised, with occupancy in the last financial year running at 60%.

Although the hospital has recently passed its accreditation review, concerns were raised about HRH’s patient admissions systems, which did not adequately capture information on a patient’s medical history, including current treatment regimes being followed.

There is a private hospital 20 km from HRH and 3 similar public healthcare providers in the region. Hamishtown Regional Health has established co-operative relationships with other regional hospitals/ health services, where many of its patients travel to receive specialist medical services not offered by HRH.

The CEO, Bob Brown, heads up an executive management team made up as follows:

Director of Medical Services

Director of Nursing

Director of Finance

Director of Corporate Services (HR, IT and Facilities)

Manager, Aged Care Services

Health and Safety Officer

Quality of Care Officer

The organisation does not have a dedicated risk manager or internal auditor. However, periodic reviews have been performed by external consultants and accreditation bodies in areas such as:

Financial management processes (billing, supplier payments and payroll)

WorkSafe Occupational Health & Safety standards

Quality of Care – performance indicators, such as the number of patient falls, medication errors and sentinel events, were reviewed as part of the recent accreditation process, and continue to be recorded and reported on, as required by the Department of Human Services

HRH has recently completed a three year Strategic Plan that has identified the following Strategic Objectives:

1. Ensure high standards of patient care

2. Optimise the use of resources within HRH to ensure future sustainability of service

3. Implement and maintain processes to reduce patient harm or adverse events

4. Ensure that HRH is staffed by appropriately skilled and experienced professionals

5. Promote the sharing of information and research between regional healthcare providers

6. Provide a safe and modern infrastructure to the benefit of staff and patients

MELBOURNE EDUCATION SERVICES (MES):

Melbourne Education Services (MES) is a large regional education provider of both higher education and TAFE in the greater Melbourne metropolitan area. Its 25,000+ Australian and international students receive academic and practical education in a full range of academic disciplines at undergraduate and postgraduate level. MES also runs a range of short-term community education and vocational skills training courses.

The organisation's academic and support staff of over 1800 support curriculum development and delivery across nine campuses dispersed across the Melbourne CBD and its surrounding suburbs.

In addition to its core academic services, MES supports other student and community services, including:

Student and Staff Accommodation

Sports Clubs and Facilities

Food and Catering Services

Privately-funded Science and Technology Research Laboratories

Catering and Laundry Services

Inter-campus Transportation

Student Counselling

Community Outreach Programmes

Although MES is a state-funded public institution, which derives the majority of its revenue from the state and student fees, it has managed to expand its funding model to include significant income from its “Grants, sponsorships and endowments” programme that targets private sector institutions and other benefactors.

Vice-Chancellor and President of MES, Sally White, is supported by the MES Council, an Executive Team of 25, as well as a number of Policy, Planning and Operational Committees.

It has been able to deliver an operating surplus for the last 3 years, which it has reinvested in an infrastructure maintenance fund.

MES has identified the following as key priorities during its annual strategic planning process:

1. Use of modern ICT technology to support effective learning techniques

2. Promote MES as a trusted skills provider to the commercial and public sector

3. Effectively utilise financial and other resources to meet demand for services

4. Enhance ability of MES to attract and integrate foreign students

5. Expand capacity of MES to meet growing demand for quality TAFE/ higher education, particularly in Technology and Business Sciences

6. Ensure quality and relevance of curriculum development, delivery and examinations processes

7. Attract top students and researchers to MES

HRH GOVERNANCE:

The organisational chart below illustrates the Governance structure for HRH:

[Organisational chart: Board of Management; Chief Executive Officer; Quality & Patient Care Committee; Audit (& Risk) Committee; Director: Corporate Services; Director: Community Services; Director: Finance; Director: Medical Services; Risk & Quality Officer; Facilities Manager. The chart also marks an indirect reporting line.]

HRH has two executive committees, Audit and Quality of Patient Care.

The Audit Committee is comprised of the:

Chairman of the Board of Management

CEO

Director of Finance

Legal Counsel

External Audit firm representative

The Quality of Patient Care Committee is comprised of:

CEO

All Directors

Deputy Directors of Nursing and Medicine

Quality Officer

Facilities Manager

Due to budgetary constraints and the size of the organisation, it was decided to expand the role of the Quality of Care Officer, who currently has a responsibility for Clinical Risk, to include co-ordinating corporate risk efforts.



HRH has also decided to expand the responsibilities of the current Audit Committee to include Risk oversight. To ensure that the expanded Risk and Audit Committee is able to address all aspects of risk, the Directors of Nursing and Medicine have been co-opted onto the Committee.

It has been agreed that the Risk and Audit Committee will focus specifically on reviewing and reporting to the Board on risk every quarter. This decision was taken in conjunction with the Board of Management.

The Risk and Quality Officer will have a recurring invite to attend Committee meetings and will be tasked with:

Co-ordinating the organisation’s risk identification processes

Working with functional area management to develop risk response strategies

Reporting on clinical and corporate risks and response strategies

Training all staff and managers in risk management

Overseeing the clinical incident reporting process.

MES GOVERNANCE:

The following structure illustrates the MES Governance structure for Risk.


MES has appointed a dedicated Chief Risk Officer (CRO) for the organisation, responsible for overseeing all aspects of risk management. Although the CRO’s responsibilities are similar to those of HRH’s Risk & Quality Officer, there are some important distinctions:

The Chief Risk Officer, who reports directly to the MES Vice Chancellor and the Risk Committee, supervises a team of 5 risk specialists, namely:

an Occupational Health & Safety Manager

a Risk Manager

2 Internal Audit and Compliance Officers

1 IT Security specialist

While these staff also report to operational line managers, the CRO is able to draw on their skills to identify and assess risks and controls, as well as to aid in the design and implementation of risk treatment plans.

The CRO is a member of the Executive Team and is also represented on the following Committees:

Risk Management

Audit

Finance

Facilities and Infrastructure

Policy and Planning

Occupational Health & Safety

Information Technology and Systems.

Discussions between the MES Vice Chancellor, Council, Audit Committee and Risk Committee, chaired by the Chief Risk Officer, have resulted in the following being agreed:

That the CRO will present monthly status reports on risk management issues, plans and progress to the Risk Committee and the Executive Team

The Audit Committee will receive a quarterly Risk Progress Report as well as ad hoc reports as requested

Risk Owners will receive monthly status reports on all risks allocated to them for risk treatment or monitoring

The CRO will work with the Project Management Committee to formally identify and track risk on all projects with a capital value in excess of $1,000,000, or those classed as ‘Strategic’ or ‘High Risk’ by the Project Committee.

Functional area and operational management will continue to be accountable for the management of risk within their areas of competence. The CRO and her team will provide advisory, co-ordinating and risk reporting services to these managers.



4.2 Implementing a risk management process

4.2.1 Communicate and consult

4.2.1.1 What is it?

Risk communication is generally defined as an interactive process of exchange of information and opinion, involving multiple messages about the nature of risk and risk management. This applies to internal communication in the organisation, and to communication to external stakeholders.

Consultation can be described as a process of informed communication between an organisation and its stakeholders on an issue prior to making a decision or determining a direction on a particular issue. Consultation is a process, not an outcome; it impacts on decision making through influence rather than power, and it is about inputs to decision making, not necessarily joint decision making.


4.2.1.2 Why do it?

Communication and consultation with internal and external stakeholders are fundamental to effective risk management and should take place at each step of the risk management process as far as necessary.

Effective internal and external communication is important to ensure that those responsible for implementing risk management, and those with a vested interest, understand the basis on which decisions are made and why particular actions are required.

Stakeholders are likely to make judgements about risk based on their perceptions. These can vary due to differences in values, needs, assumptions, concepts, and concerns as they relate to the risks or the issues under discussion. Since the views of stakeholders can have a significant impact on the decisions made, it is important that their perceptions of risk be identified, recorded and integrated into the decision making process.

4.2.1.3 How to communicate and consult

The key steps to communication and consultation are:

establish communication and consultation objectives

analyse stakeholders or recipients of message

develop key messages and purpose

identify communication owners and senders

identify appropriate channels

determine timing of communication

deliver key messages.

4.2.1.4 Objectives of communication and consultation

Objectives of communication may include:

Building awareness and understanding about a particular issue

Learning from stakeholders

Influencing the target audience

Obtaining a better understanding of the context, the risk criteria, the risk, or the effect of risk treatments

Achieving an attitudinal or behavioural shift in relation to a particular matter

Any combination of the above.


Developing a communication plan is essential to ensure that key messages are delivered effectively to the right people at the right time using the most appropriate channels at every step of the risk management process.

The following diagram illustrates the key elements of a communication plan.

A stakeholder consultation plan helps to ensure that “all bases are covered” when it comes to understanding perceptions around risk and risk management, identifying, analysing and evaluating risks, as well as developing treatment options. The plan is also useful in ensuring the consultation is as inclusive as appropriate.

When implemented effectively, a stakeholder consultation plan should:

appropriately define an organisation’s context (refer to section 4.2.3)

GUIDE-DEVELOPING-RISK-FRAMEWORK 70

Communication Plan

One-off for each stakeholder

April 30-May 5

Workshops and interviews

Customer survey

Views on desired state, challenges, risks and opportunities

Expectations on the agency

Gather input for the development of the corporate plan, annual plan and business improvement plan and process development

ConsultantsConsultantsAll stakeholders(see stakeholder plan for detail)

One-off30 AprilWorkshop• Proposed scope, deliverables and templates

Kick-off the RM project

Agree on team/resources, scope, deliverables

RM ConsultantsRM ConsultantsCEO

Fortnightly or monthly for brief updates

Whole duration of project

Email, staff meetings, team meetings

Update on plans and process developments framed within larger context of business excellence journey

Keep staff informed on the progress to sustain support for the business excellence journey

CEOCEO All staff

One-offOne week before kick-off (week of 23 April)

Email or Staff meeting (if applicable)

Anticipated impact, involvement, changes arising from the project

Intent of project

Strategically introduce and position the corporate development projects as part of the risk culture change journey

CEOCEOAll staff

Weekly30 April to 30 July

Meeting with risk consultants and project team(face to face/ by teleconference)

Progress on implementation

Issues/risks that need to be addressed

Update on progress of project

Address any project issues

Consultants and RM Project Co-ordinator

ConsultantsRM Project Team

One-offOne week before kick-off (week of 23 April)

Email Expected involvement in the project- who would be interviewed and when- who would be participating in workshops and when- who would likely be in the project team

Generate awareness on the risk governance and process development/ project implementation

Generate support

GM- Corporate Services and RM consultants

CEOManagement Team

Method/Delivery

Responsibility for Preparation

Purpose Content/Message FrequencyTimingCommunicatorsStakeholders

One-off for each stakeholder

April 30-May 5

Workshops and interviews

Customer survey

Views on desired state, challenges, risks and opportunities

Expectations on the agency

Gather input for the development of the corporate plan, annual plan and business improvement plan and process development

ConsultantsConsultantsAll stakeholders(see stakeholder plan for detail)

One-off30 AprilWorkshop• Proposed scope, deliverables and templates

Kick-off the RM project

Agree on team/resources, scope, deliverables

RM ConsultantsRM ConsultantsCEO

Fortnightly or monthly for brief updates

Whole duration of project

Email, staff meetings, team meetings

Update on plans and process developments framed within larger context of business excellence journey

Keep staff informed on the progress to sustain support for the business excellence journey

CEOCEO All staff

One-offOne week before kick-off (week of 23 April)

Email or Staff meeting (if applicable)

Anticipated impact, involvement, changes arising from the project

Intent of project

Strategically introduce and position the corporate development projects as part of the risk culture change journey

CEOCEOAll staff

Weekly30 April to 30 July

Meeting with risk consultants and project team(face to face/ by teleconference)

Progress on implementation

Issues/risks that need to be addressed

Update on progress of project

Address any project issues

Consultants and RM Project Co-ordinator

ConsultantsRM Project Team

One-offOne week before kick-off (week of 23 April)

Email Expected involvement in the project- who would be interviewed and when- who would be participating in workshops and when- who would likely be in the project team

Generate awareness on the risk governance and process development/ project implementation

Generate support

GM- Corporate Services and RM consultants

CEOManagement Team

Method/Delivery

Responsibility for Preparation

Purpose Content/Message FrequencyTimingCommunicatorsStakeholders

Stakeholders are the audience for the communication of risk and risk management.

Communicators send the message, and should be carefully selected as perception of the sender influences how people receive the message.

Responsibility for preparation is the person who is knowledgeable on the topic and prepares the content of the messages of communication to be delivered.

Purpose sets out the objective of the communication.

Content/Message indicates the key messages to be delivered.

Method/delivery is how the message will be delivered, through what channel/s, i.e. workshop, internet, e-mail, newsletter, etc.

Timing is when the message will be delivered; it is important to have the right timing to ensure people pay attention to the message and are not distracted by other information.

Frequency indicates how often the messages will be delivered, i.e. one-off, weekly, annually, etc.


Stakeholders are consulted to:

• ensure that the interests of stakeholders are understood and considered
• help ensure risks are adequately identified
• bring different areas of expertise together in analysing risks
• ensure that different views are appropriately considered in evaluating the risk
• ensure appropriate change management techniques during the management process (refer to section 4.4)
• promote “ownership” of risk by managers
• engage stakeholders to allow them to appreciate the benefits of particular controls and the need to endorse and support a risk treatment plan.

The following diagram illustrates the basic components of a stakeholder plan:

Stakeholder Consultation Plan

Internal Stakeholders (columns: Stakeholders | Purpose | Method | Timing | Owner/Facilitator)

Chief Executive
  Purpose: Clarify Risk Management implementation structure including the management team and non-executive board charter; identify Chief Executive KRIs (if any); establish intended scope for the Risk Management; view on Risk Universe
  Method: Interview
  Timing: 1 hr (anytime week of 30 April)
  Owner/Facilitator: John Smith

Board
  Purpose: Clarify their roles and expectations as part of formalising the risk/corporate governance charter; communicate intended directions for Risk Management
  Method: Workshop
  Timing: 1.5 hrs (anytime week of 30 April)
  Owner/Facilitator: John Smith

GM - Corporate Services
  Purpose: Revisit risks, issues and next steps (FN and procurement); gather views on desired state, opportunities, risks and challenges for the next 3 yrs
  Method: Interview
  Timing: 1 hr (anytime week of 30 April)
  Owner/Facilitator: Mark Anthony

Head of Human Resources
  Purpose: Revisit risks, issues and next steps (HR); gather views on desired state, opportunities, risks and challenges for the next 3 yrs
  Method: Interview
  Timing: 1 hr (anytime week of 30 April)
  Owner/Facilitator: Heather Andrews

Head of Information Management
  Purpose: Gather views on desired state, opportunities, risks and challenges for the next 3 yrs
  Method: Interview
  Timing: 1 hr (anytime week of 30 April)
  Owner/Facilitator: Heather Andrews/Mark Anthony

Management Team
  Purpose: Generate understanding and commitment to the corporate governance implementation project; communicate strategic intent and vision
  Method: Workshop
  Timing: 1 hr
  Owner/Facilitator: CEO

  Purpose: Agree on risk management policy/objectives; establish consensus on risk management processes; articulate/translate risks and issues around strategic purpose and vision
  Method: Workshop
  Timing: 1-2 days
  Owner/Facilitator: RM Consultants

  Purpose: Define operational level KRIs that support strategic level KRIs
  Method: Workshop
  Timing: 1 day
  Owner/Facilitator: RM Consultants

Staff
  Purpose: Gather views on desired state, opportunities, risks and challenges for the next 3 yrs
  Method: Survey
  Timing: 2 days (week of April 30)
  Owner/Facilitator: Howard Gardner

  Purpose: Input into individual and team KRIs
  Method: Workshops
  Timing: 2 days (week of 1 June)
  Owner/Facilitator: Team leaders

External Stakeholders (columns: Stakeholders | Purpose | Method | Timing | Owner/Facilitator)

Minister
  Purpose: Identify expectations from Agency within the next 3-5 years and to what extent current/intended corporate plan meets expectations
  Method: Interview
  Timing: 1 day (including organising)
  Owner/Facilitator: John Smith

Parliamentary Secretary
  Purpose: Identify expectations from Agency within the next 3-5 years
  Method: Interview
  Timing: 1 day
  Owner/Facilitator: Mary Antoinette

Relevant agencies (state and/or commonwealth)
  Purpose: Identify expected interdependencies for service delivery; expectations for whole-of-government approach
  Method: Interviews
  Timing: 5 days (including co-ordination)
  Owner/Facilitator: Mark Anthony

Industry/Experts (Companies)
  Purpose: Determine expectations from Agency; identify any risks and issues with regard to the expectation
  Method: Interviews; surveys
  Timing: 5 days (including co-ordination)
  Owner/Facilitator: Heather Andrews


Stakeholders are consulted to provide input into the risk management process; this includes both internal and external stakeholders. It is important to have a good representation of stakeholders to generate comprehensive perspectives on risk and risk management.

Purpose sets out the intent or agenda for the consultation.

Method is the approach in consultation, i.e. interviews, surveys, workshops, focused group discussions.

Timing indicates the time required (for budgeting and resourcing purposes) to conduct the consultation; where known, the dates for consultation are also indicated in this section.

Owner/Facilitator is the person who will administer the consultation process. It is important to choose the right facilitator to make sure an appropriate level of response is generated.


Key considerations for effective communication and consultation throughout the risk management process are outlined at the conclusion of each of the following process steps (i.e. Establish the Context, Risk Identification, Analyse Risks, Evaluate Risks, and Treat Risks).

Client Comment:

“I have worked as a risk manager in different organisations and have found that it is very difficult to obtain support for risk management unless I have the backing of the CEO or other senior executives. A simple email or statement by the CEO to staff that stresses the importance of risk management helps to improve staff awareness and participation.

In the past we required staff to complete a 2 page form to report a risk. The form required that information was recorded about the risk, its causes, examples of previous risk events, risk scores, accountabilities, proposed treatment approach and who would monitor the risk. Most staff were intimidated by this process and did not feel comfortable rating risk or proposing risk plans. We have simplified the reporting form, which now requires staff to describe the risk and how it impacts on the organisation or their jobs, together with any other comments or suggestions they wish to make. This process can also be done informally through a phone call or email. Functional area specialists, with input from the risk manager, now take responsibility for assessing and evaluating risks and developing response strategies.

Also, many staff felt that nothing happened with risks or incidents they reported, which resulted in many staff not reporting risks they were aware of. We now use internal communication channels to show staff what has been done to address their particular concerns. We expect this approach to increase participation in risk identification and solution.”

Risk Officer
General Government

4.2.1.5 References and links

Toolkit reference:

Appendix G: Communication and consultation plan - template

4.2.2 Establish the context

4.2.2.1 What is it?

Establishing the context is concerned with understanding the background of the organisation and its risks, scoping the risk management activities being undertaken, and developing a structure for the risk management tasks to follow.

Many of the internal and external parameters that constitute an organisation’s context are similar to those considered when developing the risk management framework (refer to section 4). However, when applied to the risk management process, they need to be considered in greater detail and particularly how they relate to each step of the risk management process.

4.2.2.2 Why do it?

The objective of this step is to provide a comprehensive appreciation of all the factors that may have an influence on the ability of an organisation to achieve its intended outcomes.

The outcome is a concise statement of the organisational objectives and specific criteria for success, the objectives and scope for risk management, and a set of key elements for structuring the risk identification activity in the next stage.

4.2.2.3 How to establish the context

This process requires the following key steps:

understand your external context

understand your internal context

develop your risk management context.

Diagram: the risk management process - Communicate and Consult; Establish Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat Risks; Monitor and Review.

Diagram: Establishing Context (Risk Management Framework)

External Context
• Cultural, political, legal, regulatory, financial, economic and competitive environment, whether international, national or regional
• Key drivers and trends having impact on the objectives of the organisation
• Perceptions and values of external stakeholders. It is particularly important to take into account the perceptions and values of external stakeholders and establish policies for communication with these parties.

Internal Context
• Capabilities (e.g. capital, people, competencies, processes, systems and technologies)
• Information flows and decision making processes
• Internal stakeholders
• Objectives, and the strategies that are in place to achieve them
• Perceptions, values and culture
• Policies and processes
• Standards and reference models adopted by the organisation
• Structures (e.g. governance, roles and accountabilities).

Risk Management Context
• Definition of responsibilities
• Depth and breadth of the risk management activities to be carried out, including specific inclusions and exclusions
• Extent of the project, process, function, or activity in terms of time or location
• Project, process, function, or activity and its goals and objectives
• Relationship between a particular project or activity and other projects or activities of the organisation
• Definition of risk assessment methodologies
• How performance is evaluated in the management of risks
• What decisions have to be made
• Scoping or framing studies needed, their extent, objectives, and the resources required for such studies

Also shown in the diagram: Risk Management Policy; Risk Assessment Criteria; Risk Tolerance.

i) Understand external context

According to the Standard, the external context defines the external environment in which the organisation operates. It also defines the relationship between the organisation and its external environment as illustrated by the diagram above.


Understanding the external context is important to ensure that stakeholders and their objectives are considered when developing risk management criteria and that externally generated threats and opportunities are captured during the “risk identification” step.


ii) Understand internal context

Understanding the organisation is required before commencing any risk management activity, at any level. According to the Standard, understanding the internal context is important because:

risk management takes place in the context of the goals and objectives of the organisation

the major risk for most organisations is that they fail to achieve their strategic, business or project objectives, or are perceived to have failed by stakeholders

organisational objectives, policies, and processes help define the organisation’s risk management policy, specific objectives and criteria of a project.


Hamishtown Regional Health (HRH) and Melbourne Education Services (MES)

In order for risk management systems and processes to reflect each organisation’s specific needs, the following steps were taken prior to conducting formal risk identification exercises:

• identifying key stakeholders who would need to be involved in risk management communication
• definition of risk categories to reflect the types of risk faced by the organisation
• definition and approval of risk criteria (risk rating scales) to be used when assessing and prioritising risks.

Stakeholders:

The identification of stakeholders will assist to identify stakeholders who may need to be included in risk communication plans, as well as identify those stakeholders who may either be a source of risk for the organisation or that it may work together with, to define or implement risk treatment strategies and plans.

HRH and MES, as public sector organisations, share common stakeholder groups, such as DTF, VAGO and the Press. However, each organisation will have unique stakeholders that reflect its specific industry or sector focus, such as the Curriculum and Assessment Authority that provides services to educational institutions.

The following stakeholders were identified during the definition of HRH and MES’s initial risk planning processes.

Stakeholder table (columns: Common stakeholders | HRH-specific | MES-specific)

Internal
  Common stakeholders: Staff; Management; Executive; Board of Management; Management Committees
  HRH-specific: Patients; Doctors; Nurses
  MES-specific: Academic Staff; Support Staff; Executive Team; MES Council and Senate; Compliance Committees; Operational Committees; Australian Students; Students; Student Societies

External
  Common stakeholders: Local Community; State Government; Community Organisations; Charities; Press; Suppliers; VAGO; DTF; Trade Unions; Other Departments; Education Institutions; WorkSafe
  HRH-specific: DHS; Health Services; Minister of Health; ACHS
  MES-specific: DEECD; Australian Universities Quality Agency (AUQA); Higher Learning Institutions; Feeder Schools; Minister of Education; Staff Unions (VTA, AEU); Examination Bodies; Victorian Curriculum & Assessment Authority (VCAA)


iii) Develop risk management context

After understanding the internal and external context, the next step is to develop the risk management context for your organisation. The Risk Standard recommends taking into consideration the following when developing your risk management context:

objectives and strategies for risk management

scope, i.e. parts of the organisation where you apply the risk management processes

parameters for risk management activities

resources required

records to be established.

The outcome of this process is to ensure that the risk management approach adopted is appropriate and proportionate to the situation of the organisation and to the risks affecting the achievement of its objectives.

Risk management context application: risk tolerance

Once the risk management context is understood and established, a key output of the process is risk tolerance. Risk tolerance is defined as

…an organisation’s readiness to bear the risk, after treatments in order to achieve its objectives

Organisations are prepared to ‘tolerate’ some risks under certain circumstances in return for specified benefits. Tolerance levels may vary by context and are influenced by the:

ability and willingness of the board and executive to take and manage risks

size and type of organisation

maturity and sophistication of risk management processes and control environments

financial strength of the organisation and its ability to withstand shocks

sector in which the organisation operates.

How do you establish your risk tolerance?

The typical steps involved in establishing and implementing risk tolerance are:

1. Complete an analysis of the organisation’s ability to physically and financially recover from a significant event (e.g. risks such as human influenza pandemic, loss of major plant or facility, inability to supply or manufacture product, loss of major business partner, credit crunch etc.)

2. The above analysis will highlight the need for and importance of contingency plans, financial, physical and human resources, and the importance of controls. From the analysis, determine the tolerance the organisation can bear or accept.

3. Management determines the level of tolerance, which should then be endorsed by the board.

The risk tolerance levels set by the organisation will be reflected in the risk rating scales used to assess organisational risks.

How do you define risk tolerance levels?

Risk tolerance levels can be defined by dividing risks into a number of bands as appropriate for the organisation (three in this example):

An upper band where adverse risks are intolerable, whatever benefits the activity may bring, and risk reduction measures are essential whatever their cost.

A middle band (or ‘grey’ area) where costs and benefits are taken into account and opportunities balanced against potential adverse consequences.

A lower band where positive or negative risks are negligible, or the costs associated with implementing treatment actions outweigh the costs of the impact of the risk should it occur.

These levels of risk tolerance will help determine the type and extent of actions required to treat risks, and the level of management/board attention required in managing and monitoring the risks. Risk tolerance levels can be practically defined through colour coding of a risk likelihood/consequence matrix. This is illustrated in the following sample risk matrix (or heat map):

Sample Risk ‘Heat Map’

Matrix of Likelihood (rows: Rare, Unlikely, Possible, Likely, Almost certain) against Consequence (columns: Insignificant, Minor, Moderate, Major, Extreme); each cell is colour-coded with the risk rating band (Low, Medium or High) set out below.

Risk Rating: Escalation

High
• Immediate escalation of risk to senior management for prioritised risk and treatment plan response
• Weekly reviews of progress by senior management to be undertaken

Medium
• Escalation of risk to line management for discussion on appropriate treatment plan response
• Monthly monitoring of risk and progress of risk response or treatment plans to be undertaken as part of existing local meetings

Low
• Bi-monthly monitoring of risk and progress of risk response or treatment plans to be undertaken as part of existing local meetings
• No immediate need to develop further treatment plans or response strategies

Risk management context application: risk criteria

Having established its risk tolerance, the organisation can now develop its risk criteria. The risk criteria take into consideration the risk management context. It is the basis on which risks are analysed and evaluated.

Risk criteria express the organisation’s values, objectives and resources. Some criteria may be imposed by, or derived from, legal and regulatory requirements. Risk criteria should be consistent with the organisation’s risk management policy.


When defining risk criteria, factors to be considered should include the following:

How likelihood will be defined

How the level of risk is to be determined

Nature and types of consequences that may occur and how they will be measured

The level at which risk becomes acceptable

The timeframe of the likelihood and/or consequence

What level of risk may require treatment

Whether combinations of multiple risks should be taken into account.


The following diagrams illustrate what risk criteria may look like and the key elements included.

Risk Criteria: Consequence (columns: Rating | Description | Financial | Legal | Safety | Environmental | Service Delivery)

Rating 1 - Insignificant
  Financial: Loss of under $50,000; budget reduced by less than 5%
  Legal: Minor legal issues that could be easily resolved
  Safety: First aid treatment only
  Environmental: Single incident resulting in no material environmental harm
  Service Delivery: Outage of non-critical service for less than 1 day

Rating 2 - Minor
  Financial: Loss of between $50,000 – $200,000; budget reduced by 5% - 10%
  Legal: Minor legal issues, non-compliances and/or breaches
  Safety: Minor medical attention required
  Environmental: Minor, transient environmental harm
  Service Delivery: Outage of non-critical service for 1 - 3 days

Rating 3 - Moderate
  Financial: Loss of between $200,000 - $1M; budget reduced by 10%
  Legal: Serious failure to comply with legislation and regulations; moderate failure in statutory duty
  Safety: Significant reversible disability to less than 2 persons
  Environmental: Environmental harm that is reversible within 2 years
  Service Delivery: Outage of non-critical service for 3-7 days

Rating 4 - Major
  Financial: Loss of between $1M - $5M; budget reduced by 20%
  Legal: Major failure to comply with legislation and regulations; partial failure in statutory duty
  Safety: Significant irreversible disability to less than 2 persons or significant reversible disability to greater than 2 persons
  Environmental: Environmental harm that is reversible within 5 years
  Service Delivery: Outage of non-critical service for 1 - 2 weeks; outage of critical service for less than one day

Rating 5 - Catastrophic
  Financial: Loss of over $5M; budget reduced by 30%
  Legal: Extreme failure to comply with legislation and regulations; severe failure in statutory duty
  Safety: Single fatality or significant irreversible disability to greater than 2 persons
  Environmental: Irreversible environmental harm and/or environmental harm that is reversible within 10 years
  Service Delivery: Outage of non-critical service for more than 2 weeks; outage of critical service for one day or more

Description rating is defined based on the different levels of impact. The ratings could be from 1-3 or 1-5 or any other variation that is appropriate to the context of the agency.

Consequence criteria will depend on the nature of the agency and its organisational purpose and strategies. In this example there are 5 different criteria.

Customised consequence rating scale for Hamishtown Regional Health (HRH)

Hamishtown Regional Health has customised its Consequence scales to reflect its organisational context, specifically its Financial criteria, where a loss of greater than $100,000 is rated catastrophic, reflecting its relatively small size and budget. Similarly, its impact descriptions include reference to patient safety and harm, reflecting its core operational focus.

(columns: Score | Description | Financial Loss | Reputation | Legal | Operational/)

1 INSIGNIFICANT
  Financial loss: < $5,000
  Reputation: Little or no impact
  Legal: Little or no impact
  Operational: Little or no impact

2 MINOR
  Financial loss: $5,000 to $25,000
  Reputation: Sporadic localised unfavourable publicity; no impact on staff morale
  Legal: Minor delays in meeting legal requirements/fulfilling SLAs etc.
  Operational: Inefficiencies and/or delays in delivery of support services and non-critical functions. No impact on patient care standards.

3 MODERATE
  Financial loss: $25,000 to $50,000
  Reputation: Localised negative publicity; short-term impact on staff morale - managed by appropriate response by institution’s Communication function.
  Legal: Breach of material terms of key contracts/SLAs. Threat of legal action against institution, but able to be resolved through negotiation/remedial action.
  Operational: Inability to provide key support services according to minimal expected service levels (billing, security, payroll, canteen, staff training etc.). No notable impact on patient care standards. Low probability of patient harm.

4 MAJOR
  Financial loss: $50,000 to $100,000
  Reputation: Significant/continued negative publicity in local/regional press; low staff morale; intervention of institution’s CEO to answer public concerns.
  Legal: Noticeable increase in claims and legal liability; most exposures covered by existing insurance cover.
  Operational: Delays and inefficiencies in core processes and systems impacting significantly on quality of patient care standards. Increased risk of serious patient injury, disability or sentinel event.

5 CATASTROPHIC
  Financial loss: > $100,000
  Reputation: Significant/continued negative publicity in national press; loss of key staff; permanent loss of public trust; withdrawal of funding/key grants; intervention of Minister.
  Legal: Significant increase in legal exposures/claims; critical services impacted by cancellation of supplier contracts; significant exposures not insured.
  Operational: Critical processes/systems not available for extended period. Inability to perform core patient care functions. Prolonged inability to provide basic medical services. High probability of multiple preventable deaths due to interruptions to basic services or staff negligence or malice.

In addition to the above categories, MES also uses the following consequence categories: reputation, health and safety, and business interruption. MES has also set its financial thresholds considerably higher to reflect its larger size: (catastrophic: > $5,000,000; and insignificant <$50,000).


Risk Criteria: Likelihood

Rating / Descriptor / Description / Frequency

1 Rare: No recorded or known incidents. Expected to occur once every 100 years.

2 Unlikely: Few recorded or known incidents. Expected to occur once every thirty years.

3 50/50: Some incidents have been recorded. Expected to occur once every ten years.

4 Likely: Several incidents have been recorded. Expected to occur once every three years.

5 Almost certain: Multiple incidents have been recorded. Expected to occur once a year or more frequently.

Notes on the table:

Rating of likelihood is typically from 1-5. In some cases, it's from 1-3.

Descriptor defines what each point on the likelihood rating scale means.

Description defines in further detail what the rating scale means in the context of the agency.

Frequency indicates the timeframe within which the event is likely to occur for a given rating.

The following illustrates an organisational likelihood scale:

Customised likelihood rating scale for HRH

LIKELIHOOD

SCORE DESCRIPTION

1 RARE Highly unlikely to occur in next 5 years. No history of adverse event in organisation.

2 UNLIKELY Event not likely to occur in next 12 months, but there is a slight possibility of occurrence.

3 POSSIBLE 50/50 chance of the event occurring within the next year. Event is equally likely to occur as not.

4 LIKELY There is a strong likelihood that the event will occur at least once in the next 6-12 months. History of event/s in institution or similar organisations.

5 ALMOST CERTAIN The adverse event will definitely occur, probably multiple times in a year.


Control effectiveness criteria:

When analysing a risk, it is important to understand the effectiveness of the current controls that are in place. Controls are systems, processes, policies etc. that are implemented to reduce risk levels, either by reducing the consequence of a risk if it does occur and/or by reducing the likelihood of the risk occurring.

Where controls are operating effectively and as intended, they will reduce the level of risk. Conversely, where a control is not effective, is not working as designed, or there are no controls in place, control effectiveness will be low and the risk level will not be reduced.

In the first instance, managers should be able to make a subjective assessment of the effectiveness of a control using a control effectiveness rating scale such as the one shown below:

Sample Risk Criteria: Control Effectiveness

Rating / Descriptor

Uncontrolled: Virtually no credible control. Management has no confidence that any degree of control is being achieved due to poor control design and/or very limited operational effectiveness.

Very Poor: Significant control gaps. Either controls do not treat root causes or they do not operate at all effectively.

Poor: While the design of the controls may be largely correct in that they treat most of the root causes of the risk, they are not currently very effective. Or: some of the controls do not seem correctly designed in that they do not operate at all effectively.

Satisfactory: Most controls are designed correctly and are in place and effective. Some more work to be done to improve operating effectiveness, or Management has doubts about operational effectiveness and reliability.

Good: Nothing more to be done except review and monitor the existing controls. Controls are well designed for the risk, address the root causes and Management believes that they are effective and reliable at all times.

Notes on the table:

Rating defines what each scale in the control effectiveness rating means. The ratings could be from 1-5 or 1-3 or any other variation that is appropriate in the context of the agency.

Descriptor defines in further detail what the rating scale means in the context of the agency. It takes into account the effectiveness of the design and operation of the controls.

Source: HB 158-2006


For example: having fire extinguishers and other fire suppression systems in place are controls that can reduce the consequences (injury and damage) following a fire. Similarly, the risks associated with unauthorised access to confidential records can be reduced by the use of secure document storage systems, including document safes and password-protected databases.


Periodic independent assurance is also needed – to provide an objective view – based on testing of controls – of the adequacy and effectiveness of the controls. Independent verification of control effectiveness can be sought from external and internal auditors.

4.2.2.4 Communication and consultation and monitoring and review activities

The following table describes the steps to follow in establishing and subsequently monitoring and reviewing the organisation’s risk context:

Establish the context: Monitoring and Review

Monitor any strategic changes as identified in the strategic planning cycle. Review the current risk management context to ensure it remains aligned to the strategic intent of the organisation.

Monitor significant changes to business operations. This merits a review of the risk management context in view of potential changes to the internal context.

Monitor any changes in the external environment. Review the current risk management context to ensure that it remains relevant considering the changes.

Workshops once or twice a year with key stakeholders may help to ensure the context for risk management remains relevant.

Establish the context: Communication and Consultation

Identify which stakeholders need to be consulted or taken into consideration in establishing the risk management context.

Using the stakeholder consultation plan template, establish how the organisation will consult these stakeholders.

Examples of consultation processes that may be applicable at this stage include interviews and workshops with key executives.

Articulate the risk management context in the risk management framework and policy which then is signed-off by the board.

Communicate this by presenting it at the executive team meeting.

4.2.2.5 Toolkit references:

Appendix F: Common risk categories for the public sector

Appendix G: Stakeholder communication and consultation plan - template

Appendix J: Risk rating criteria - template


4.2.3 Risk identification

4.2.3.1 What is it?

The Standard defines risk identification as “the process of determining what, where, when, why, and how something could happen”.

4.2.3.2 Why do it?

The objective of risk identification is to generate a comprehensive list of risks based on those events and circumstances that might enhance, prevent, degrade or delay the achievement of the objectives. This list of risks is then used to guide the analysis, evaluation, treatment and monitoring of key risks.

Comprehensive identification and recording is critical, because a risk that is not identified at this stage may be excluded from further analysis. The risk identification process should include all risks, whether or not they are under the control of the organisation.

In identifying risks, it is also important to consider the risks associated with not pursuing an opportunity, e.g. loss of market share.

4.2.3.3 How to identify risks

This section will cover the key steps necessary to effectively identify risks from across the organisation.

These steps are:

i) understand what to consider when identifying risks

ii) gather information from different sources to identify risks

iii) apply risk identification tools and techniques

iv) use risk categories for comprehensiveness

v) document the risks

vi) document the risk identification process

vii) assess the effectiveness of the risk identification process.

[Figure: the risk management process, showing Establish Context, Identify Risks, Analyse Risks, Evaluate Risks and Treat Risks, with Communicate and Consult and Monitor and Review alongside]

i) Understand what to consider

The Standard recommends that in order to develop a comprehensive list of risks, a systematic process should be used that starts with the statement of context. To demonstrate that risks have been identified effectively, it is useful to step through the process, project or activity in a structured way using the key elements defined while establishing the context. This can help provide confidence that the process of risk identification is complete and major issues have not been missed.

The process then asks the following questions about each of the key elements:

Risk Identification

What is the source of each risk?

What might happen that could:

increase or decrease the effective achievement of objectives

make the achievement of the objectives more or less efficient (e.g. financial, people, time)

cause stakeholders to take action that may influence the achievement of objectives

produce additional benefits

Other considerations: What would the effect on objectives be? When, where, why, how are these risks (both positive and negative) likely to occur? Who might be involved or impacted? What controls currently exist to treat this risk (maximise positive risks or minimise negative risks)? What could cause the control not to have the desired effect on the risk?

ii) Gather information to identify risks

Good quality information is important in identifying risks. The starting point for risk identification may be historical information about this or similar organisations, followed by discussions with a wide range of stakeholders about historical, current and evolving issues. Some examples are listed below.

Risk description structure: (something happens) leading to (outcomes expressed in terms of impact on objectives)

Risk Identification: Tools & Techniques

Structured Interviews

Audit Reports

Checklists

Surveys and Questionnaires

Focus Groups

Strategic and Business Plans

Post-event Reports

Local and Overseas Experience

iii) Apply risk identification tools and techniques

The Standard recommends that organisations apply a set of risk identification tools and techniques suited to their objectives and capabilities, and to the risks the organisation faces. Relevant and up-to-date information is important in identifying risks. This should include suitable background information where possible. People with appropriate knowledge should be involved in identifying risks.

Approaches used to identify risks could include the use of checklists, judgments based on experience and records, flow charts, brainstorming, systems analysis, scenario analysis, and system engineering techniques. The approach used will depend on the nature of the activities under review, types of risks, the organisational context, and the purpose of the risk management exercise.

Team-based brainstorming, for example in facilitated workshops, is a preferred approach as it encourages commitment, considers different perspectives and incorporates differing experiences.

Structured techniques such as flow charting, system design review, systems analysis, Hazard and Operability (HAZOP) studies and operational modelling should be used where the potential consequences are catastrophic and the use of such intensive techniques is cost effective.

For less clearly defined situations, such as the identification of strategic risks, processes with a more general structure, such as ‘what-if’ and scenario analysis could be used.

Where resources available for risk identification and analysis are constrained, the structure and approach may have to be adapted to achieve efficient outcomes within budget limitations. For example, where less time is available, a smaller number of key elements may be considered at a higher level, or a checklist may be used.


iv) Use relevant risk categories for comprehensiveness

The risk profiles of public sector organisations may differ from that of commercial organisations, given the difference in organisational objectives and stakeholder groups. A possible public sector risk categorisation model is illustrated below:

[Figure: EXAMPLE public sector risk categorisation model. Categories shown include Strategic, Stakeholder, Market Structure, Governance, Information, Operations, Financial, Legal and People & Culture, each broken down into sub-categories (for example IT Systems, Security, Business Continuity, Fraud, Regulatory & Compliance, Occupational Health & Safety).]

Risk Categorisation Model

HRH:

HRH has agreed on the following risk categories against which to measure risk. It is anticipated that a significant number of risks will fall in the clinical category as this represents the core service delivery area for the health service.

MES Risk Categories

The MES Risk Committee has developed and approved the following risk categories. In addition to standard risk categories, curriculum-related risk and student support services have been defined as core operational risk areas for the education institution.

The Risk and Audit Committee defined a draft risk categorisation model, which was modified to reflect additional risk categories identified after an initial risk brainstorming session was held with the Executive Team.

MES Risk Categories

Strategic: Strategic Planning; Governance; Stakeholder Relations; Legislation & Compliance; Reputation; Business Continuity; Market Conditions; Natural Resources; Quality of Student Outcomes; Innovation & Research; Funding & Sustainability

Operational: Curriculum Development; Curriculum Delivery; Examinations; HR & Training; Occ. Health & Safety; Supply Chain; Legal & Contracts; Other; Asset Management; Facilities Management; Student Support Services

Financial: Budgeting; Liquidity and Credit; Reporting; Capital; Debtors; Fraud & Theft; Grants & Bursaries

IT and Information: System Design; Information Security; Quality of Information; Intellectual Property

v) Document the risks identified

The risks identified during the risk identification are typically documented in a risk register that, at this stage in the risk assessment process, includes:

risk description

how and why the risk can happen (i.e. causes and consequences)

the existing internal controls that may reduce the likelihood or consequences of the risks.

It is critically important at this stage to understand the cause-effect relationships between a risk, its causes, and the potential consequences should the risk occur. If the “wrong” risk is identified at this stage (e.g. causes or consequences, rather than the actual risk itself), it will reduce the value of the rest of the risk management process.

Toolkit reference:

Appendix F: Common risk categories for the public sector


The VMIA has found that one of the weakest elements of an organisation's risk framework can be the capturing and defining of risks. It is essential when describing a risk to consider the following three elements:

description/event – an occurrence or a particular set of circumstances

causes – the factors that may contribute to a risk occurring or increase the likelihood of a risk occurring

consequences – the outcome(s) or impact(s) of an event.

It is the combination of these elements that makes up a risk, and this level of detail will enable an organisation to more completely understand the risk.

One can see from the following examples that failure to correctly define your risks will result in flow-on effects on your control identification, mitigation plans and ultimately reporting. It's the old "garbage in, garbage out" analogy.

Below, we have provided some examples of "good" and "bad" risk descriptions:

Example 1: Good Risk Descriptions


Example 2: Poor Risk Descriptions Explanation

Lack of succession planning is a lack of a control.

Fines are really the impact to the organisation. Also, the reason for identifying the cause is so that you can identify the right controls. This description is so wide that a control is difficult to define, other than “put in place a full compliance program”.

System not backed up is a control failure. Also an IT failure is not the cause of the system not being backed up, poor work practices are.

vi) Document your risk identification process

In addition to documenting the risks identified, it is also necessary to document the risk identification to help guide future risk identification exercises and to ensure good practices are maintained by drawing on lessons learned through previous exercises. Documentation of this step should include:

the approach or method used for identifying risks

the scope covered by the identification

the participants in the risk identification and the information sources consulted.


4.2.3.4 Communication and consultation and monitoring and review activities

Risk identification: Monitoring and Review

Monitor the reliability / currency of the sources of information used to identify risks.

Monitor any changes / enhancements to the risk identification process over the period.

Monitor the impact these changes may have on future risk identification exercises.

Risk identification: Communication and Consultation

Identify the key stakeholders who need to be informed of the risk identification process and how it will be implemented across the organisation.

Communicate / articulate the risk identification process to ensure all stakeholders are aware of and understand the process.

Consultation may include:

o Risk identification consultation plan.

4.2.3.5 References and links:

Toolkit reference:

Appendix I: Common example risks

Appendix F: Common risk categories for the public sector


4.2.4 Analyse risks

4.2.4.1 What is it?

The Standard defines risk analysis as a systematic process to understand the nature of risk and determine the level of risk. The risk analysis step aims to develop an understanding of the risk. It provides an input to decisions on whether risks need to be treated and the most appropriate and cost-effective risk treatment strategies.

[Figure: the risk management process, showing Establish Context, Identify Risks, Analyse Risks, Evaluate Risks and Treat Risks, with Communicate and Consult and Monitor and Review alongside]

4.2.4.2 Why do it?

Risk analysis is a fundamental component of the risk management process. It helps to guide the evaluation of risks by defining the key parameters of the risk and how these may impact on the achievement of organisational objectives. One of the key outcomes of the risk analysis process is determining levels of risk exposure for the organisation.

In addition, the data and related information collected during the risk analysis process can be used to assist in guiding risk treatment decisions.

4.2.4.3 How to analyse risks

Risk analysis involves the following key steps:

1) identify and evaluate existing control effectiveness

2) determine risk likelihood (probability or frequency of risk occurrence)

3) determine risk consequence (outcome or impact of an event)

4) determine risk level.

The following section on how to analyse risks is structured as follows:

i) identify and evaluate existing controls

ii) determine risk consequence and likelihood

iii) determine overall risk level

iv) document your risk analysis process.

i) Identify and evaluate existing controls

When assessing a risk, it is important to identify what controls are in place to mitigate the risk. Many controls are built into existing business operations and systems.

Examples of controls:

Controlled physical access (e.g. security codes, access cards, security personnel)

Employee code of conduct

Media and public relations strategies/protocols

Specified training (e.g. software, hazardous substances)

Automated software controls (e.g. temperature control)

Policies and procedures

Standardised business processes

Insurance

Quality control management

Budget management

Outsourcing functions to specialists

Formalised contracts and Service Level Agreements

Audits (internal and external).

Controls should be considered on the basis of:

design effectiveness – is the control "fit for purpose" in theory, i.e. is the control designed appropriately for the function for which it is intended

operational effectiveness – does the control work as practically intended.

In order to understand the level of residual risk remaining after controls have been taken into account, it is essential as part of the risk analysis process to be able to estimate the effectiveness of existing controls.

In the first instance, management should be able to make a subjective assessment as to the effectiveness of the controls using a rating scale such as that contained in section 4.2.2.3. Periodic independent assurance is also needed to provide an objective view - based on testing - of the adequacy and effectiveness of the controls e.g. internal and external audit.

It is useful to involve staff with an understanding of the controls when rating them. Internal audit, business analysts and operational/ financial management can all provide input into control identification and assessment.

A well-designed and implemented control can often mitigate or reduce more than one risk or type of risk.

ii) Determine risk consequence and likelihood

The Standard recommends that the magnitude of the consequences of an event, should it occur, and the likelihood of the event and its associated consequences, should be assessed in the context of the effectiveness of the existing strategies and controls.

Consequences and likelihood may be estimated using statistical analysis and calculations. Where no reliable or relevant past data is available, subjective estimates may be made which reflect an individual's or group's degree of belief that a particular event or outcome will occur.

The most relevant sources of information and techniques should be used when analysing consequences and likelihood.

Sources of information:

Past records

Practice and relevant experience

Relevant published literature

Market research

The results of public consultation

Experiments and prototypes

Economic, engineering or other models

Specialist and expert judgements.

Techniques:

Structured interviews with experts in the area of interest

Use of multi-disciplinary groups of experts

Individual evaluations using questionnaires

Use of models and simulations.

Types of Analysis

Risk analysis may be undertaken to varying degrees of detail depending upon the risk, the purpose of the analysis, and the information, data and resources available. Analysis may be qualitative, semi-quantitative or quantitative, or a combination of these, depending on the circumstances.

The order of complexity and costs of these analyses, in ascending order, is qualitative, semi-quantitative and quantitative. In practice, qualitative analysis is often used first to obtain a general indication of the level of risk and to reveal the major risk issues. Later it may be necessary to undertake more specific or quantitative analysis on the major risk issues.

The form of analysis should be consistent with the risk evaluation criteria developed as part of establishing the risk management context (see section ABC).

Qualitative Analysis

Use of words to describe the magnitude of potential consequences and the likelihood that those consequences will occur.

Scales can be adjusted to suit the different circumstances, and descriptions may be used for different risks.

Typically used in presenting the overall risk profile, i.e. heat map.

Semi-quantitative Analysis

Use of nominal ranking scales, i.e. values are assigned to likelihood and consequence scales.

Numbers should only be combined using a formula that recognises the limitations of the kinds of scales used.

Scales are context-specific.

Typically used in prioritising risks based on numerical ranking.

Quantitative Analysis

Use of numerical values for both consequences and likelihood.

Quality of analysis depends on the accuracy and completeness of the numerical values used.

Consequences may be determined by modelling the outcomes of an event or set of events, or by extrapolation from experimental studies or past data.

Typically used in deriving financial risk reserves.

[Figure: 5 x 5 risk matrix (heat map) with Consequence across the top (Low, Minor, Moderate, High, Extreme) and Likelihood down the side (Rare, Unlikely, Moderate, Likely, Almost Certain)]

Semi-quantitative example: CONSEQUENCE: 4 (out of 5) – Major; LIKELIHOOD: 2 (out of 5) – Unlikely; OVERALL RISK = 4 * 2 = 8 (out of 25).

Illustration to be updated

Quantitative example: LIKELIHOOD: 50% (within 1 year) – Possible; CONSEQUENCE: $120,000 – Significant; OVERALL RISK EXPOSURE: 50% * $120,000 = $60,000.


Before you determine the overall risk rating you will need to determine the level of likelihood and consequence for each risk. Each organisation will need to establish its own likelihood and consequence tables. An example risk consequence scale is shown below:

The categories below are potential categories only: from the review of the risk universe of the organisation, consider those risks most applicable for the particular organisation.

Consequence scale template

Columns: Rating; Description; Financial; Service Quality; Reputation; People & Knowledge; Stakeholders; Compliance, Governance & Legal; Systems & Processes

Rating levels (rows): Fundamental; Major; Moderate; Minor; Insignificant


It is also necessary to establish your likelihood table. A generic sample is noted below.

Rating / Descriptor / Frequency / Description/s

5 Almost Certain

4 Likely

3 Possible

2 Unlikely

1 Remote

iii) Determine the overall risk rating

Once you have rated the likelihood and consequence, combine the two to determine the overall risk rating.

Based on the risk analysis, risks are classified by level to determine the appropriate level of response to those risks. Specific responses are defined in the "Treat Risks" phase.

Risk Analysis: Sample Risk Severity Rating Scale

Qualitative rating / Likely response

SEVERE/EXTREME (15-25):

Immediate escalation of risk to senior management/ Executive for prioritised response and treatment plan development.

Incorporate management of risk into established strategic governance and operational processes.

Allocate accountability for responding to risk to individual responsible for overseeing risk treatment/s.

HIGH (10-14):

Develop risk response strategies as part of risk management and operational processes.

Ongoing monitoring of risk and progress of risk response or treatment plans.

Allocate accountability for responding to risk to individual responsible for overseeing risk treatment/s.

MODERATE (5-9):

Regular monitoring and re-evaluation of potential risk and any factors that may increase consequence or likelihood of occurrence.

Allocate accountability for responding to risk to individual responsible for overseeing risk treatment/s as resources/ circumstances permit.

LOW (1-4):

No immediate response required. Risk ownership may not be allocated. Could be excluded from risk monitoring activities. Infrequent re-evaluation of risk.

GUIDE-DEVELOPING-RISK-FRAMEWORK 100

iv) Document your risk analysis process

Documentation of the risk analysis process provides a record of how risks were analysed in previous periods, thereby informing future risk analysis exercises. A key outcome of documenting the risk analysis process is enabling accurate tracking of risks over time using historical reference data.

Documentation should include:

key assumptions and limitations

sources of information used

explanation of the analysis method, and the definitions of the terms used to specify the likelihood and consequences of each risk

existing controls and their effectiveness

description and severity of consequences

the likelihood of these specific occurrences

resulting level of risk

Detailed documentation may not be required for very low risks; however a record should be kept of the rationale for initial screening of very low risks.

4.2.4.4 Communication and consultation and monitoring and review activities

Analyse risks: Monitoring and Review

Monitor the implementation of each step of the risk analysis process to test for currency and appropriateness for the organisational context.

Monitor the effectiveness and relevance of controls. Is the assessment of control effectiveness being done in a consistent way?

Monitor the approach used to determine likelihood and consequence for each risk. Is the approach still relevant / effective?

Analyse risks: Communication and Consultation

Identify the key stakeholders who need to be informed of the results of the risk analysis process.

Communicate the results. Ensure those with risk ownership / reporting responsibilities are informed of the results of the risk analysis.

Communicate any necessary/proposed changes in the risk analysis approach.

Consultation may include:

− Meetings / focus groups

− Strategic Planning

− Internal Memorandum

Toolkit reference:

Appendix D: Risk management procedure - template

Appendix E: Risk rating criteria (likelihood and consequence) - template

4.2.5 Evaluate risks

(Figure: risk management process diagram showing Establish Context, Identify Risks, Analyse Risks, Evaluate Risks, Treat Risks, Communicate and Consult, and Monitor and Review.)

4.2.5.1 What is it?

Risk evaluation involves comparing a risk’s overall exposure against the organisation’s risk tolerance.

This allows the determination of whether further controls are required to bring the risk within a level acceptable to the organisation. The output of the risk evaluation phase is a prioritised list of risks.

4.2.5.2 Why do it?

Consistent with the Risk Management Standard, the purpose of risk evaluation is to make decisions, based on the outcomes of risk analysis, about which risks need treatment and to prioritise treatments.

The output of a risk evaluation generally consists of a prioritised list of risks that require further action.

4.2.5.3 How to evaluate risks?

The following key steps are involved in evaluating risks:

i) Rank the risks based on the outcome of the risk analysis process

ii) Consider the overall risk profile

iii) Develop a list of priority risks.

i) Rank the risks

Risks can be ranked either qualitatively or quantitatively.

Applying qualitative analysis, you can rank the risks using a heat map. A heat map is a colour-coded matrix with each colour indicating the level of risk. This heat map represents the tolerance level of your organisation. This would have been developed in the earlier phase of “Establish Context”, as it is a part of the organisation’s risk management context.

Based on the control effectiveness rating, likelihood of the risk occurring and potential consequences identified in the earlier phase, plot the risks against the matrix. The completed matrix is your risk profile.

Applying semi-quantitative analysis, the organisation can also rank the risks based on their numerical value. The numerical value is a combination of the values assigned by the organisation to control effectiveness, likelihood and consequence.

The most common approach to visually recording risk is using a 5 by 5 heat map as illustrated below. A risk heat map is sometimes referred to as a risk matrix.

Risk Ranking: Heat Map Example

(Figure: a 5 by 5 risk profile with Likelihood on the vertical axis (Almost Certain, Likely, Moderate, Unlikely, Rare) and Consequence on the horizontal axis (Low, Minor, Moderate, High, Extreme). Cells are shaded Low Risk, Moderate Risk, Significant Risk or High Risk, and risks numbered 1 to 20 are plotted in the cells.)

Some organisations use the following matrices to create a heat map:

3 by 3

4 by 4

4 by 3

4 by 5

The matrices you select will reflect your organisation’s risk rating scales.

For example: If your risk consequence and likelihood used 3 point scales, such as those shown below, a 3 by 3 heat map would be appropriate:

SCORE | LIKELIHOOD | CONSEQUENCE
1 | Unlikely | Low
2 | Possible | Moderate
3 | Likely | Severe

Example Risk Profile for HRH

(Figure: a 5 by 5 heat map with LIKELIHOOD on the vertical axis (Almost Certain, Likely, Possible, Unlikely, Rare) and CONSEQUENCE on the horizontal axis (Insignificant, Minor, Moderate, Major, Catastrophic). The ten risks listed in the key below are plotted on the grid by their risk number.)

RISK NO. | RISK DESCRIPTION
1 | Failure to maintain ACHS accreditation
2 | Patient harm suffered as a result of slips, trips and falls
3 | Inability to attract suitably qualified nursing staff
4 | Declining demand for maternity services as a result of aging population in the area
5 | Severe damage to HHS facilities as a result of a natural disaster (flood, fire etc.)
6 | Billing errors as a result of staff mistakes, resulting in inaccurate patient bills or revenue not being collected.
7 | Unauthorised disclosure of patient confidentiality resulting in potential legal liabilities
8 | Damage to medical equipment as a result of improper use
9 | Inability to meet increasing demand for aged care services
10 | Incorrect diagnosis or medication errors resulting in patient harm

ii) Consider the overall risk profile

Once the initial risk profile has been developed, the organisation may need to consider how each risk ranks in relation to the other risks. This step allows the organisation to conduct a “sanity check” of the risks that have been placed on the heat map to ensure that risks are rated correctly when compared to each other (e.g. “Risk manager may be off sick with flu” is not rated the same as “Project objectives may not be met”).

Possible outcomes of this step include:

The organisation may reassess the rating of some of the risks if it is felt that the overall spread of the risks relative to each other is not a true reflection of reality

The organisation may recognise that some risks are similar to the other risks, or are contributing factors to other risks. Hence they may be incorporated into the risk description of other risks within the risk register

The organisation may consider the interdependencies between the risks and consider the consequence on the organisation if more than one risk occurred at the same time. This may result in changes to the overall risk ratings.

iii) Develop priority list of risks

The primary objective of evaluation is to prioritise risks. This helps to inform the allocation of resources to manage risks, both non-financial and financial.

The priority list can be categorised by a number of different criteria dependent on what is most relevant for the organisation e.g. risk rating, functional area or by type of impact (i.e. strategic or operational). This will further refine the focus for risk treatment.

4.2.5.4 Communication and consultation and monitoring and review activities

Evaluate risks: Monitoring and Review

Monitor consistent application

Evaluate risks: Communication and Consultation

Identify the stakeholders who need to be informed of the risk treatment process.

Communicate the outcomes of the risk evaluation process (e.g. the prioritisation of risks)

Methods of communication may include:

− Minutes from relevant risk evaluation meetings / focus groups

Consultation may include:

− Focus groups involving risk owners and those with risk reporting responsibility
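The rating, ranking and prioritisation steps above can be carried out mechanically once the scales are fixed. The following is an added worked example, not code from the VMIA guide: it multiplies the guide's 1-5 likelihood rating by a 1-5 consequence rating, maps the score onto the Sample Risk Severity Rating Scale bands (Low 1-4, Moderate 5-9, High 10-14, Severe/Extreme 15-25), plots the risks on a 5 by 5 heat map and produces the priority list that feeds the Treat Risks phase. The consequence descriptor names are taken from the HRH example profile; the likelihood and consequence assigned to each sample risk are constructed for the demonstration (the guide's figure does not give them), and control effectiveness is not factored in because the guide leaves that weighting to each organisation.

```python
from dataclasses import dataclass

# Likelihood scale from the guide's sample likelihood table (5 = Almost Certain ... 1 = Remote).
LIKELIHOOD = {"Almost Certain": 5, "Likely": 4, "Possible": 3, "Unlikely": 2, "Remote": 1}
# Five-point consequence scale; descriptor names follow the HRH example profile.
CONSEQUENCE = {"Catastrophic": 5, "Major": 4, "Moderate": 3, "Minor": 2, "Insignificant": 1}
# Severity bands from the Sample Risk Severity Rating Scale (score = likelihood x consequence).
BANDS = [(15, "Severe/Extreme"), (10, "High"), (5, "Moderate"), (1, "Low")]
BAND_ORDER = [name for _, name in BANDS]  # most severe first


@dataclass(frozen=True)
class Risk:
    number: int
    description: str
    likelihood: str    # a key of LIKELIHOOD
    consequence: str   # a key of CONSEQUENCE


# Constructed sample register: descriptions borrow from the HRH example, ratings are invented.
SAMPLE_RISKS = [
    Risk(1, "Failure to maintain ACHS accreditation", "Unlikely", "Major"),
    Risk(2, "Patient harm suffered as a result of slips, trips and falls", "Likely", "Minor"),
    Risk(3, "Inability to attract suitably qualified nursing staff", "Possible", "Major"),
    Risk(5, "Severe damage to HHS facilities as a result of a natural disaster", "Remote", "Catastrophic"),
    Risk(7, "Unauthorised disclosure of patient confidentiality", "Possible", "Catastrophic"),
    Risk(10, "Incorrect diagnosis or medication errors resulting in patient harm", "Likely", "Catastrophic"),
]


def risk_score(likelihood: str, consequence: str) -> int:
    """Combine the two ratings into the overall numerical risk rating (1..25)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def severity(score: int) -> str:
    """Map a numerical rating onto its qualitative band (Low .. Severe/Extreme)."""
    for floor, name in BANDS:
        if score >= floor:
            return name
    raise ValueError(f"score {score} is outside the 1..25 scale")


def rank_risks(risks):
    """Rank risks by score, highest first; ties keep register order by risk number."""
    ranked = [(r.number, risk_score(r.likelihood, r.consequence)) for r in risks]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


def priority_list(risks, min_band="High"):
    """Risk numbers rated at or above min_band, in ranked order: the list handed to Treat Risks."""
    cutoff = BAND_ORDER.index(min_band)
    return [n for n, s in rank_risks(risks) if BAND_ORDER.index(severity(s)) <= cutoff]


def heat_map(risks):
    """5 by 5 risk profile: (likelihood, consequence) -> risk numbers plotted in that cell."""
    grid = {(l, c): [] for l in LIKELIHOOD for c in CONSEQUENCE}
    for r in risks:
        grid[(r.likelihood, r.consequence)].append(r.number)
    return grid


def render_heat_map(risks) -> str:
    """Text rendering of the heat map: Almost Certain at the top, Catastrophic at the right."""
    grid = heat_map(risks)
    cols = sorted(CONSEQUENCE, key=CONSEQUENCE.get)
    lines = ["%-15s" % "" + "".join("%-14s" % c for c in cols)]
    for l in sorted(LIKELIHOOD, key=LIKELIHOOD.get, reverse=True):
        cells = [",".join(map(str, grid[(l, c)])) or "." for c in cols]
        lines.append("%-15s" % l + "".join("%-14s" % cell for cell in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_heat_map(SAMPLE_RISKS))
    for number, score in rank_risks(SAMPLE_RISKS):
        print(number, score, severity(score))
```

The "sanity check" described under step ii) is the human review of the rendered grid: two risks landing in the same cell should genuinely be of comparable concern, and if they are not, the ratings (not the bands) are what get revisited.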

4.2.6 Treat risks

(Figure: risk management process diagram showing Establish Context, Identify Risks, Analyse Risks, Evaluate Risks, Treat Risks, Communicate and Consult, and Monitor and Review.)

4.2.6.1 What is risk treatment?

Risk treatment involves identifying the range of options for treating risks, assessing these options and the preparation and implementation of treatment plans.

Risk treatment may involve a cyclical process of assessing a risk treatment, deciding that current risk levels are not tolerable, generating new risk treatment/s, and assessing the effect of that treatment until a level of risk is reached which is one which the organisation can tolerate based on the agreed risk criteria.

4.2.6.2 Why treat risks?

A key outcome of the risk evaluation process is a list of those risks requiring further treatment, as determined by the overall level of the risk against the organisation’s risk tolerance levels. However, not all risks will require treatment as some may be accepted by the organisation and only require occasional monitoring throughout the period.

The risks that fall outside of the organisation’s risk tolerance levels are those which pose a significant potential impact on the ability of the organisation to achieve set objectives. The purpose of treating risks is to minimise or eliminate the potential impact the risk may pose to the achievement of set objectives.

4.2.6.3 How to treat risks

Treating risks involves the following key steps, each of which are covered in detail in this section:

identify risk treatment options

select risk treatment options

assign risk ownership

prepare risk treatment plans

i) Identify risk treatment options

Risk treatment design should be based on a comprehensive understanding of how risks arise. This includes understanding not only the immediate causes of an event but also the underlying factors that influence whether the proposed treatment will be effective.

Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances.

Risk Treatment Options

Option | Description
Retain the risk | Accept the impact of the risk
Share/ transfer the risk | Transfer ownership and liability to a Third party (e.g. Insurance)
Change the consequence | Undertake actions aimed at reducing the impact of the risk
Change the likelihood | Undertake actions aimed at reducing the probability of the risk occurring
Avoid the risk | Change business processes or objectives so as to avoid the risk

ii) Select options for treatment

The Standard recommends that consideration be given to the cost of the treatment as compared to the likely risk reduction that will result. For example, if the only available treatment option would cost in excess of $10M to implement and the cost impact of the risk is only $5M, it may not be advisable.

In order to understand the costs and benefits associated with each risk treatment option, it is necessary to conduct a cost-benefit analysis.

Basic cost benefit analysis:

Define, or breakdown the risk into its elements by drawing up a flowchart or list of inputs, outputs, activities and events.

Calculate, research or estimate the cost and benefit associated with each element. (Include if possible direct, indirect, financial and social costs and benefits).

Compare the sum of the costs with the sum of the benefits.

Cost Benefit Analysis Example:

An HR manager has a risk of “Ineffective records management leads to loss of employee data”. As a treatment strategy she is deciding whether to implement a new personnel management and payroll system. The HR department has only a few computers and are not highly computer literate. She is aware that computerised information will allow more accurate analysis of data and give a higher quality of reliability and service to internal customers.

Her financial cost/benefit analysis is shown below:

Costs:

New computer equipment:
10 PCs with supporting software @ $2,450 each
1 server @ $3,500
3 printers @ $1,200 each
Cabling & Installation @ $4,600
Payroll Software @ $15,000

Training costs:
Computer introduction - 8 people @ $400 each
Keyboard skills - 8 people @ $400 each
Payroll System - 4 people @ $700 each

Other costs:
Lost time: 40 man days @ $200 / day

Total cost: $68,400

Benefits:
Doubling of payroll capacity: estimate: $40,000 / year
Improved efficiency and reliability of client service: estimate: $50,000 / year
Improved accuracy of customer information: estimate: $10,000 / year
Reduction of payroll and processing effort: $30,000 / year

iii) Assign risk ownership

The CEO and/or the Executive Management Committee typically allocate responsibility for risk to an operational or functional area line manager.

Assigning Risk Ownership: Example

Risk Type | Risk Owner
Strategic | Chief Executive Officer
Finance/Budgeting | Finance Manager / Chief Financial Officer
Health and Safety | Facilities Manager or Human Resources Manager
Business Continuity | Risk Officer or Facilities Manager
Reputational | Chief Executive Officer / Communications Manager
IT and Systems | IT Manager
Human Resources | Human Resources Manager

Risk owners nominated by executive management should assume responsibility for developing effective risk treatment plans. The risk owner should be a senior staff member or manager with sufficient technical knowledge about the risk and/or risk area for which a treatment is required.

The risk owner will often delegate responsibility (but not accountability) to his/her direct reports or consultants for detailed plan development and implementation.

iv) Prepare treatment plans

Once treatment options for individual risks have been selected, all treatment options should be consolidated into risk action plans and/or strategies. As one risk treatment may impact on multiple risks, treatment actions for different risks need to be combined and compared so as to identify and resolve conflicts between plans and to reduce duplication of effort.

Treatment plans should:

identify responsibilities, schedules, the expected outcome of treatments, budgets, performance measures and the review process to be set in place

include mechanisms for assessing and monitoring treatment effectiveness, within the context of individual responsibilities and organisational objectives, and processes for monitoring treatment plan progress against critical implementation milestones. This information should all arise from the treatment design process

document how, practically, the chosen options will be implemented.

The successful implementation of the risk treatment plan requires an effective management system that specifies the methods chosen, assigns responsibilities and individual accountabilities for actions, and monitors them against specified criteria. Communication is a very important part of treatment plan implementation.

4.2.6.4 Communication and consultation and monitoring and review activities

Treat risks: Monitoring and Review

Monitor / test the effectiveness of risk treatment plans: Does the risk require further treatment – Y/N?

Monitor the utilisation of resources for the treatment of risks. Is the need for resources greater for treating other risks?

Continually monitor changes in risk levels (reflected in changes to risk ratings) over time.

Treat risks: Communication and Consultation

Identify the stakeholders who need to be informed of the risk treatment process.

Communicate the risk treatment plan to relevant stakeholders. This should specify who is responsible for risk treatments, timeframe for completion and resources available.

Communicate changes to risk ratings (risk levels) over time to inform further risk treatment decisions and identify successes in managing risk.

Communicate any urgent changes required to further reduce risk levels.

Consultation may include:

− Focus group discussions

− Internal Audit findings

Toolkit Reference:

Appendix J: Risk assessment - template

4.2.7 Monitor and review

(Figure: risk management process diagram showing Establish Context, Identify Risks, Analyse Risks, Evaluate Risks, Treat Risks, Communicate and Consult, and Monitor and Review.)

4.2.7.1 What is monitoring and review?

Monitoring and reviewing risk management involves:

analysing and learning lessons from events, changes and trends

detecting changes in the external and internal context including changes to the risk itself which may require revision of risk treatments and priorities

ensuring that the risk control and treatment measures are effective in both design and operation.

Monitoring and review is an essential and integral part of managing risk, and is one of the most important steps of the risk management process. It is necessary to monitor risks, the effectiveness and appropriateness of the strategies and management systems set up to implement risk treatments and the risk management plan and system as a whole.

4.2.7.2 Why do it?

Regular monitoring throughout the risk management process is necessary to:

ensure currency of risk information - the environment in which the organisation is operating is constantly changing and so therefore are its risks. If risk information is inaccurate, it may cause the organisation to make poor decisions it could otherwise have avoided

ensure effectiveness and adequacy of risk management processes

continuously evolve to desired levels of risk management maturity

continuously improve, adopting better practices and developments in risk management.

4.2.7.3 How to monitor and review

The key steps to Monitor and Review are:

i) understand the different types and levels of monitoring and review

ii) establish your monitoring and review cycle

iii) measure risk management performance.

i) Understand different levels and types of monitoring and review

Different types of monitoring and review will be dependent on the type of decisions made around risks and risk management. This also implies varying levels of frequency and aggregation of risk information depending on the purpose of the review:

At the task level, routine measurement or checking of particular parameters (for example pollution levels, or cash flows) is often required through continuous (or at least frequent) monitoring.

At the functional or operational level, line management reviews risks and their treatments on a regular basis. Risks are reviewed within a predefined scope and prioritised according to agreed criteria.

At an organisational level, a risk function, manager or committee reviews enterprise-level risks. At this level of monitoring, relevance and alignment to organisational strategies are reviewed. The risk management framework is also reviewed at this level.

Monitoring and review of risk management framework

The context of risk management needs to be reviewed at enterprise level. This may include ensuring the currency of the organisation’s risk criteria, risk tolerance and risk categories.

The maturity of the risk management framework in terms of design and implementation could be monitored through tools such as surveys and benchmarking, comparing against latest risk management better practices.

Maturity of risk management can be monitored comparing the current level of maturity and the desired level of maturity at regular intervals (i.e. annually).

ii) Establish your monitoring and review cycle

The monitoring and review cycle will vary depending on the context of risk management and an organisation’s risk management strategy. Typically, on an annual basis, the entire risk profile will be reviewed by the Risk & Compliance Committee (or equivalent); however this may be more frequent if major business changes are occurring.

Every three years the risk management framework and associated documentation will be reviewed either as part of the internal audit process, or by an independent third party.

4.2.7.4 Measuring risk management performance

Performance Indicators (PIs) are quantitative measures of the level of performance of a given item or activity. They need to be measurable and appropriate to individual business units and hold individuals accountable while forming the basis for continuing improvement.

Organisations should use their normal organisational planning processes to generate performance measures for the risk management system and processes. The performance indicators should reflect the range of key organisational objectives defined when the context was established at the start of the process. Performance indicators may monitor outcomes (for example, specific losses or gains) or processes (for example, consistent performance of risk treatment procedures).

Normally a blend of indicators is used, however outcome performance indicators usually significantly lag the changes that give rise to them, so in a dynamic environment operational process indicators are likely to be more useful.

Performance indicators should reflect the relative importance of risk management actions, with the greatest effort and focus applied to:

the highest risks

the most critical treatments or other processes

treatments or processes with the greatest potential for improvements in efficiency.

In choosing performance indicators, it is important to check that:

they are reasonably able to be measured

they are efficient in terms of demands on time, effort and resources

the measuring process/surveillance encourages or facilitates desirable behaviours and does not motivate undesirable behaviours (such as fabrication of data)

those involved understand the process and expected benefits and have the opportunity to input to the procedure

the results are captured and reported in a form that will facilitate learning and improvement.

Risk management performance indicators may be included in risk management reports to senior management and the Board.

Risk management monitoring and review should also include an attestation process. Attestation is a formal reporting and sign-off in the Annual Report on the organisation’s risk management implementation. The attestation process is described in further detail in section 5.2.

4.3 Risk and Risk Management Reporting

(Figure: framework overview diagram listing the guide's parts: Developing a Risk Management Framework; Implementing a Risk Management Framework; Monitoring and Enhancing a Risk Management Framework; Overview – Risk Management Framework; Key Considerations When Designing a Framework; Documenting a Framework; Risk Management Governance; Risk Management Information Systems; Overview of a Risk Management Process; Risk Management Process; Risk and Risk Management Reporting; Monitoring and Reviewing Risk Mgt Framework; Attestation Process; Continuous Improvement; Developing Desired Risk Management Culture.)

Risk reporting is the regular provision of appropriate risk-related information to stakeholders and decision-makers within an organisation in order to support understanding of risk management issues and to assist stakeholders in performing their duties within the organisation.

4.3.1 The need for risk reporting

Successful risk management requires frequent and open communication with a broad group of internal and external stakeholders. This makes risk reporting and the definition of a risk communications and reporting plan a key component of an organisational risk management (or ERM) programme.

Effective risk reporting also contributes to good corporate governance by providing reliable and current information to Boards, senior managers and other stakeholders regarding the risks faced by the organisation as well as the treatment plans in place to manage these risks. The Board of a public entity is also required to inform the Minister and department head of known major risks.

The availability of this information can be used to support management decision-making during strategic planning and operational management processes.

4.3.2 Foundations of good reporting

The following principles should be remembered when developing a risk reporting solution:

The quality of risk reporting is dependent on a fully functioning risk management system. Incomplete or unreliable risk identification, assessment, prioritisation and treatment outputs will reflect in poor reporting outputs.

There is no single risk report that meets the needs of all stakeholders. Reports should be developed and customised to reflect the needs and preferences of the target audience and its purpose. Seek input from stakeholders before implementing a risk reporting solution, as this should be part of existing reports and reporting frameworks.

Although all organisations need to report on risk to various stakeholder groups, organisations with more mature and sophisticated risk management frameworks will typically produce a number of customised risk reports to meet the needs of different stakeholder groups throughout the year.

Avoid providing too much or too little information in risk reports. Senior Management and the Board will typically prefer a summary of risks and risk trends, focusing on high risk and strategic issues across the organisation, while those involved in managing specific risks will require detailed information covering their areas of responsibility.

4.3.3 The audience for risk reporting

Risk reports should be delivered to a broad spectrum of organisational stakeholders. Typical recipients of regular formal risk reports should include:

– CEO and Board of Directors.

– Business unit heads of all major business functions.

– Compliance committees (notably Internal Audit and Risk Management).

– Staff directly responsible for designing and implementing risk management treatments.

– Employees who need to assist in the identification of risk and the implementation of risk plans.

– Government ministries and agencies.

– The public (through access to Annual Reports and press releases)

A single person, typically the risk manager, should be responsible for co-ordinating and drafting risk reports to ensure consistency in standards and format.

Risk reporting can be automated using risk management software such as the VMIA’s Risk Register, Cura, Riskman etc. However, it is still important to ensure that reporting formats meet stakeholder requirements.

The risk process should ensure that risks are linked to strategic objectives. This helps to report on risk within a strategic organisational context.

4.3.4 Frequency of risk reporting

At a minimum, an organisation should update and report on its risk profile on an annual basis. While an annual reporting and update cycle may meet statutory requirements, effective risk management typically requires more frequent reporting on risk.

The frequency of risk reporting should reflect the cycle of the organisation’s regular internal reporting. Where the Executive receives monthly or quarterly progress reports on Financial, Operational, Health and Safety or IT matters, they may wish to receive similar risk reports.

Typical reporting frequency for various risk report types is outlined in the following table:

STRATEGIC/ OPERATIONAL | TYPE OF REPORT | RECIPIENT/S | SUGGESTED FREQUENCY
STRATEGIC | Risk Management Statement in Annual Report | External Parties; Public | Annually
STRATEGIC | Risk Report to Audit/ Compliance Committee/s | Audit Committee; Internal Audit; Executive Management | Based on required Audit Committee frequency
STRATEGIC | Board Risk Reports | Board of Directors; CEO; Compliance Committees | Quarterly or bi-annually
STRATEGIC | Risk Committee Reports | Risk Committee; CEO; Internal Audit | Monthly or Quarterly
OPERATIONAL | Operational Risk Reports (including Clinical Risk) | Functional Area Manager/s; Project Managers; Staff responsible for implementing risk solutions | Based on organisational type: Monthly or Quarterly
OPERATIONAL | Risk Events/Adverse Events Summary | Risk Manager; Line Management | Monthly or Quarterly. All adverse events recorded immediately following event
OPERATIONAL | Staff Communications (on risk initiatives; following adverse event/s) | Employees; Key Suppliers | Ad hoc basis, as required

Page 117: Risk framework

4.3.5 Types and content of risk reports

The information within risk reports is drawn from the risk register of the organisation. By filtering the information within the risk register, it is possible to draft a number of reports tailored to suit the needs of the various recipients. The following table illustrates the different types of reporting:

STRATEGIC/ OPERATIONAL: REPORT TYPE and COMMENT

STRATEGIC

Annual Report Attestation: Boards/CEOs and Secretaries that are accountable for the risks of their organisations are required to attest in the annual report that organisations have risk management processes in place consistent with the [4360] Standard, and that: these processes are effective in controlling risks to a satisfactory level; a responsible body or audit committee verifies that view. This attestation is often accompanied by information for external stakeholders about key risks within the organisation and approaches to addressing these risks.

Top Risks/ Strategic Risks: These reports contain a prioritised list of the top 10 to 20 risks based on consequence and likelihood scores. Typically they include details about the risk, information on key controls and their effectiveness and additional treatments needed with timeframes.

Risk Trends: When risks are regularly reassessed, it is possible to: define target risk levels for key risks; identify which risks are getting worse or where treatments are reducing risk exposures; identify risk areas that need additional attention; and demonstrate the success of treatment plans.

New and/or Emerging Risks: By sorting risks according to when they were identified, it is possible to easily report on new risks that may still need to be fully considered and understood. From an emerging risks perspective, types or categories of risks that may begin to emerge over the next 2-3 years or longer should be identified and captured. Details at this stage may only include information regarding what research is being undertaken into the risk, and who is responsible.

Risks with Ineffective Controls: By identifying significant/ extreme risks with ineffective controls, the Board and Executive are able to identify potential points of business failure that need urgent interventions or resource support.

Risk Categories/ Risk Types: In order to identify the main areas of exposure, it is helpful for Boards to understand where the majority of risk exposures originate. For example, what proportion of risks are Financial, Operational, Strategic, or Compliance related. This information is typically incorporated into the report types listed above. The detail behind these summary reports can also be provided to functional area management and specialists responsible for managing specific types of risk.

OPERATIONAL

Unallocated Risks: By grouping all risks that have not been allocated to a responsible person for follow-up and response, management can identify key risks that are not being effectively monitored and managed.

Risk Owner/ Person Responsible: By filtering the report by the risk owner, those responsible can view the risk treatments that they need to oversee or develop.

Risk Treatments Due or Overdue: By sorting risks according to due dates for treatment plans/ responses, Risk Managers, Project Managers and others can identify critical timeframes for responding to key risks as well as identify and manage potential delays and/or non-performance in responding to risk.

It should be noted that for all the risk report types outlined above, organisations may choose to report predominantly on an “exception” basis. This means to either:

only report on the changes from the last report rather than producing risk reports that contain data that is largely unchanged from the last reporting cycle

only report on risks at the Executive/ Senior Manager level that fulfil predefined characteristics (e.g. significant risks with poor control effectiveness).

This approach prevents the situation where the same risk may justifiably appear on the report time after time as it is rated high, but no further action can be taken to mitigate the risk at that time (i.e. the risk has been accepted as high). In this instance, report recipients may fail to pay attention to the risk report as they become used to seeing the same risk information and therefore begin to regard the risk reporting process as non-value adding. It is important however that there is complete oversight of all risks on at least an annual basis to ensure that there have been no changes to the overall risk profile, and that the executives/senior managers are fulfilling their oversight duties.

Client Comment:

As the Metropolitan Fire and Emergency Services Board’s (MFESB) risk framework and processes developed, the volume of risk data available significantly increased. The MFESB decided to review industry benchmarks to determine ‘typical’ board reporting models and standards. This resulted in a model that differentiates between long-term, short-term and emerging risks. Long-term risks are reported by exception (that is, only when key control effectiveness falls to a pre-determined level). The effect is to prevent Board reports being continually populated by the same slow changing long-term risks. These are now reported on a six monthly basis irrespective of control effectiveness.

…MFESB Risk Reporting Project Co-funded by VMIA

4.3.6 Format of risk reports

The way that risk information is presented can make a huge difference in the value it adds. It is often useful to graphically represent risk information in order to make the information easily understood, and to show a large volume of information in a compact manner.

The following section provides examples of three types of risk reports:

i) Strategic risk reports

ii) Operational risk reports

iii) Key risk indicator reports.

i) Strategic risk report formats

Heat maps are commonly used to report on the top risks faced by the organisation, and are well received by most boards. They are useful as they graphically illustrate the relative severity of risks in relation to each other.

[Figure: Sample Risk Reporting: Heatmap – Risk Profile]

The green areas represent the least severe risks, and as the risk moves upward and right towards the red shaded area, the level of risk exposure increases.

Heat maps are less useful (difficult to read) when there is a need to illustrate a large number of risks, or where risk scores are very similar for all risks.
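The report views in the types-of-reports table (treatments due or overdue, risk owner, unallocated risks, risks with ineffective controls, top risks, risk categories) and the heat map just described are all produced by filtering and sorting the one register. The following Python is an added example, not VMIA code or the VMIA Risk Register: it runs those views over a constructed five-row register and lays the risks out on a 5x5 likelihood/consequence grid; the scoring matrix, colour bands and sample rows are assumptions.

```python
"""Report views over a constructed risk register, plus a 5x5 heat map (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Risk:
    ref: str
    description: str
    category: str                 # Financial / Operational / Strategic / Compliance
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    consequence: int              # 1 (insignificant) .. 5 (catastrophic)
    control_effectiveness: str    # "effective", "partially effective", "ineffective"
    owner: Optional[str] = None   # None = not allocated to a responsible person
    treatment_due: Optional[date] = None
    treatment_closed: bool = False

    @property
    def score(self) -> int:
        """Rating score = likelihood x consequence (assumed 5x5 matrix)."""
        return self.likelihood * self.consequence


def severity_band(score: int) -> str:
    """Assumed colour bands: green (least severe) through amber to red (most severe)."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


# Constructed sample register (not real organisational data).
REGISTER = [
    Risk("R1", "Major project cost overrun", "Financial", 4, 4,
         "partially effective", "CFO", date(2010, 3, 15)),
    Risk("R2", "Clinical system outage loses patient records", "Operational", 3, 5,
         "ineffective", "CIO", date(2010, 2, 1)),
    Risk("R3", "Annual attestation not supported by evidence", "Compliance", 2, 3,
         "effective"),
    Risk("R4", "Key supplier insolvency", "Strategic", 3, 4,
         "ineffective", None, date(2010, 4, 30)),
    Risk("R5", "Medication errors", "Operational", 4, 3,
         "partially effective", "Director of Nursing", date(2010, 1, 20), True),
]
AS_OF = date(2010, 3, 1)   # reporting date for the constructed register


def treatments_due_or_overdue(register, as_of, window_days=30):
    """Open treatments that are overdue, or due within the reporting window, oldest first."""
    horizon = as_of + timedelta(days=window_days)
    rows = [(r.treatment_due, r.ref, "overdue" if r.treatment_due < as_of else "due")
            for r in register
            if not r.treatment_closed and r.treatment_due is not None
            and r.treatment_due <= horizon]
    return [(ref, status) for _, ref, status in sorted(rows)]


def by_owner(register, owner):
    """Open treatments a named risk owner needs to oversee or develop."""
    return [r.ref for r in register if r.owner == owner and not r.treatment_closed]


def unallocated_risks(register):
    """Risks with no responsible person, i.e. not being monitored or managed."""
    return [r.ref for r in register if r.owner is None]


def risks_with_ineffective_controls(register, min_score=12):
    """Significant risks whose controls are rated ineffective, highest score first."""
    hits = [r for r in register
            if r.control_effectiveness == "ineffective" and r.score >= min_score]
    return [r.ref for r in sorted(hits, key=lambda r: (-r.score, r.ref))]


def top_risks(register, n=10):
    """Prioritised list: score descending, then consequence, then reference."""
    ranked = sorted(register, key=lambda r: (-r.score, -r.consequence, r.ref))
    return [(r.ref, r.score, r.control_effectiveness) for r in ranked[:n]]


def category_profile(register):
    """Proportion of register entries in each risk category (Board-level summary)."""
    counts = Counter(r.category for r in register)
    total = sum(counts.values())
    return {cat: round(n / total, 2) for cat, n in sorted(counts.items())}


def heat_map(register):
    """Map each (likelihood, consequence) cell to the risk references sitting in it."""
    grid = {}
    for r in register:
        grid.setdefault((r.likelihood, r.consequence), []).append(r.ref)
    return grid


def render_heat_map(grid):
    """Text heat map: likelihood 5 (top) to 1, consequence 1 (left) to 5, band initial per cell."""
    lines = ["L\\C " + "".join(f"{c:^12}" for c in range(1, 6))]
    for lk in range(5, 0, -1):
        cells = []
        for c in range(1, 6):
            refs = ",".join(sorted(grid.get((lk, c), []))) or "."
            cells.append(f"{refs}[{severity_band(lk * c)[0]}]".center(12))
        lines.append(f"{lk:<4}" + "".join(cells))
    return "\n".join(lines)
```

Calling `print(render_heat_map(heat_map(REGISTER)))` draws the grid with each cell's band initial (g/a/r), which is the text equivalent of the green-to-red shading described above.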

The ability to effectively link an organisation’s key risks to its strategic objectives or business goals is an indicator of a maturing risk management framework. An example is illustrated in the value chain report below.

Value chain reports are useful to board and executive management as they show the link between organisational strategy and risk. It is also a useful technique for identifying risks, i.e. what are the risks to the achievement of the objectives?

[Figure: Risk Reporting: Value Chain – Linking strategy and risk. The MES Executive Team identified the following as significant risks to its ability to meet organisational objectives. The management of these risks is regularly reported to the Vice Chancellor (CEO equivalent) and risk committee. The risk committee will present this to the MES Council upon request.]

ii) Operational risk report format

Table formats, of which there are many variations, are useful for reporting on a large number of risks or when a greater amount of detail about each risk is required. This approach is best suited to operational risk reporting where, for example, the risk owner or risk manager will want to review more detailed risk and control information such as:

control effectiveness levels

rating scores

treatment plans

treatment due dates.

These reports are used by risk committees, programme managers and risk owners to monitor and manage the update, implementation and review of risk management activities/ plans. This level of detail can be provided as supporting information to summary executive reports, or provided where the board or executive wish to review a specific risk or cluster of risks.

A key advantage of table or spreadsheet reports is that they can easily be filtered or sorted to meet the reporting requirements of a specific target audience. It is also easy to add to or modify content following risk update processes.

[Figure: Risk Reporting: Operational Risk Report – Sample Format 1]

[Figure: Risk Reporting: Operational Risk Report – Sample Format 2]

iii) Key Risk Indicators (KRIs)

Key risk indicators – which are used to measure risk levels – should be developed once an organisation is satisfied that the basic elements of its risk management framework are well established and operating effectively.

In addition to reports containing qualitative data, once an organisation has established an effective system of risk reporting, it may wish to consider the use of quantitative data in the form of KRIs. Indicators are a valuable tool to facilitate the monitoring of risks and controls over time against an organisation’s risk appetite. Whilst risk and control data in many organisations is formally updated on a regular basis, key indicators enable an organisation to continuously and predictively monitor changes to its risk profile or control framework, and allow actions to be carried out in a more timely and effective manner.

It is important to note that use of KRIs is considered to be at the “mature end” of the risk management spectrum, and therefore organisations should not attempt to develop and roll out such indicators until they have established a robust risk management framework that delivers clearly defined and understood risk and control data. In addition, as risk indicators can be costly to implement and maintain, it is recommended that such indicators are only used for significant risks.

For organisations who are keen to focus on more quantitative data but which do not have the necessary resources to identify and monitor the large volumes of data required for risk indicators, it is recommended that priority is given to the identification and monitoring of key control indicators instead (see definitions below) as they are easier to identify and capture, and will reflect a weakening in the control environment that is likely to result in an increased level of risk.

Client Comment:

“I had never made the connection between the organisation’s risk management processes – which I am not an expert in – and the monthly business performance indicators we receive in preparation for our monthly meetings. After attending a risk management training session for the Board, I realise that we can use existing trend reports covering areas such as: variance to budget; OH&S incidents; staff turnover and vacancies; medication errors; patient falls; to monitor changes in risk levels or to identify new risks. The hospital is planning to define acceptable levels or thresholds for each business indicator it reports on, which if exceeded, would result in a re-appraisal of related risks and escalation of the risk to our Risk and Audit Committee for further action.”

…Non-executive Board Member, Regional Healthcare

For example, the motor insurance industry relies heavily on risk indicators when determining appropriate policy pricing. Factors such as age of applicant, neighbourhood and number of kilometres driven each year build a profile of the applicant and therefore the ‘risk’ that the insurance firm will have to pay out on a claim. If an insurance company were to attempt to write new business without utilising indicators, underwriters would be forced to use their intuition to judge how likely a new customer would be to claim in the future. Whilst some may prove to have good insight, many would misjudge the risk and consequently business performance would be significantly (negatively) affected.

Key indicators allow an organisation to:

appreciate how risk moves and is affected by the business environment

focus attention on risk drivers that are most volatile

ensure controls around the drivers are robust and effective

gain a forward looking perspective of the current risk profile

understand the early warning signals for emerging risks

understand how the risk profile changes in different circumstances

There are three types of key indicators commonly used: Key Performance Indicators, Key Risk Indicators and Key Control Indicators. There is often confusion as to the difference between them. Below is a brief definition of each:

i) Key Performance Indicators (KPIs) are used to monitor the change in overall business performance (e.g. budget) in relation to specific business objectives. KPIs can measure internal or external factors and can be seen as events that may raise warnings as to potential risks.

ii) Key Risk Indicators (KRIs) are a specific measure relating to a particular risk that shows a change in the likelihood or consequence of that risk event occurring. KRIs that demonstrate increased exposure to risks (e.g. significant increases in business volumes combined with potential staff numbers) can show what level of stress or strain current control activities may be put under.

iii) Key Control Indicators (KCIs) are metrics that can demonstrate a change in a specific control’s effectiveness (e.g. a control’s design and its actual performance). A deterioration of KCIs reflects a weakening in the control environment and is likely to result in an increase in a risk’s likelihood or consequence.

Examples of such indicators are illustrated in the following table:

Key Risk Indicator Example

Business objective: To deliver major projects on budget

KPI: Project delivered 90% within budget; % difference between target and actual budget

Risk: Major project cost overrun (Cause: Project creep; Impact: Additional project funding required)

Control: Project plan (prevent); Business case (prevent); Risk management (prevent); Gateway review (detect); Resource plan (prevent)

KRI: # variations to project plan (L); # variations to scope (L); # variations to required budget (I)

KCI: # passed gateway reviews; # unacceptable risks

Defining an effective system of Key Risk Indicators (KRIs) can be broken down into five phases:

i) identify and document the key risk and control indicators

ii) source and validate existing KRI data

iii) establish tolerance levels and escalation procedures

iv) analyse, report, and revise the KRIs

v) monitor KRIs.

These phases are outlined in further detail in the following table:

Phase: Identify and document the Key Risk and Control Indicators

Activities:

• Review existing risk profiles. Ensure that all major risks are captured and the causes and consequences are understood. Understanding the causes is essential for determining the risk metrics that measure changes in the likelihood of a risk occurring; and understanding the consequences is essential for determining the risk metrics that measure changes in the impact of a risk.

• Determine factors that lead to changes in risk consequence or likelihood – these are the KRIs.

• Review the control environment and ensure that the controls are adequately addressing the risks.

• Identify the Key Control Indicators that indicate changes to control design or performance.

Phase: Source and validate existing KRI and KCI data

Activities:

• Collect, extract or produce relevant data.

• Ensure that the KRI and KCI data is providing information that is reliable and of good quality.

• Clarify dependencies on other parties who are responsible for producing and maintaining the data.

• Ensure data history is maintained and ownership established.

• Once the indicators have been sourced, each KRI/ KCI needs to be documented. As a minimum, the information recorded should be:

- Description of the KRI/ KCI

- Owner

- Data source

- Tolerances/ thresholds

- Escalation protocols

- Actions

Phase: Establish tolerance levels and escalation procedures

Activities:

Consider at what level the organisation is prepared to accept a defined level of risk, and when and to whom risk data needs to be escalated. Escalation levels should be defined in line with risk tolerances and risk appetite, and to keep the system simple, Red/ Amber/ Green ratings can be used to represent the need to escalate to middle management (Amber) and senior management (Red).

Phase: Analyse, report and revise the KRIs/ KCIs

Activities:

• Analyse changes against the defined thresholds and report on a monthly basis.

• Identify trends and tendencies.

• Escalate to the relevant level of management as defined by the organisation’s risk tolerance levels.

• Assign the required actions and resolution dates to owners.

• Revise the process, indicators and data as required.

Phase: Monitor

Activities:

KRI and KCI movements and trends should be monitored on a regular basis by linking the data to a risk reporting system, or real time exception based reporting.
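Phases ii) to v) of the table above, as an added Python example (not VMIA code and not the VMIA Risk Register): each KRI/KCI is documented with its owner, data source and Amber/Red tolerances; the latest monthly value is rated Red/Amber/Green and mapped to the escalation level; the trend is taken from the previous month; breached indicators flag their linked risk for re-appraisal; and an exception-only view is derived for reporting. The indicators, thresholds and monthly values are constructed around the “deliver major projects on budget” example and are not real data.

```python
"""Key indicator monitoring with Red/Amber/Green escalation (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Indicator:
    """One documented KRI/KCI: description, owner, data source and tolerances."""
    name: str
    kind: str               # "KRI" (risk indicator) or "KCI" (control indicator)
    risk_ref: str           # reference of the register risk this indicator relates to
    owner: str
    data_source: str
    amber: float            # tolerance breached -> escalate to middle management
    red: float              # tolerance breached -> escalate to senior management
    higher_is_worse: bool = True   # False for indicators such as a pass rate


ESCALATION = {"green": "none", "amber": "middle management", "red": "senior management"}


def rate(ind: Indicator, value: float) -> str:
    """Red/Amber/Green rating of one observation against the indicator's tolerances."""
    if ind.higher_is_worse:
        return "red" if value >= ind.red else "amber" if value >= ind.amber else "green"
    return "red" if value <= ind.red else "amber" if value <= ind.amber else "green"


def trend(ind: Indicator, values: Sequence[float]) -> str:
    """Direction of the latest movement relative to the previous observation."""
    if len(values) < 2:
        return "insufficient data"
    delta = values[-1] - values[-2]
    if delta == 0:
        return "stable"
    worse = delta > 0 if ind.higher_is_worse else delta < 0
    return "worsening" if worse else "improving"


# Constructed indicators (owners, sources and tolerances are assumptions).
INDICATORS = [
    Indicator("# variations to scope", "KRI", "R1", "PMO lead", "project change log", 3, 6),
    Indicator("% difference target vs actual budget", "KRI", "R1", "CFO", "finance system", 5, 10),
    Indicator("% gateway reviews passed", "KCI", "R1", "PMO lead", "gateway register", 80, 60, False),
    Indicator("# unacceptable risks on project register", "KCI", "R2", "Risk Manager", "risk register", 2, 5),
]

# Constructed monthly observations, Jan..Mar, keyed by indicator name.
SERIES = {
    "# variations to scope": [1, 4, 7],
    "% difference target vs actual budget": [2.0, 4.0, 4.5],
    "% gateway reviews passed": [90, 75, 70],
    "# unacceptable risks on project register": [3, 2, 1],
}


def monthly_report(indicators, series) -> List[Dict]:
    """One row per indicator for the latest month: value, rating, escalation, trend, owner."""
    rows = []
    for ind in indicators:
        values = series[ind.name]
        rating = rate(ind, values[-1])
        rows.append({
            "indicator": ind.name, "kind": ind.kind, "risk": ind.risk_ref,
            "value": values[-1], "rating": rating,
            "escalate_to": ESCALATION[rating], "trend": trend(ind, values),
            "owner": ind.owner, "source": ind.data_source,
        })
    return rows


def risks_to_reappraise(report) -> List[str]:
    """Risks whose indicators breached a tolerance: re-assess likelihood, consequence, controls."""
    return sorted({row["risk"] for row in report if row["rating"] != "green"})


def exceptions_only(report) -> List[Dict]:
    """Exception-based view: only rows that breached a tolerance or are worsening."""
    return [row for row in report if row["rating"] != "green" or row["trend"] == "worsening"]


if __name__ == "__main__":
    rep = monthly_report(INDICATORS, SERIES)
    for row in exceptions_only(rep):
        print(f"{row['rating'].upper():5} {row['indicator']}: {row['value']} "
              f"({row['trend']}) -> escalate to {row['escalate_to']}, owner {row['owner']}")
    print("Risks to re-appraise:", risks_to_reappraise(rep))
```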

4.3.7 The use of risk management software for reporting

The use of risk management software is useful in helping manage risk related information. However, it is not essential to use risk software to achieve a robust and effective risk management framework.

Most specialised risk management and internal audit software tools, such as RiskMan, Cura, ERA and RiskAdvisor, include automated risk reporting capabilities. Software tools can simplify and reduce the time required to report on risk management initiatives.

While many generic reports can be drawn from such software, it is still important to ensure that the report format and content meets stakeholder requirements. In many cases an organisation may commission consultants, software vendors or internal IT specialists to develop customised reports to meet specific reporting requirements.

4.3.8 The VMIA’s Risk Register software

The VMIA has designed a simple risk recording and reporting tool, VMIA Risk Register, that is available free-of-charge to VMIA’s insurance clients.

The software is not designed to replace or replicate the functionality of specialised risk software packages. It has been developed to provide a simple and easy to use risk tool for the VMIA’s insurance clients that may not require a comprehensive governance, risk and compliance software product.

The VMIA Risk Register is designed to allow organisations to:

Create a single risk register across the organisation

Record pertinent risk information, including:

- Risk descriptions, causes and impacts

- Risk assessment outcomes (likelihood, consequence, control effectiveness etc.)

- Categorisation of risks (risk categories)

- Linkage of risks to specific business units

- Linkage of risks to specific strategic objectives

- Current control information (summary level)

- Responsibility for risk

- Risk treatment and response (summary level)

- Risk response status and due dates

Select from a range of pre-defined summary and detailed risk reports in both graphical and text formats. The software is able to generate heat map reports.

4.3.9 Conclusion

The importance of an effective risk reporting system should not be underestimated as it ultimately supports improved decision-making ability. The failure to effectively report on risk will also undermine executive and Board support for the organisation’s risk management process.

Reports should be viewed as a business tool, rather than a compliance requirement. Remember that there is no ‘right or wrong’ approach to risk reporting, as long as the reports produced:

meet the needs of your stakeholders

are available when needed by the business

contain current, updated quality information

are easily understandable

contain the right level of detail

are supported by detailed underlying risk information, where appropriate

support action and accountability for risk management across the organisation.

Considering these requirements when designing risk reporting solutions should maximise the benefits obtained from risk management processes.

Toolkit Reference:

Appendix L: Risk register – MS Excel template

Appendix N: Risk reporting – MS Word templates

Appendix P: Risk management information systems – check-list

VMIA Risk Register software – Refer to the VMIA website or contact your VMIA representative

[Figure: Framework overview diagram – Developing a Risk Management Framework; Implementing a Risk Management Framework; Monitoring and Enhancing a Risk Management Framework. Panels: Overview of a Risk Management Framework; Key Considerations When Designing a Framework; Risk Management Process; Attestation Process; Documenting a Framework; Risk Management Governance; Risk and Risk Management Reporting; Developing Desired Risk Management Culture; Risk Management Information Systems; Overview – Risk Management Process; Monitoring and Reviewing a Risk Mgt Framework; Continuous Improvement]

4.4 Developing desired risk management culture

4.4.1 What is risk management culture?

Culture is defined as “the way we work around here”. It is the collective way of doing things, through accepted behaviours and processes.

A risk management culture specifically refers to the way risk management is applied in the way people work within an organisation. It is about the accepted ways of being and doing with regards to risk and risk management.

Risk culture involves how people recognise and respond to risk and how risk is considered in making decisions.

4.4.2 Why is risk management culture important?

Culture is intrinsic to risk management. The accepted behaviour or norms around ‘maximising potential opportunities whilst managing adverse effects’ determine how embedded risk management is in your organisation. Hence, to have an effective risk management process or framework in place means having an appropriate culture that works for your organisation. If risk management is not working, a change in culture may be necessary.

The appropriate risk management culture would vary depending on the unique context of your organisation. To determine this, a starting point is to understand the key drivers of culture.

4.4.3 Drivers of culture

There are various drivers within an organisation that shape culture. These drivers influence how well embedded risk management is throughout the organisation.

Cultural Drivers and the Risk Management Culture they support:

Mission, Vision, Values, Purpose: The mission, vision and purpose promote a risk culture. Risks are managed on a day to day basis as part of applying the values of the organisation.

Systems and Processes: The management systems and processes enable effective and efficient risk management. The process for managing risk is integrated with day to day processes.

Structure: There is a risk organisational structure to enhance accountability and delegation. The structure enables risk-based decision making without bureaucracy, making jobs easier and delivering better outcomes.

Leadership: Leadership skills and attributes around risk management are fostered, rewarded and implemented across the business. Poor behaviours or practices around risk management are not tolerated by leaders.

Job Design and Role Definition: Jobs are designed to reflect risk management and risk policies. Job definitions include performance expectations around risk management. Accountabilities with regards to risk and risk management are clearly articulated.

Desired vs. Actual Behaviours: There is a clearly articulated consensus around desired behaviours across the business. These are modelled by leaders and people are responsive to these desired behaviours.

The following client example illustrates the benefit of involving stakeholders in defining a risk management solution that reflects the needs of the organisation:

Client Comment:

During 2007-8, the VMIA was involved in co-funding two projects with the Metropolitan Fire and Emergency Services Board (MFESB) to improve its risk management processes. The process of involving managers in the testing and redesign of risk management components has led to their engagement in maintaining the profile of risk management at the MFESB, and further enhanced internal knowledge and understanding about risk.

…MFESB Risk Projects Co-funded by VMIA

4.4.4 Embedding desired risk management culture

Embedding your desired risk management culture is a change journey. Managing change means shifting the organisation from where it is (current state) to where it wants to be (future state).

Fundamentally this involves three key steps:

i) Determine desired risk culture

ii) Assess gaps in current culture

iii) Implement interventions to close the gap

[Figure: the three steps, shown with the cultural drivers (Visions, Mission, Values and Purpose; Job design and role definition; Structure; Leadership; Desired vs. Actual Behaviours; Systems and Processes) and the intervention areas (Culture Change Leadership; Communication & Engagement; Learning and Development; Organisational Alignment; Performance Management)]

4.4.4.1 Clearly define where your organisation wants to be in terms of risk management culture

Define the level of involvement in risk management that you would like the whole organisation to have. Identify and articulate the desired behaviours around risk management. This includes tolerance for risk, how people respond to risks and risk events and the general awareness around risk and risk management.

The desired culture would continue to evolve, as it would depend on the level of maturity that is acceptable to your organisation within a given period of time. Tools that could help you define the desired culture are benchmarking, surveys, workshops with senior management and independent risk framework assessment. Often, the definition process would be a top-down approach, followed by consultation down the line to engage buy-in (i.e. staff briefings, roundtable discussions, forums).

4.4.4.2 Assess what your organisation’s current risk culture is

The current risk culture is an outcome of collective behaviour driven by existing norms around risk management. Determining your organisation’s current culture and identifying the key drivers will be useful in identifying the appropriate interventions to achieve the desired risk culture.

The most commonly used tools for assessing current culture are interviews, focus-group discussions and surveys. When conducting the assessment, it will be useful to get input from a sample of participants or respondents across the different parts of the organisation, and across different levels.

4.4.4.3 Determine what cultural and behavioural interventions are useful to help close the gap

Determining the cultural and behavioural interventions will help you close the gap between where you currently are and where you want to be in your risk culture. The assessment provides a useful starting point in prioritising and developing your options for culture change.

4.5 Checklist – Implementing a risk management framework

The following checklist provides a number of questions relating to the implementation of your organisation’s risk management framework. Considering the answers to these questions will help you check your progress in implementing a robust and flexible risk management framework.

The checklist distinguishes between those elements essential to ensure an effective risk framework, and those typically associated with relatively mature or sophisticated frameworks often found in large organisations.

Toolkit reference:

Appendix : Risk management checklist

Implementing a risk management framework

# | Section | Requirement | Essential (E)/Advanced (A) | In place (Yes/No)

1 | Communicate and consult | Is risk management or awareness training provided to all staff? | E |
2 | Communicate and consult | Does the Risk Manager (or equivalent) have access to the CEO, Board and Audit/Risk Committee when required? | E |
3 | Communicate and consult | Do your staff know that they have a right and responsibility to assist in risk identification and escalation? | E |
4 | Communicate and consult | Do staff know who to report/escalate risks to? | E |

Toolkit Reference:

Appendix G: Communication and consultation plan – template

Appendix H: Risk training slides

5 | Communicate and consult | Do managers or supervisors know that they are responsible for managing risk in their area/s of responsibility? | E |
6 | Communicate and consult | Have the Executive and the Board provided guidance on what information they would like to see in risk reports? | E |
7 | Communicate and consult | Is there agreement on when and how often risk reports will be produced? | E |
8 | Communicate and consult | Have the recipients of risk reports been identified and agreed? | E |
9 | Communicate and consult | Can different risk reports be produced to meet the different needs of stakeholder groups? | A |
10 | Communicate and consult | Has responsibility for managing/treating specific risks been assigned and communicated to those responsible? | E |
11 | Communicate and consult | Are staff encouraged or incentivised to report risk or suggest risk reduction strategies? | A |
12 | Risk assessment | Has a risk-brainstorming workshop (or workshops) been conducted? | E |
13 | Risk assessment | Have you considered the history of events and incidents in your organisation during the risk assessment process? | A |
14 | Risk assessment | Has research been performed to understand common risks in the industry? | A |
15 | Risk assessment | Have the Executive and Board considered risks relating to the achievement of key organisational goals and objectives? | A |
16 | Risk assessment | Are risks identified during compliance reviews/audits always added to the risk register? | E |
17 | Risk assessment | Have existing controls for risks been identified during the risk assessment process? | E |
18 | Risk assessment | Has the perceived effectiveness of controls been assessed by a person who understands the risk and the controls in place? | E |
19 | Treat risks | Does the risk register record the job title of the person responsible for overseeing the risk treatment and monitoring process (the 'risk owner' or 'risk champion')? | E |
20 | Treat risks | Have you identified possible actions/treatment plans that could help to reduce the risk level? | E |
21 | Treat risks | Have the benefits of a treatment approach been compared to the potential cost of the risk to determine the appropriateness of the treatment strategy? | A |
22 | Treat risks | Have risk treatment or action plans been documented and approved for important risks? | E |
23 | Treat risks | Have due dates/completion dates been agreed for risk treatment actions and plans? | E |
24 | Treat risks | Is there a clear understanding of who will oversee the risk treatment selection and execution process? | E |
25 | Treat risks | Have Key Risk Indicators been defined and agreed for key risks/risk areas? | A |
26 | Treat risks | Are valuable physical assets appropriately insured? | E |
27 | Treat risks | Is a Business Continuity Plan in place for critical organisational functions/processes? | A |
28 | Risk assessment | Has the risk register been updated in the last year? | E |
29 | Risk assessment | Is the risk register updated throughout the year to reflect changes in risk and emerging risks? | A |

5 Monitoring and enhancing the risk management framework

The ongoing relevance and usefulness of a risk management framework is largely informed by the extent to which it is continually improved. It is therefore essential for all departments and agencies to monitor, review and enhance the effectiveness of their risk management framework. By ensuring that a risk management framework remains fit for purpose and is customised to meet changing organisational circumstances and new leading practices, organisations will obtain significant value from risk management.

Figure: roadmap of this guide – Developing a Risk Management Framework; Implementing a Risk Management Framework; Monitoring and Enhancing a Risk Management Framework. Topics shown: Overview – Risk Management Framework; Overview of a Risk Management Process; Monitoring and Reviewing a Risk Mgt Framework; Key Considerations When Designing a Framework; Risk Management Process; Attestation Process; Documenting a Framework; Risk and Risk Management Reporting; Continuous Improvement; Risk Management Governance; Developing Desired Risk Management Culture; Risk Management Information Systems.

5.1 Monitoring and reviewing a risk management framework

5.1.1 What is it?

Monitoring and reviewing a risk management framework is different to monitoring of risks and their associated controls for effectiveness (as discussed in section 5.2.7). The latter is a sub-set of the former: by obtaining assurance on the effectiveness of the practices in place to manage specific risks, an organisation can be satisfied that at least part of its risk management framework is operating effectively. This review activity would then be coupled with review of additional components of the risk management framework to ensure its overall effectiveness.

5.1.2 Why do it?

Monitoring and reviewing the risk management framework is aimed at ensuring that appropriate framework enhancements are occurring when and as needed. It is important to gain assurance as to the effectiveness and efficiency of the risk management framework, because it provides the structure within which all risks are managed.

5.1.3 How to monitor and review your risk management framework

When monitoring and reviewing the framework, particular attention should be paid to whether the framework has been appropriately customised and is operating in a manner that illustrates that:

- risks are being effectively identified and appropriately analysed
- this leads to adequate and appropriate risk management and controls
- there is effective monitoring and review by management and executives to detect changes in risks and controls.

There are several approaches available to assist Departments and Agencies in effectively monitoring and reviewing their frameworks, including reviewing the framework against:

i) Risk management process components;

ii) Risk management principles; and/or

iii) A risk management maturity model (Appendix N: VAGO Good Practice Guide).

The factors to consider when choosing the appropriate approach include:

- the maturity level of the risk management, as determined through any previous maturity assessments
- the number of planned risk management improvement initiatives currently being undertaken / recently having been undertaken
- findings from previous risk management framework reviews
- the size and complexity of the organisation
- the number of major risks that have eventuated in that year
- whether the organisation has entered into providing any new services/products
- whether there have been significant organisational changes
- the management of inter-agency risk
- the use of implementation partners.

For example, a medium sized organisation that has previously been assessed as having mature risk management but which had numerous major risks eventuate in the last year would most likely undertake more rigorous monitoring and review of its risk management framework. The fact that the organisation rated well in a previous maturity assessment does not outweigh the fact that the organisation had many risks eventuate, as this would normally indicate some form of failure in its risk management practices.

Also, it should be noted that you may choose to use a combination of approaches at different times or alternate the approach used from year to year. For example, it may be appropriate to conduct an annual review of the framework against the process components; however, on a three yearly basis, it may be useful to conduct a risk management maturity assessment, particularly if over that period a number of risk management improvement initiatives have occurred.

Further detail is provided below on the different approaches that an organisation may use to monitor and review its risk management framework, including examples of how these approaches could be practically implemented.

5.1.3.1 The role of Internal Audit in the risk management process

The Institute of Internal Auditors’ Professional Practices Framework defines Internal Audit as an independent, objective assurance and consulting function designed to add value and improve an organisation’s operations and accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Internal Audit services can be provided either by suitably qualified members of the organisation, or outsourced to a third party professional services or auditing firm. Internal Audit has an important role to play in monitoring and evaluating the effectiveness of an organisation’s risk management processes. The following tables describe the core roles of Internal Audit in the risk management process, as well as those activities and roles that Internal Audit should not fulfil, or should only fulfil when adequate controls are in place to ensure that conflicts of interest do not arise and the independence of the Internal Audit function is not compromised.

CORE ROLES

- Giving assurance on: control systems effectiveness; risk management processes; that risks are correctly evaluated
- Evaluating: risk management processes; reporting of material risks
- Reviewing the management of material risks

The following safeguards should be considered when involving Internal Audit in the activities described in the table below:

- segregation of duties
- membership of the Institute of Internal Auditors, which requires that strict professional standards and ethical behaviours are adhered to
- appropriate Audit and Risk Management qualifications such as CIA (Internal Audit), CISA (IT Audit) and CRM (Risk Management)
- appropriate skill levels and knowledge of the organisation
- board review and approval of risk management outcomes.

WITH SAFEGUARDS

- Operating the ERM framework
- Holistic reporting on risk
- Facilitating: advice on risk identification and evaluation; risk workshops; management risk response
- Developing the Risk Management Strategy for Board approval
- Central co-ordination point for ERM
- Risk monitoring across the business
- Championing establishment of ERM

DO NOT

The following activities should never be performed by an organisation’s Internal Auditor/s:

- Take decisions on risk response
- Take accountability for risks and controls
- Impose risk management processes
- Set risk appetite
- Manage risks on behalf of management

Source: Standards Australia HB158-2006: Delivering assurance based on AS/NZS 4360:2004 Risk Management

5.1.3.2 Risk management process components

The Standard provides non-prescriptive guidance on how to conduct an effective risk management process. The process contained therein, described in the preceding section of these guidelines, identifies seven risk management process elements. It is important to note that this form of review concerns the risk management process rather than the entire risk management framework; however, the process will depict a large extent of risk management effectiveness within an organisation. Process effectiveness is then looked at in conjunction with the extent to which the right capability exists and the right behaviours are being exhibited, to determine overall framework effectiveness.

One available approach for monitoring and reviewing a risk management framework is to review the organisation’s process against the seven steps set out in the Standard. Set out below is further detail on conducting this type of review.

Element 1: Communication and consultation

Element 1 is defined in the guide as meaning - Communicating and consulting with internal and external stakeholders as appropriate at each stage of the risk management process and concerning the process as a whole.

The questions which Handbook 158 (the handbook supporting implementation of AS/NZS 4360:2004) provides to assist in examining the effectiveness and appropriateness of communication are:

- Have all key stakeholders been consulted and involved as appropriate?
- Have stakeholders’ perceptions of risk been addressed?
- Where necessary, has a communication plan been developed?
- Is there ownership of risks and controls by members of the organisation?

Typical Documentation:

- Stakeholder management plan (either dedicated to risk management or containing a risk management element)
- Communications plan (either dedicated to risk management or containing a risk management element)
- Communications that have been provided to internal and/or external stakeholders, for example, the risk management component of an Annual Report or internal newsletters or bulletins containing risk management discussion
- Outcomes of communication and consultation evaluation exercises.

When examining this documentation consider whether:

- Account is taken of the fact that different stakeholders should be communicated and consulted with using different media and channels.
- Different stakeholders are being communicated different messages depending on their needed involvement in the risk management process.
- The timing of communications and consultation is appropriate; for example, it may not be appropriate to provide ‘general’ external stakeholders with quarterly risk management updates, however this may be required when communicating or consulting with suppliers who are delivering critical outputs on your behalf.
- The right mix of communication and consultation occurred, that is, if input from a stakeholder was crucial to the organisation’s ability to make a certain decision, did consultation rather than communication occur with that stakeholder?
- Stakeholders, both internal and external, exhibited a greater understanding and awareness of risk management as a result of the communication and consultation that occurred. This may be evidenced by increased participation in risk assessment exercises, increased contribution to risk reporting and/or through the outcomes of surveys.

Element 2: Establishing the context

Element 2 is defined in these guidelines as meaning - Establishing the external, internal, and risk management context in which the rest of the process will take place. Criteria against which risk will be assessed should be established and the structure of the analysis defined.

When commencing risk assessment, is there a process to obtain a clear understanding of the organisation’s:

- External context (including the relationship between the organisation and its environment, and the organisation’s strengths, weaknesses, opportunities and threats)?
- Internal context (including the organisation’s capabilities, goals and objectives and the strategies that are in place to achieve them)?
- Risk management context (including the goals, objectives, strategies, scope and parameters of the risk management process, or the part of the organisation to which the risk management process is being applied); and
- Criteria for deciding when risk is tolerable or not?

Typical Documentation:

- Risk assessment presentations
- Risk assessment criteria including consequence, likelihood and overall risk levels
- Risk registers
- SWOT analysis outcomes.

When examining this documentation consider whether:

- The risk assessment process involved examining risks to achieving the organisation’s / area’s / project’s objectives
- Identified risks were clearly linked back to the relevant objectives
- Consequence and likelihood criteria, and overall risk levels, are clearly established and, where appropriate, consistent across the organisation
- The right people were involved in establishing the organisation’s consequence and likelihood criteria, and overall risk levels
- There was some form of review, and where appropriate update, of the risk management framework to reflect any changes that have occurred in the organisation’s internal or external environment. For example, if new business units were established, these business units should now have a current risk register.

Element 3: Risk identification

Element 3 is defined in these guidelines as meaning - Identifying where, when, why, and how events could prevent, degrade, delay, or enhance the achievement of organisational objectives.

Questions to assist in examining the effectiveness and appropriateness of risk identification are:

- Is risk identification an integral part of planning, including strategic, operational and project plan development, by linking the process to objective setting?
- Is it an integral part of change management processes?
- Does the organisation have ongoing, comprehensive and systematic processes for identifying risks?
- Is there a range of risk identification processes available (a tool kit) together with skilled practitioners for each process? (It is common for organisations to provide guidance on the approach and the level of rigour required. The effort required is usually related to risk severity levels.)
- Are the staff involved in risk identification knowledgeable about the processes or activity being reviewed and about the risks that must be managed as a part of that activity?
- Is risk identification normally a participative process that involves appropriate stakeholders?
- Are identified risks allocated to named individuals or positions (risk owners)?

Typical Documentation:

- Strategic and business planning day agendas and presentations
- Strategic and business plans
- Project business cases and implementation plans
- Risk registers
- Lists of participants in risk assessment exercises.

When examining this documentation consider whether:

- Risks are identified, or the need for risk management is considered, during the strategic and business planning process
- Strategic and business plans clearly identify the key risks to delivery of the objectives contained therein
- Risk identification occurs at numerous levels within the organisation, that is, at strategic, operational and project levels
- Identified risks cover all categories or types of risk to which the organisation is exposed
- The right mix of people were involved in the risk assessment process. For example, were all Executives involved in identifying the organisation’s strategic risks, and were the heads of business units involved in the process of identifying the risks for their business units
- The risk register clearly identifies individuals or positions, and not groups of people, who own risks.

Element 4: Risk analysis

Element 4 is defined in these guidelines as meaning - Identifying and evaluating existing controls, and determining consequences and the likelihood and hence the level of risk. This analysis should consider the range of potential consequences and how these could occur.

Questions to assist in examining the effectiveness and appropriateness of risk analysis are:

- Are the existing management and technical systems and procedures that are used to control risks identified and assessed for effectiveness as part of risk analysis?
- Are the most critical and important controls identified, and are they allocated to specific positions or named individuals?
- Is there a coherent process for the analysis of risk that measures both consequences and corresponding likelihood?
- Is there appropriate analysis of the nature and extent of consequences?
- Is there a robust means of assessing risk control effectiveness?
- Is the rigour of the risk analysis always in keeping with the context, the risk criteria, the level of uncertainty in the analysis and the needs of decision makers?

Typical Documentation:

- Strategic and business planning day agendas and presentations
- Risk registers
- Root cause analysis outcomes
- Audit reports
- Control self-assessment outcomes.

When examining this documentation consider whether:

- Risk analysis involves identifying and considering the effectiveness of current controls, and determining the range of consequences that could result if the risk were to occur and the likelihood of the risk occurring
- Control effectiveness assessments are supported by information other than management’s initial perceptions
- Reliable and appropriate information is used to predict the likelihood and consequences of risks occurring, for example, information on past events and available industry data
- The right people are involved in risk analysis to ensure that supported ratings are provided; for example, if there is a specific IT risk, involve the CIO and their relevant support staff in analysing that risk
- All risks are analysed using approved, and where appropriate consistent, risk assessment criteria (Likelihood, Consequence etc.).

Element 5: Risk evaluation

Element 5 is defined in these guidelines as meaning – Comparing estimated level of risk against the pre-established criteria and considering the balance between potential benefits and adverse outcomes. This enables decisions to be made about the extent and nature of treatments required and about priorities.

Questions to assist in examining the effectiveness and appropriateness of risk evaluation are:

Are risks evaluated and prioritised for attention using a consistent process?

Does the organisation have treatment plans for the higher priority risks, taking account of benefits and costs?

Typical Documentation:

- Risk registers
- Evidence of discussion and approval of risks both within and beyond the organisation’s risk tolerance.

When examining this documentation consider whether:

- There are overall risk levels given to identified risks
- There is a priority order given to identified risks
- There are pre-defined actions required for certain risk levels
- There is a process in place for accepting risks that are beyond the organisation’s risk tolerance where there are no further viable treatment options available.

Element 6: Risk treatment

Element 6 is defined in these guidelines as meaning - Developing and implementing specific cost-effective strategies and action plans for increasing potential benefits and reducing potential costs.

Questions to assist in examining the effectiveness and appropriateness of risk treatment are:

- Is there a risk treatment plan (leading to controls) in place for each risk that is judged not to be tolerable?
- Do risk treatment plans include the consideration of resources and timing?
- Are performance objectives set during the design and development of controls?

Typical Documentation:

- Risk registers
- Risk treatment plans (if these are documented separately to the risk register)
- Budgeting documentation.

When examining this documentation consider whether:

- Risk treatments have the resources required to deliver upon those treatments identified, and whether these resource requirements have been incorporated into the relevant budgets, particularly where significant resources are required
- Risk treatments have responsible persons and implementation timings identified
- Different risk treatment options have been considered for risks
- Treatments chosen reflect the organisation’s risk tolerance
- All treatment plans have been approved by someone with the requisite authority to do so.

Element 7: Monitor and review

Element 7 is defined in these guidelines as meaning - It is necessary to monitor the effectiveness of all steps of the risk management process and the overall risk management framework. This is important for continuous improvement and change management. Risks and the effectiveness of controls and risk treatments need to be monitored to ensure changing circumstances do not alter priorities.

Questions to assist in examining the effectiveness and appropriateness of monitoring and reviewing risk are:

- Is there regular review and monitoring of:
  – The risk management process?
  – The risks and opportunities the organisation faces, and their priorities for treatment?
  – The implementation and effectiveness of risk treatment plans (controls, strategies)?
  – Whether the organisation’s risk management processes have been applied systematically to objectives at the corporate, business unit and project levels?
- Are independence requirements recognised where 3rd party assurance providers are also responsible for the implementation of the risk management process?

Typical Documentation:

- Risk reports
- Minutes of meetings to which risk reports are provided
- Reports documenting the results of effectiveness reviews, for example, Internal Audit Reports.

When examining this documentation consider whether:

- Risk reporting is provided to all relevant stakeholders and is tailored to meet the relevant stakeholder group’s requirements
- An appropriate level of independent review is occurring in respect of risk management
- There is a well thought through process for determining where and when risk assurance activities are occurring
- All aspects of risk management are being covered by some form of monitoring and review activity
- Evidence exists of updates to risk registers as a result of review findings.

5.1.4 Risk management principles

Another available approach to reviewing the effectiveness of a risk management framework is to do so in relation to established risk management principles. The following sections provide guidance on the factors to consider when conducting such a review, with the aim of reducing what could otherwise be quite a subjective assessment.

The risk management principles identified in the Standard are:

1. Risk management creates and protects value
2. Risk management is an integral part of all organisational processes
3. Risk management is part of decision making
4. Risk management explicitly addresses uncertainty
5. Risk management is systematic, structured and timely
6. Risk management is based on the best available information
7. Risk management is tailored
8. Risk management takes human and cultural factors into account
9. Risk management is transparent and inclusive
10. Risk management is dynamic, iterative and responsive to change
11. Risk management facilitates continual improvement of the organisation

Principle 1: Risk management creates and protects value

AS/NZS 31000 provides the following further information on this principle:

Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.

For an organisation to demonstrate that its risk management is creating and protecting value, it is important to have defined indicators in place to measure the value being derived. Some examples of the ways in which an organisation may measure value include:

- reductions in risk level/s, as supported by clear and relevant key risk indicators
- achieving objectives, as set out in strategic and business plans, and as demonstrated by meeting clear key performance indicators
- delivering projects on time, within budget and to the requisite quality
- preventing negative outcomes or unnecessary expenditure or costs.

It is recognised that not all of an organisation’s success may be attributed to risk management; however, the fact that no catastrophic or severely damaging delivery issues have occurred means, by inference, that there has been effective risk management. The use of quantifiable indicators helps to support a more robust process for measuring value.

Principle 2: Risk management is an integral part of all organisational processes

AS/NZS 31000 provides the following further information on this principle:

Risk management is not a stand-alone activity that is separate from the main activities and processes of the organisation. Risk management is part of the responsibilities of management and an integral part of all organisational processes, including strategic planning and all project and change management processes.

One of the ways in which an organisation may measure the extent to which risk management is integrated within its organisational processes is by determining whether risk management is considered as part of:

- Strategic planning
- Business planning
- Budgeting
- Performance planning and management
- Project management.

If risk management forms a part of the above-listed processes and is seen to be consistently and correctly applied in those processes, an organisation should be able to confidently say that it practices integrated risk management.

Principle 3: Risk management is part of decision making

AS/NZS 31000 provides the following further information on this principle:

Risk management helps decision makers make more informed choices, prioritise actions and distinguish among alternative courses of action.

The value to be derived from risk management is diminished if risk information is not used for decision-making purposes. Risk information provides significant insight into whether an activity should be undertaken by an organisation, or if so, the extent of risk reduction resources needed to manage the risks associated with delivering that activity. Therefore, it is essential that risk information forms an input into decision-making rather than act as a separate stand-alone activity.

Some of the factors to be considered when determining whether risk management is a part of decision-making are:

Have any business strategies or activities been avoided because of the associated risks?

Have budget changes occurred in order to appropriately manage risks associated with strategies that the organisation has chosen to undertake?

Have any project business cases been rejected on the basis of the risks that may be created by undertaking the project?

If ‘yes’ has been answered to any of the above questions, or if you can show evidence of why ‘no’ was always answered from a risk perspective (that is, because the risks were too low to cause any changes in business practices), then it could be said that risk management forms part of the decision making of the organisation.

Principle 4: Risk management explicitly addresses uncertainty

AS/NZS 31000 provides the following further information on this principle:

Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.

This is a difficult principle to measure; however, it may be possible to measure whether this principle is being followed, by determining whether any foreseeable risks have eventuated, which were not captured in the organisation’s risk register.

Considering that risk management occurs in order to manage uncertainty, it is important that when the risk management process occurs, risks outside of the “norm” are considered. If risks have occurred that were foreseeable on the basis that there was uncertainty in some form of the internal or external risk environment, these should have been identified as part of the assessment process. If they were not, then there is a gap in the effectiveness of the process.

Principle 5: Risk management is systematic, structured and timely

AS/NZS 31000 provides the following further information on this principle:

A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.

Some of the questions that an organisation may ask in order to determine whether it uses a systematic and structured risk management process are:

Are there more than one set of consequence, likelihood and overall risk level criteria used across the organisation?

Are risks reported throughout the organisation in a manner that can be combined to provide one meaningful and consistent reporting format at Board level?

Are there any independent reviews of the risk ratings or control effectiveness ratings provided by management, for example, by Internal Audit?

Are there regular risk reviews conducted (e.g. monthly) by individuals who understand the risk and control environment?

If ‘yes’ was answered to all of the above-listed questions then it is likely that the organisation has a fairly consistent, comparable and reliable risk management approach.

Principle 6: Risk management is based on the best available information

AS/NZS 31000 provides the following further information on this principle:

The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgment. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.

It is important to learn from both past experience and the experience of others when considering the risks to which an organisation may be exposed and the best available strategies available for treating those identified risks. As is indicated below, sources of information such as audit and incident reports, the outcomes of previous risk assessment exercises, and expert opinions, are all important inputs into the risk management process, as is the experience of individuals.

This principle can be demonstrated by ensuring that the right inputs and participants are involved in the risk management process. An example of where this principle may not be met is when only one person has been given a responsibility for compiling or updating a risk register as this may result in a more subjective and influenced outcome.

Principle 7: Risk management is tailored

AS/NZS 31000 provides the following further information on this principle:

Risk management is aligned with the organisation’s external and internal context and risk profile.

Some of the ways in which an organisation can demonstrate that it practises tailored risk management are if it has:

Risk categories that reflect its organisational context, for example, a healthcare organisation is likely to have a risk category around ‘patient safety’ as compared to a Department which may have a risk category around its ‘policy development’ role;

Likelihood, consequence and overall risk level criteria that reflect its risk appetite and tolerance, that is, which are not merely the same as those provided as examples in the AS/NZS 4360 Risk Management Standard; and

Risk reporting that takes account of existing reporting structures rather than “re-inventing the wheel” for risk reporting.

There are also many other ways an organisation could demonstrate that it practises tailored risk management; however, these will be highly dependent on the nature and size and complexity of the organisation. When considering whether an organisation does practise tailored risk management, look to see whether the organisation’s risk management approach is solely a “cut and paste” from a standard or whether the approach being used is tailored to the organisation’s objectives, structures and existing processes.

Principle 8: Risk management takes human and cultural factors into account

AS/NZS 31000 provides the following further information on this principle:

Risk management recognises the capabilities, perceptions, and intentions of internal and external people that can facilitate or hinder achievement of the organisation’s objectives.

Stakeholder management and communication is an important part of achieving effective risk management. Managing people’s risk management perceptions and generating a willingness of people to input into the risk assessment process are essential to its success. Therefore, when reviewing the risk management framework’s effectiveness, attention should be paid to whether:

there is adequate participation in the risk assessment, that is, a cross section of executives, management and staff who have knowledge about a risk area, so as to reduce the subjectivity of assessment outcomes

input has been gained from external stakeholders who may have an informed view as to some of the risks faced by the organisation, or may themselves form a source of risk

communication of risk assessment outcomes has occurred in an appropriate manner, for example, the Annual Report includes the attestation (as described in further detail below) and articulates the organisation’s approach to risk management

approval is sought for key risk management documents including the organisation’s risk register by groups that have the requisite authority to approve such documents and who have authority to direct the right amount of resources to risk management activity.

Principle 9: Risk management is transparent and inclusive

AS/NZS 31000 provides the following further information on this principle:

Appropriate and timely involvement and inclusion of stakeholders and, in particular, decision makers at all levels of the organisation ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.

Evidence of this principle is determined in a similar way to the principle outlined directly above. The other essential component to this principle is that there is sufficient risk reporting and escalation to support effective risk governance and management throughout the organisation. It is important that the Secretariat / Board receive risk reporting on more than an annual basis and that the organisation’s key strategic risks are communicated to the lowest organisational levels.

For risk management to be truly effective, all people throughout the organisation should understand how their individual actions contribute to achievement of the organisation’s key objectives. The governing body should be well aware of its risk exposure. Hence the importance of risk reporting and escalation throughout the entire organisation.

Principle 10: Risk management is dynamic, iterative, and responsive to change

AS/NZS 31000 provides the following further information on this principle:

Risk management continually senses and responds to change. As internal and external events occur, context and knowledge change, monitoring and review of risks takes place, new risks emerge, some change, and others disappear.

As an organisation’s environment will change regularly, so will its risk environment. The risks that an organisation is exposed to and the appropriate treatment strategies can change quickly.

Therefore, it is important that an organisation has a robust process for monitoring its risk environment and updating its risk register as and when it is required. For example, if an organisation was only undertaking an annual risk review process and between reviews, no risk or control updates were occurring, this principle may not be met for some organisations; however, whether this inaction resulted in not meeting this principle would still be dependent upon the size and nature of the organisation and the type of risk environment in which it operates.

Principle 11: Risk management facilitates continual improvement of the organisation

AS/NZS 31000 provides the following further information on this principle:

Organisations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organisation.

For an organisation to demonstrate continuous risk management improvement and enhancement, it would need to show that at least annually it is reviewing and updating its risk management framework as required, including but not limited to, documentation such as:

risk management policy

risk management procedure

risk appetite and tolerance documentation

risk reporting formats.

These changes could be identified by:

internal stakeholders who have ideas for process improvements

independent review parties

risk management thought leadership that indicates changes in leading risk management practices.

Toolkit reference:

Appendix: 31000 Principles – 20 Questions to Ask

5.1.4.1 A risk management maturity model

Using a risk management maturity model against which to assess a risk management framework is another available approach to reviewing its effectiveness.

A risk management maturity model should measure the technical design of an organisation’s risk management framework coupled with the extent that the framework is understood and applied consistently, that is, the extent to which risk management behaviours and capabilities are exhibited. It is important to concentrate not only upon whether the “right documents” exist but also to consult a cross section of the organisation to determine whether these documents and the processes contained therein are practised in reality.

A risk management maturity model should allow a framework to be assessed on both design and behavioural aspects in relation to:

governance and oversight including risk management reporting and communication

integration of risk management with other business processes

the existence and use of a risk management strategy, policy and processes.

When assessing the framework it is important to consider whether the following risk management attributes, as contained in the Risk Standard, are evident:

1. An emphasis on continual improvement in risk management through the setting of organisational performance goals, measurement, review and the subsequent modification of processes, systems, resources, capability and skills

2. Comprehensive, fully defined and fully accepted accountability for risks, risk controls and risk treatment tasks

3. All decision making within the organisation, whatever the level of importance and significance, involves the explicit consideration of risks and the application of risk management to some appropriate degree

4. Continual communications with and highly visible, comprehensive and frequent internal and external reporting of risk management performance to all stakeholders as part of a governance process

5. Risk management is viewed as central to the organisation's management processes so that risks are considered in terms of effect of uncertainty on objectives.

Further information is provided on each of these five attributes below:

Attribute 1. An emphasis on continual improvement in risk management through the setting of organisational performance goals, measurement, review and the subsequent modification of processes, systems, resources, capability and skills

Indicators: This would be indicated by the existence of explicit performance goals against which the organisation's and individual manager's performance is measured. The organisation's performance could be published and communicated. Normally, there would be at least an annual review of performance and then a revision of processes, systems, and the setting of revised performance objectives for the following period. This risk management performance assessment is an integral part of the overall organisation's performance assessment and measurement system as applied at the business unit and individual level.

Attribute 2. Comprehensive, fully defined and fully accepted accountability for risks, risk controls and risk treatment tasks

Indicators: Designated individuals fully accept accountability, are appropriately skilled and have adequate resources to check risk controls, monitor risks, improve risk controls and communicate effectively about risks and their management to internal and external stakeholders. This would be indicated by all members of an organisation being fully aware of the risks, risk controls and tasks for which they are accountable. Normally this will be recorded in job/position descriptions, database or information system. The definition of risk management roles, accountabilities and responsibilities should be part of all the organisation's introduction programs. The organisation ensures that those who are accountable are equipped to fulfil that role by providing them with the authority, time, resources and skills sufficient to assume their accountabilities.

Attribute 3. All decision making within the organisation, whatever the level of importance and significance, involves the explicit consideration of risks and the application of risk management to some appropriate degree

Indicators: This is indicated through the examination of the records of meetings and decisions to show that explicit discussions on risks took place. Also, it should be possible to see that all elements of risk management are represented within key processes for decision-making in the organisation. For example, for decisions on the allocation of capital, on major projects and on re-structuring and organisational changes. For these reasons, soundly based risk management is seen within the organisation as providing the basis for effective and prudent governance.

Attribute 4. Continual communications with and highly visible, comprehensive and frequent internal and external reporting of risk management performance to all stakeholders as part of a governance process

Indicators: This is indicated by communication with interested parties as being clearly regarded as an integral and essential component of risk management so that communication takes place as part of each part of the risk management process. Communication is rightly seen as a two way process so that properly informed decisions can be made about the level of risks and the need for risk treatment against properly established and comprehensive risk criteria. Highly visible, comprehensive and frequent internal and external reporting of both significant risks to the organisation and of risk management performance contributes substantially to effective governance within the organisation.

Attribute 5. Risk management is viewed as central to the organisation's management processes so that risks are considered in terms of effect of uncertainty on objectives.

Indicators: The organisation's governance structure and process are founded on the management of risk. Effective risk management is regarded by managers as essential for the achievement of the organisation's objectives. This is indicated by managers' language and important written materials in the organisation using the term “uncertainty” in connection with risks. This statement is also normally reflected in the organisation’s statements of policy, particularly that relating to risk management. Normally, this attribute would be verified through interviews with managers and through the evidence of their actions and statements.

Types of activities

When conducting a risk management maturity assessment, it would be expected that the following types of activities would be conducted:

i) Review of risk management documentation

ii) Distribution of a survey (optional or may replace the meeting process)

iii) Conduct of meetings with key internal, and where appropriate external, stakeholders

iv) Preparation of a report outlining findings and proposed recommendations.

Each of these activities is described in further detail below.

i) Review of risk management documentation

The first step towards developing an in-depth understanding of a risk management framework is to undertake a review of current risk management and governance documentation. The types of documents that would typically be reviewed include:

risk management policy

risk management process and strategy documents

risk identification and assessment tools and templates

risk management training program and materials

risk tolerance documentation including likelihood, consequence and overall risk level criteria

risk registers

risk reports.

ii) Distribution of a survey

A survey can be used to determine the current understanding of risk management, both more generally and in the context of the organisation’s established risk management strategy. A survey would typically be used in larger organisations and is a useful tool for ascertaining the level of risk management knowledge and capability at lower organisational levels. A survey would usually ask similar questions to those outlined below under ‘conduct of meetings’.

The use of a survey is optional; however, if it is chosen to be used then it should be distributed prior to the conduct of meetings. This is because the meetings can then be used to confirm and, where necessary, clarify the information provided in the survey.

iii) Conduct of meetings

It is important to promote understanding and support of the risk management process by key individuals within an organisation. Therefore, as part of a maturity assessment it is important to conduct interviews with key executives / managers to gain insight into their current risk management understanding and to ascertain their views as to the effectiveness of the existing risk management framework. Meetings can also be used as an opportunity to obtain information on any improvements they consider would assist in further integrating and embedding risk management within the organisation.

The following questions could be asked during these meetings:

How are risk management practices helping you to manage your risks?

What form of risk reporting do you receive?

How is risk information used by the organisation?

Is there a regular review of existing risks?

Are emerging risks being identified in time to effectively manage them?

How are management held accountable for delivery of risk management responsibilities?

Does the organisation have risk champions or risk specialists within certain areas?

How are good risk management practices recognised and rewarded?

How would you describe the risk culture of the organisation?

What business processes incorporate a risk management component?

How is project risk management incorporated into the organisation’s overall risk management approach?

What training have you received in risk management?

How is risk being managed at the lower levels of the organisation?

How effectively are the aims, objectives and benefits of risk management communicated across the organisation?

How does the organisation determine which risk treatment options can be implemented? Is this done on a cost versus benefit basis?

How does risk management assist in overall business management?

iv) Preparation of a report

It is important to record outcomes of a risk management maturity review/assessment into a formal report so that this information is available for future reference. When presenting assessment outcomes, all findings and supporting information should be included and where gaps are identified, recommendations provided on how these gaps could be closed.

Toolkit reference:

Appendix: VMIA Risk Framework Maturity Model

5.2 Risk management attestation

5.2.1 What is it?

The Victorian Government Risk Management Framework (VGRMF), released in 2007, brings together information on governance policies, accountabilities, and roles and responsibilities for all those involved in risk management across the State.

One of the more significant requirements under the VGRMF is the need for accountable officers (in departments) and the chair of the board (in statutory bodies) to “attest” in their organisation’s Annual Report that:

Risk management processes consistent with the standard (AS/NZS 31000:2009) or equivalent are in place,

An internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures and

The audit committee (for a department) or board (for a statutory authority) verify the assurance made and that the risk profile has been critically reviewed within the last 12 months.

5.2.2 Why do it?

It is recommended that all public sector agencies adopt the VGRMF; however, it is mandated under Standing Direction 4.5.5 of the Minister for Finance ‘Risk Management Compliance’ for those agencies that report in the Annual Financial Report for the State of Victoria. This applies to approximately 300 public bodies. The majority of these are departments and larger public sector agencies.

Attestation is effective for annual reports completed or issued after July 2008.

5.2.3 Roles and responsibilities

Secretaries, chief executive officers, and management of departments and agencies are ultimately responsible for developing and implementing risk management processes and internal control systems, and managing and continuously improving these processes and systems.

The audit committee should take a leading role in the governance and oversight of the department or agency and be actively involved in the monitoring and review of risk management process and control systems.

The accountable officers (in departments) or chair of the board (in statutory bodies) will be required to “attest” in their organisation’s annual report and the audit committee (for a department) or board (for a statutory authority) will be required to verify the assurance made and that the risk profile has been critically reviewed within the last 12 months.

5.2.4 Risk frameworks – the current status

The VMIA (through our Risk Framework Quality Review program) has formed the opinion that the majority of public sector departments and agencies have adopted the Australian Risk Standard and are evolving their risk frameworks and risk maturity levels. These findings are consistent with those noted in the Victorian Auditor General’s report ‘Managing Risk Across the Public Sector: Towards Good Practice’ (2007).

The VMIA recognises that organisational risk frameworks and maturity will vary according to many factors including size, risk appetite and contextual aspects. There is no one size fits all model for risk management, nor is there a singular attestation model. Attestation is relative to risk maturity and a department’s or agency’s attestation should reflect this.

5.2.5 So what is new or different?

The attestation builds upon current directives and legislative requirements. It extends this to mandate use of the Risk Standard and focuses agencies on an organisation wide approach to risk management, both of which are widely understood and adopted throughout the public sector. The most significant change is the requirement to attest in an organisation’s annual report on the effectiveness of a department’s or agency’s risk management framework.

5.2.6 Implementation

The VMIA has developed a number of key principles to guide departments or agencies that underpin the attestation process, some of which include:

Attestation is intended to provide “assurance” or demonstrate “performance”. It should not be merely a compliance or “box-ticking” exercise.

Keep the attestation framework and process as pragmatic and relevant as possible.

The Agency’s maturity, size, complexity and risk appetite needs to be considered, since “attestation is relative to maturity”.

A model, similar to the Australian Stock Exchange’s "if not, why not" reporting style should be used. Thus if the Agency does not attest, you should explain why not and what you are planning to do about improving over the coming year.

It is essential that a department or agency treat the attestation requirement as a formal process. Initially this may require the application of project management principles to ensure the development of an attestation system or framework. Once completed this system should be integrated into risk, compliance and annual reporting processes.

Key stages would include:

Current state assessment/gap analysis against the Risk Standard and organisation wide risk models

Review of current risk and compliance reporting frameworks for compliance/gaps/synergies

Education programs for board, management, auditors, planning, risk management and annual reporting staff about the VGRMF, accountabilities and actions.

Development of attestation policy, process maps and systems

Rollout and embed procedures into core operations

Review, report and refine policies and procedures

5.2.7 The attestation framework

The objective of the VGRMF is to promote sound risk management principles that embed risk management across all-important practices and processes throughout the organisation. Thus attestation is intended to provide “assurance” or demonstrate “performance” that this is being achieved.

It is essential that accountable officer/chair of the board “attestors” and audit committee/board “verifiers” act in accordance with the above and do not treat the attestation process purely as a compliance exercise.

Whilst each entity will have its own tailored attestation framework, all entities will benefit from keeping management and the board fully informed of the range and breadth of risk management processes, and control activities undertaken across the department or agency. In a risk mature organisation this will already be occurring.

A level of assurance will be required to support the attestation that:

The Agency has risk management process in place consistent with the Australian/New Zealand Risk Management Standard (or equivalent designated standard) and

The Agency’s risk profile has been critically reviewed within the last 12 months.

This could be satisfied by:

Evidence of third party reviews of the risk framework (e.g. VMIA RFQR, internal/external audit or risk service providers)

A management self assessment or report on the application of and adherence to the Risk Management Standard

Risk management strategies and business/action plans

Details of management, executive, board risk assessments/workshops conducted over the past year

A key element in support of the overall attestation is assuring “the executive understand, manage and satisfactorily control risk exposures”.

This may be demonstrated through a cascading sign off process linked to an entity’s risk or control register.

(Diagram: cascading sign off comprising Management Sign Off, Executive Sign Off, Secretary/Chairman Attestation and Audit CT/ Board Verification.)

Annual plan/s or calendar/s of risk and assurance activities will be of use. These could include:

the range/frequency of risk and audit reports

dates of formal risk and audit meetings of management and the board

the number/type of audits completed in support of the organisation’s risk framework and key risks

the number/type of risk assessments/workshops conducted across the entity.

The risk and audit plans and calendar would need to be supported by an effective management process, including reporting and follow up of recommendations, action items and risk mitigation plans.

In order to complete the process an entity may include a formal report or submission to the audit committee or the board. If the board or audit committee is fully informed of the risk and assurance program throughout the year, (in a manner described above) a formal report may suffice. If, however, the reporting processes or risk maturity are immature, then it would be likely that an entity will need to demonstrate activities more fully.

Page 164: Risk framework

5.2.7.1 Example attestation statements

set out below: Examples of attestations that could be used are

Examples of Risk Management Attestation

There may however, be reasons that a department or agency may wish to modify the sample attestation wording. Reasons may include the risk maturity of the department or agency, the progress being made towards implementation of a risk framework, incomplete coverage of organisation units, divisions or risk types or the inability to adequately determine the level of “satisfaction” over controls or risk exposure.

Should a department or agency choose to modify the sample attestation wordings, an explanation as to why such modification is required should be made. The VMIA proposes a model similar to the Australian Stock Exchange’s "if not, why not" reporting style. This means that if the department or agency cannot attest, for whatever reason, they should explain why not and what they are planning to do about their risk management framework and process, and control systems over the coming year.

The VMIA would not see this as a negative or non-compliance. On the contrary, this could be seen as providing leadership and direction to improve an entity’s risk framework, in accordance with the intent of the VGRMF.

5.2.8 In summary

Attestation is intended to provide “assurance” or demonstrate “performance”. It should not be merely a compliance exercise. The department or agency’s attestation process and system should be as pragmatic as possible and in line with the department or agency’s risk maturity, size and complexity.

If a department or agency is to attest without variation, it should have a risk management framework in place that embeds risk management across all important practices and processes and embodies sound risk principles throughout the organisation.

5.3 Continuous improvement

Figure: framework overview diagram – Developing a Risk Management Framework; Implementing a Risk Management Framework; Monitoring and Enhancing a Risk Management Framework; Overview – Risk Management Framework; Key Considerations When Designing a Framework; Documenting a Framework; Risk Management Governance; Risk Management Information Systems; Overview of a Risk Management Process; Risk Management Process; Risk and Risk Management Reporting; Developing Desired Risk Management Culture; Monitoring and Reviewing a Risk Mgt Framework; Attestation Process; Continuous Improvement (current section).

5.3.1 What it is

The Risk Standard clearly articulates the continuous improvement loop that supports the ongoing effectiveness of a risk management framework. Set out below is the diagram provided within that Standard to demonstrate this process.

Continuous Improvement Process (ISO31000)


5.3.2 Why do it?

Continuous improvement and change management are essential in ensuring the ongoing relevance and effectiveness of risk management activities within an organisation. To achieve the greatest benefits from continuous improvement, it must span all risk management framework elements, including the process, capability, behaviours, tools and templates and reporting structures, and the practices used to manage actual risks.

5.3.3 How to achieve it?

As is evident in the diagram on the previous page, there is a direct link between the outcomes of monitoring and review activities and the continual improvement of the framework. Continuous improvement is supported and informed by both the monitoring and review of risks and controls (as outlined in the ‘Implementing the Risk Management Framework’ section), and the monitoring and review of the risk management framework.

As the continual improvement of a risk framework includes discrete risk management improvement initiatives, it makes sense that there is a clear link between an organisation’s risk management strategy and the initiatives it wishes to undertake to improve its framework. In Section 3 of this guide, the components of a risk management strategy were outlined, including the need for a plan to be developed for the ‘progressive enhancement of the organisation’s risk management practices and competencies’.

The initiatives that are identified during monitoring and review activities should be prioritised and then included within the risk management strategy and risk plans to ensure that they are appropriately approved and supported in their implementation. Inclusion of these initiatives in the strategy will also increase accountability for their delivery and should drive a need to measure their value once implemented, hence the importance of establishing linkages between the various elements of the process outlined in these guidelines.

By continuously improving its risk management framework, a department or agency should obtain benefits including:

Organisational resilience, by being proactive in managing risks rather than reactive in managing issues

Better governance through regular reporting which strengthens an organisation’s ability to oversee its risks and direct changes in approach where necessary

Increased accountability through well defined risk management responsibilities against which performance is measured

Being able to leverage leading risk management practice in its risk management approach.


5.4 Checklist – Monitoring and reviewing a risk management framework

The following checklist provides a number of questions relating to the risk management monitoring and review processes within your organisation. Considering the answer to these questions will help you check your progress in implementing a robust and flexible risk management framework.

The checklist distinguishes between those elements essential to ensure an effective risk framework, and those typically associated with relatively mature or sophisticated frameworks typically found in large organisations.

Toolkit reference:

Appendix O: Risk management checklist

# | Section | Requirement | Essential (E)/Advanced (A) | In place (Yes/No)

Monitoring and review / enhancement of a risk management framework

1 | Monitor and review | Does your risk process follow the steps described in the Risk Standard? | E |

2 | Monitor and review | Do Internal Audit review risk management processes? | A |

3 | Monitor and review | Is an Internal Audit function/process in place? | E |

4 | Monitor and review | Do your Internal Auditors focus their time and effort on the most critical risks recorded in the risk register? | A |

5 | Monitor and review | Does the organisation track changes in risk levels over time in order to understand trends/changes in risk levels? | A |

6 | Monitor and review | Has the risk policy been reviewed and approved in the last year? | E |

7 | Monitor and review | Has the Board and/or Risk Management Committee (or equivalent) made an attestation in the Annual Report in accordance with the Victorian Government Risk management framework (if applicable)? | E |

8 | Monitor and review | Is the risk process integrated with other organisational planning processes - for example, is risk considered during the strategic planning, budgeting and audit planning processes? | A |

6 Risk management toolkit

6.1 Appendix A: Risk management glossary

6.2 Appendix B: Risk management strategy – template

6.3 Appendix C: Risk management policy – template

6.4 Appendix D: Risk management procedure – template

6.5 Appendix E: Risk rating criteria – template

6.6 Appendix F: Common risk categories for the public sector

6.7 Appendix G: Communication and consultation – plan template

6.8 Appendix H: Risk training slides

6.9 Appendix I: Common example risks

6.10 Appendix J: Risk assessment – template

6.11 Appendix K: Risk management database – MS Access tool

6.12 Appendix L: Risk register – MS Excel template

6.13 Appendix M: Risk management register – worked example

6.14 Appendix N: Risk reporting – MS Word templates

6.15 Appendix O: Risk management checklist

6.16 Appendix P: Risk management information system – checklist

6.17 Appendix Q: VAGO good practice guide