Risk Management Developing & Implementing a Risk Management Framework
March 2010
Disclaimer
This document provides general information, current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to actions being taken on any of the information.
The VMIA disclaims all responsibility and liability arising from anything done or omitted to be done by any party in reliance, whether wholly or partially, on any of the information. Any party that relies on the information does so at its own risk.
Principal Author Victorian Managed Insurance Authority (VMIA)
Version Date: 1 March 2010
Reviewed by: Stephen Owen
Approved by: Steve Marshall
Distribution: VMIA Public Sector clients
Document Owner
Stephen Owen
Manager: Strategic Risk (VMIA)
Contents
1 Foreword  5
2 Introduction  6
2.1 Purpose  6
2.2 How has the guide been developed?  6
2.3 Scope of the guide  7
2.4 Overview of document  8
2.5 Key definitions and terminology  9
2.6 The role of the VMIA  10
2.7 The need for a risk management guide  11
3 Developing a risk management framework  18
3.1 Overview  18
3.2 Key considerations when developing a risk management framework  27
3.3 Documenting a framework  37
3.4 Risk management governance  45
3.5 Risk management information systems  52
3.6 Checklist – Developing a risk management framework  57
4 Implementing a risk management framework  59
4.1 Overview of the risk management process  59
4.2 Implementing a risk management process  68
4.3 Risk and risk management reporting  114
4.4 Developing desired risk management culture  129
4.5 Checklist – Implementing a risk management framework  132
5 Monitoring and enhancing the risk management framework  135
5.1 Monitoring and reviewing a risk management framework  135
5.2 Risk management attestation  159
5.3 Continuous improvement  165
5.4 Checklist – Monitoring and reviewing a risk management framework  167
6 Risk management toolkit  168
6.1 Appendix A: Risk management glossary  168
6.2 Appendix B: Risk management strategy – template  168
6.3 Appendix C: Risk management policy – template  168
6.4 Appendix D: Risk management procedure – template  168
6.5 Appendix E: Risk rating criteria – template  168
6.6 Appendix F: Common risk categories for the public sector  168
6.7 Appendix G: Communication and consultation plan – template  168
6.8 Appendix H: Risk training slides  168
6.9 Appendix I: Common example risks  168
6.10 Appendix J: Risk assessment – template  168
6.11 Appendix K: Risk management database – MS Access tool  168
6.12 Appendix L: Risk register – MS Excel template  168
6.13 Appendix M: Risk management register – worked example  168
6.14 Appendix N: Risk reporting – MS Word templates  169
6.15 Appendix O: Risk management checklist  169
6.16 Appendix P: Risk management information system – checklist  169
6.17 Appendix Q: VAGO good practice guide  169
1 Foreword
Managing risk is an increasingly important facet of public sector governance, and one that supports the achievement of public sector objectives.
In July 2007, the Government issued the Victorian Government Risk Management Framework. The framework provided clarity around risk management roles and responsibilities across the public sector.
Importantly, it also served to engage senior executives in risk management processes through the introduction of an attestation in annual reports of operations. The attestation requires departmental Secretaries and Chief Executive Officers to certify that risk management processes are in place, risks are effectively controlled and managed and that the risk profile of the organisation has been critically reviewed within the last twelve months.
The Guide for developing and implementing your risk management framework has been developed in consultation with department and agency representatives to support the implementation of risk management requirements and enhance the practice of risk management throughout the public sector.
It is anticipated that the guidelines will assist public sector entities to develop an organisation-wide approach and embed a culture of risk management at all levels of the organisation.
This guide is designed to enable individual entities to build upon, and enhance their risk management frameworks, recognising that risk management is a continuous journey of improvement.
Steve Marshall
Chief Executive Officer
Victorian Managed Insurance Authority
GUIDE-DEVELOPING-RISK-FRAMEWORK 5
2 Introduction
2.1 Purpose
The guide aims to provide practical guidance to Victorian Public Sector Departments and Agencies (referred to hereafter as organisations) for developing, implementing and enhancing their risk management frameworks.
The guide aligns with the Australian/New Zealand Standard: Risk management – Principles and guidelines (AS/NZS ISO 31000:2009), which was released on 20 November 2009.
The guide complements the Victorian Government Risk Management Framework and existing legislation, such as the Financial Management Act 1994 and the Victorian Managed Insurance Authority Act 1996, which prescribe risk management requirements within the Victorian Public Sector.
The guide is primarily targeted at risk managers or equivalent and designed to assist them to better embed risk management practices within their respective organisations. The guide may also be used by other stakeholder groups including the board, executive, and employees during the execution of their risk management responsibilities.
The guide has been developed primarily for large organisations; however, the majority of the content is applicable to smaller organisations. Some of the more ‘advanced’ risk management framework attributes may not be feasible or appropriate for smaller organisations.
The guide has been developed to support organisations with varying degrees of risk management maturity, recognising that risk management is a continuous journey. The guide includes a number of examples aimed at illustrating how organisations with less mature risk management practices can incrementally enhance and progress their risk management frameworks.
2.2 How has the guide been developed?
This guide was originally developed in 2008 based on AS/NZS 4360:2004 and the Draft ISO 31000 Risk Standard. This version has been updated to reflect changes to the Risk Standard, notably the adoption of ISO 31000 as the Australian Standard.
The original guide was developed in consultation with a broad range of stakeholders, including entities with responsibility for co-ordinating risk management in the Victorian Public Sector and a range of Victorian departments and selected agencies.
2.3 Scope of the guide
The scope of the Guide is focused primarily on providing generic guidance on the management of organisational-level risk. Some guidance is provided on effective management of state-wide and inter-agency risk.
The principles and practices described in the Guide follow the Australian/New Zealand Standard: Risk management – Principles and guidelines (AS/NZS ISO 31000:2009) and are applicable to all Victorian Public Sector departments and agencies.
Figure: Scope of the guide. Layers shown: Generic Risk Management Guide & Tools; Sector Specific Risk Management Guide/s & Tools; Whole of Government Risk Management Guide. Risk levels shown: organisation-level risks, inter-agency risks, state-wide risks.
2.4 Overview of document
The document is structured into three key sections:
Developing a risk management framework (Section 3)
Implementing the risk management framework (Section 4)
Monitoring and enhancing the risk management framework (Section 5).
Each section provides guidance on specific topics of developing, implementing, and monitoring/enhancing a risk management framework. The guideline document includes references to templates and good practice examples that are included in the toolkit (see Appendices).
Toolkit references are marked as follows:
Toolkit Reference:
Appendix XYZ: Appendix name
Figure: Document structure. Developing a Risk Management Framework (guidelines: risk management overview; core elements of a risk management framework; risk management information systems). Implementing the Risk Management Framework (guidelines: practical application of the AS/NZS ISO 31000 process; risk and risk management reporting; developing and progressing your risk management culture). Monitoring and Enhancing the Risk Management Framework (guidelines: monitoring and reviewing your framework; attestation process). Each of the three parts is supported by the toolkit.
Practical examples and quotes from those involved in risk management processes, illustrating the experiences of Victorian Public Sector organisations, have been included in the guide. These illustrate how organisations have adapted and customised their risk management systems to meet unique organisational and sector requirements.
At the end of each section, a series of questions is put to the reader relating to the topics covered within the section. These questions serve as a guide to check whether your current risk management framework is in line with key risk management principles, processes and outcomes.
2.5 Key definitions and terminology
The risk management ‘glossary’ based on the Risk Standard is appended to this document. However, some more common definitions are noted below:
Risk – Effect of uncertainty on objectives
Risk is often characterized by reference to potential events and consequences, or a combination of these. Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
Risk management – Coordinated activities to direct and control an organisation with regard to risk.
Risk management framework – Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.
Australian/New Zealand Risk Management Standard (AS/NZS ISO 31000:2009) (The Standard) – The Standard is a generic and flexible standard that is not specific to any government or industry sector. The Standard identifies elements or steps in the risk management process that can be applied to a wide range of activities at any stage of implementation (from the Victorian Government Risk Management Framework).
Organisation – The term ‘organisation’ as used within this guide, includes all Victorian Public Sector departments, agencies and entities required to, or expected to implement sound risk management systems. The term organisation includes the individual business units, subsidiaries or affiliate entities that fall under an agency’s direct authority and/or responsibility.
Victorian Government Risk Management Framework (VGRMF) – Guidance document released by the Department of Treasury and Finance in July 2007, developed to support good practice in public sector risk management. Specifically, the framework “provides for minimum common risk management standards for public sector entities and attestation by accountable officers that risk management processes are consistent with that standard in annual reports” (Victorian Government Risk Management Framework).
Toolkit Reference:
Appendix A: Risk management glossary
2.6 The role of the VMIA
Under the Victorian Managed Insurance Authority Act 1996, and as evidenced in the ‘Victorian Government Risk Management Framework’, the Victorian Managed Insurance Authority (VMIA) has a key role to play as a central advisor and source of support for the Victorian State Government in relation to non-financial, insurable and non-insurable risks.
The VMIA provides the following services:
advice to Government on whole-of-government downside and upside risks and to be a conduit of risk and risk management information through advice to the Minister for Finance
development and maintenance of a statewide risk register
ensure clients have a risk management framework in place, identify opportunities for improvement and development of the framework
maintain a centre of excellence in risk management for the Victorian State Government and for public sector entities across Victoria including provision of products and services that enable entities to develop and improve their risk management frameworks
educate clients to increase the knowledge and capability across government in risk management.
The VMIA’s internal structure is based on the delivery of best practice risk management and insurance products and services to our clients. These services will assist in lifting the level of risk management skills and aid the improvement of risk management practice across the public sector.
Due to the VMIA’s role in developing a centre of excellence in risk management for the Victorian State Government, it is well placed to develop organisation wide risk management guidelines for the public sector.
2.7 The need for a risk management guide
The effective management of risks across the Victorian Public Sector (VPS) is critical to ensuring that organisations can deliver on their commitment to the Victorian community. Greater scrutiny over service delivery standards and the expenditure of public funds has required an increased emphasis on the design and implementation of robust risk management practices to enable public agencies to minimise risks in relation to their activities.
A number of factors have contributed to increased focus on risk management among Victorian Public Sector organisations. The key factors are:
Victorian Auditor-General’s Office (VAGO) Risk Management Audits
The Victorian Government Risk Management Framework.
These are described further below.
2.7.1 Victorian Auditor-General’s Office risk management audits
An audit “Managing Risk Across the Public Sector” conducted by the Victorian Auditor-General’s Office (VAGO) in 2003, found that risk management was not yet an established or mature business discipline and that public sector organisations did not rigorously assess risks and evaluate risk controls.
The 2003 audit recommended that the public sector be provided with risk management guidelines, processes and procedures. It also recommended that agencies formally identify, assess and manage risks, and that risk criteria link to government policy and organisational objectives.
It is important to emphasise that the Guide is not intended to duplicate or replace the Risk Management Standard or the companion guidelines to the standard, which are excellent documents, endorsed and supported by the VMIA.
The guide is intended to reinforce the key elements and principles of risk management with pragmatic advice, tips and guidance, tools and enablers to support the advancement of risk management across the Victorian Public Sector.
We recommend those interested in promoting risk management familiarise themselves with the Risk Management Standard and any associated companion guidance documents.
VAGO conducted a follow-up audit in 2007, “Managing risk across the public sector: Toward Good Practice”, to determine whether satisfactory progress had been made by departments and selected agencies in developing appropriate risk management frameworks and in applying risk management principles in their organisation.
The key findings of the audit included:
central agencies have provided guidance on risk management through legislation, ministerial directions, and portfolio guidelines, but these are not comprehensive
departments and agencies have adopted adequate risk management strategies, frameworks and processes that enable them to apply risk management across their organisations
most departments and almost all agencies did not align their risk assessments to their corporate goals
departments and agencies prepared risk reports, most of which did not contain sufficient details to enable a clear understanding of how risks are being managed
all departments and agencies have an audit committee with responsibility to provide oversight of risk management. Almost all of them did not formally endorse the organisation’s risk management framework and risk profile for currency and appropriateness
almost all audited organisations use the standard, but have placed more emphasis on risk assessment (identification, analysis, and evaluation) than on the management of risks (risk treatment, monitoring, review).
VAGO noted in its report that the public sector needs clear guidelines, including minimum standards, about what is expected from them when managing risks. VAGO requested specific guidance on:
The content of policy and risk management frameworks
The roles of the secretary, board and executive management; the risk coordination unit/branch; the audit committee; and internal audit
Applying risk management standards throughout the whole organisation
Linking risk assessments to corporate goals
Developing risk registers and risk profiles
The content of risk reports to executive management and audit committee.
2.7.2 Victorian Government Risk Management Framework (VGRMF)
The Department of Treasury and Finance released the Victorian Government Risk Management Framework (VGRMF). The framework has been developed in consultation with a broad range of stakeholders, including government departments, the State Services Authority and the VMIA.
A key benefit of the framework is that it brings together information on governance policies, accountabilities and roles and responsibilities for all those involved in risk management. It also provides a central resource with links to a wide range of risk management information sources.
Key elements of the framework include the adoption of the Standard across public sector entities, and an attestation by the accountable officer that risk management processes are in place, risks are effectively controlled and managed, and the risk profile of the organisation has been critically reviewed within the last 12 months.
This framework formalises and builds upon existing processes, as part of the Government’s commitment to continuous improvement in public sector governance. The framework also seeks to provide a reference for agencies with regard to the use and application of the standard from an organisation wide perspective.
These requirements are documented in Standing Direction 4.5.5 of the Minister for Finance.
2.7.2.1 Key elements
The framework seeks to strengthen risk management through the key elements noted below:
1. All risk management frameworks and processes must as a minimum requirement, be consistent with the key principles of the Standard, or designated equivalent.
2. An attestation from agency heads in annual reports that:
risk management processes are in place consistent with the Standard
an internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures
the risk profile of the department or agency has been critically reviewed within the last 12 months
a responsible body or audit committee verifies that view.
3. The framework also promotes the need to address interagency and statewide risks when developing and implementing risk management processes.
It is recommended that all public sector agencies adopt the framework as a part of good governance and corporate planning processes. However, application of the framework is required by those agencies that report in the Annual Financial Report (AFR) for the State of Victoria. This represents approximately 300 public bodies. The majority of these agencies are VMIA clients.
2.7.2.2 Interagency and statewide risks
The VGRMF promotes the need to address interagency and statewide risks when developing and implementing risk management processes.
The boundaries between the public and private sectors are becoming more porous requiring a more holistic view of project or service delivery risk. Equally the public sector is operating in an environment of shared accountabilities, which cut across specific agency responsibilities and require a coordinated interagency approach to risk management.
In this context it is important that risks with the potential to impact across agencies or at a whole-of-government level are communicated or escalated through to potentially affected agencies to enable a coordinated, effective and timely approach to risk management.
2.7.2.3 Risk definitions
Whole-of-government or statewide risks are those risks that will affect the Victorian community at large. They may be beyond the boundary of one agency to respond to and require a collective, central agency or whole-of-government response. Risks that impact more than one agency and cannot be managed by one agency or at interagency level, such as the impact of an ageing population or climate change, may require central government coordination of policy initiatives and implementation strategies.
Example: climate change. Climate change will affect the whole community at almost every conceivable level. It requires strong leadership from government in establishing policy parameters and action plans for a coordinated response.
Interagency risks are those risks affecting the operations of one or more departments or agencies and which may impact the service delivery of other departments or agencies.
Agency risks are those risks specific to the operations of a single department or agency.
2.7.2.4 Existing whole-of-government processes for managing risk
Current legislation that defines and assigns risk management responsibilities and accountabilities for monitoring and reporting risk includes the:
Victorian Managed Insurance Authority Act 1996
Financial Management Act 1994
Public Administration Act 2004.
Existing whole-of-government processes for managing risk are aligned with legislative requirements, so that oversight of financial, insurable and non-financial risks is undertaken at the whole-of-government level by the:
Department of Treasury and Finance (DTF)
Department of Premier and Cabinet (DPC)
Victorian Managed Insurance Authority (VMIA).
Department of Treasury and Finance
Whole-of-government economic and financial risk management is supported by the Department of Treasury and Finance in partnership with departments and agencies so that financial matters requiring government decisions are escalated to the Treasurer, the Minister for Finance and/or the Expenditure Review Committee of Cabinet. Committee membership includes the Premier, the Treasurer and the Minister for Finance.
Department of Premier and Cabinet
There are a number of ways in which risks unable to be managed at agency level are currently escalated or reviewed at a whole-of-government level. These include regular monitoring and reporting processes and reports and submissions to Cabinet and Cabinet Committees. The Department of Premier and Cabinet plays a role in this process by providing briefings on submissions and secretariat support to Cabinet committees.
Example: Department A changes the funding conditions attaching to community service organisation funding models which ultimately result in a loss of funding and thus withdrawal of services provided by community service organisations. Withdrawal of services results in a shift in demand and impacts upon service demands placed upon Department B.
The Victorian Managed Insurance Authority
The role of the VMIA includes the provision of strategic and operational risk management advice, tools and training to support increased awareness of the risk exposure at the agency, interagency and whole-of-government level. The VMIA’s risk management functions include:
assist departments and agencies to establish programs for the identification, quantification and management of risk
monitor risk management by departments and agencies
provide risk management advice to the State
provide risk management advice to departments and agencies.
As noted in the Victorian Government Risk Management Framework the VMIA is also charged with developing and maintaining a statewide risk register.
It is widely recognised that the complexity and connectivity of government and the private sector make the management of interagency and statewide risk a significant challenge and one not likely to be achieved through a single systemic solution.
In supporting its risk advisory role to the State the VMIA currently captures risk information in a number of ways, including but not limited to:
risk framework quality review process, which includes identification of the top five agency, interagency and statewide risks
site risk survey process, which examines public liability and property exposures
identifying national and international research
collaboration with interstate peers, industry experts and consultants
participation in national and international forums on risk and insurance
collaboration/participation with departments and agencies involved with risk initiatives and projects
analysis of insurance claims, trends and litigation.
Inter-agency risks – Joined-up government
1.6 That departments and agencies ensure that risk management arrangements are established for all joined-up government initiatives, particularly in the governance arrangements for the initiatives.
Statewide risk management framework
1.8 That DTF, DPC and the VMIA, in consultation with other key stakeholders, develop guidelines for identifying, assessing, managing, escalating and reporting statewide risks.
Departments and agencies are encouraged to actively engage in the processes noted above and support the VMIA in efforts to improve risk management across the state and raise interagency and whole-of-government risks to the attention of government.
In line with good risk management practice, agencies with responsibility for supporting the government in management of risk at a whole-of-government level will continue to investigate and apply systems to improve the coordination of processes for identifying, assessing, managing, escalating and reporting interagency and multi agency risks.
3 Developing a risk management framework
3.1 Overview
A risk management framework aims to assist an organisation to manage its risks effectively through the application of the risk management process at varying levels and within specific contexts of the organisation. Such a framework should ensure that risk information derived from these processes is adequately reported and used as a basis for decision making at all levels.
3.1.1 What is a risk management framework?
A risk management framework is defined by the Australian Standard as:
Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.
The Standard notes that the framework can include the policy, objectives, mandate and commitment to manage risk, together with the organisational arrangements (plans, relationships, accountabilities, resources, processes and activities), and that it should be embedded within the organisation’s overall strategic and operational policies and practices.
Figure: Guide structure map. Developing a Risk Management Framework: overview of a risk management framework; key considerations when designing a framework; documenting a framework; risk management governance; risk management information systems. Implementing a Risk Management Framework: overview of a risk management process; risk management process; risk and risk management reporting; developing desired risk management culture. Monitoring and Enhancing a Risk Management Framework: monitoring and reviewing a risk management framework; attestation process; continuous improvement.
3.1.1.1 Purpose of a risk management framework
The purpose of establishing an organisational risk management framework is to ensure that key risks are effectively identified and responded to in a manner that is appropriate to:
the nature of the risks faced by the organisation
the organisation’s ability to accept and/or manage risk/s
the resources available to manage risks within the organisation
the organisation’s culture.
Ultimately risk needs to be managed so that the organisation maximises its ability to meet its strategic objectives as well as associated operational targets and goals.
3.1.1.2 “Hard” versus “soft” aspects of risk management
For a risk management framework to be effective, there must be an appropriate balance in focus on both the “hard” aspects of risk management (i.e. processes and structures) and the “soft” aspects (i.e. culture and people).
For example, an organisation may have highly sophisticated processes and structures established to manage risks. However, unless these structures and processes are supported by management and staff with the appropriate competencies, attitudes and behaviours, the framework will most likely be ineffective.
The earlier AS/NZS 4360:2004 definition of risk management, the culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects, makes this balance explicit (the AS/NZS ISO 31000:2009 definition is given in Section 2.5). This is illustrated in the following figure.
This guide encapsulates both “hard” and “soft” risk management aspects:
Section 3 (Developing a risk management framework) focuses primarily on designing the hard aspects of a framework (structures and processes)
Section 4 (Implementing a risk management framework) focuses on developing tailored risk management processes in accordance with The Standard and on developing an appropriate risk reporting regime (both from a procedural and structural perspective). Section 5.4, which focuses on the soft aspects of risk management, provides guidance on how organisations can develop and enhance a risk management culture.
Section 5 (Monitoring and enhancing a risk management framework) focuses on review, monitoring and continuous improvement of risk management structures and processes, as well as risk management culture and capabilities.
3.1.2 What are the minimum requirements?
In accordance with the Victorian Government Risk Management Framework, an organisation’s risk management framework and processes must at a minimum be consistent with the key elements of The Standard.
GUIDE-DEVELOPING-RISK-FRAMEWORK 20
The “Soft” and “Hard” aspects of risk management
Culture (people)
Processes
Risk Management: Coordinated activities to direct and control an organisation with regard to risk. (AS/NZS 31000:2009)
Structures
The key elements of the risk management standard are:
Communicate and consult – communicate and consult with internal and external stakeholders as appropriate at each stage of the risk management process and concerning the process as a whole
Establish the context – establish the external, internal, and risk management context in which the rest of the process will take place. Criteria against which risk will be assessed should be established and the structure of the analysis defined
Identify risks – identify where, when, why, and how events could prevent, degrade, delay, or enhance the achievement of organisational objectives
Analyse risks – identify and evaluate existing controls. Determine consequences and likelihood and hence the level of risk. This analysis should consider the range of potential consequences and how these could occur
Evaluate risks – compare estimated level of risk against the pre-established criteria and consider the balance between potential benefits and adverse outcomes. This enables decisions to be made about the extent and nature of treatments required and about priorities
Treat risks – develop and implement specific cost-effective strategies and action plans for increasing potential benefits and reducing potential costs
Monitor and review – monitor the effectiveness of all steps of the risk management process. This is important for continuous improvement. Risks and the effectiveness of controls and risk treatments need to be monitored to ensure changing circumstances do not alter priorities.
Section 4 provides further guidance on how the key principles and elements of The Standard can be practically applied to the various areas and levels within an organisation.
Figure: The risk management process. Establish context → Identify risks → Analyse risks → Evaluate risks → Treat risks, where Assess Risk spans the identify, analyse and evaluate steps. Communicate and Consult and Monitor and Review apply across every step.
3.1.3 Linking risk management with other processes
Risk management is not a stand-alone discipline. In order to maximise risk management benefits and opportunities, it needs to be integrated with existing business processes. The following lists some of the key business processes with which risk alignment is necessary.
Internal audit
Internal audit reviews the effectiveness of controls. Alignment between the internal audit function and that of the controls within the risk management process is critical, and the role/s of risk and compliance/ internal audit manager will seek to align these core processes.
The requirement to follow a risk-based approach to internal audit planning means that risk management outputs, particularly risk assessment outcomes and risk profiles, need to be available as an input to the internal audit function.
Similarly, internal audit plays a critical role in the risk management process, specifically in identifying and assessing operational risks, as well as providing assurance that specific risk controls are well designed and are operating effectively.
Business planning (including budgeting)
Identifying risk during the business planning process allows realistic delivery timelines to be set for strategies/ activities or the choice of removing a strategy/ activity if the associated risks are too high or unmanageable. The impact of changing risk levels over the year can then be mapped to the relevant objective, enabling us to conduct more timely expectation management with key stakeholders.
Client Comment:
What benefits can now be seen from establishing a Risk Management Framework?
“The benefits are manifold:
At a simplistic level, we are now compliant with the Whole of Victorian Government risk management framework and are aligned to the Risk Standard 4360, so can fulfill the requirements of the risk attestation.
It has made explicit the management of risk and therefore resources can be diverted towards management and monitoring.
It has provided objective support for making risk a priority and for aligning it more closely with the audit function.”
…Risk Manager, Department of Justice
Performance management
Individual performance plans should include all risk responsibilities, whether a general responsibility to use the risk management process or specific responsibilities such as risk ownership or implementation of risk treatments.
3.1.4 Linking strategic planning and risk
Risk management is a process that aims to enhance an organisation’s ability to meet its strategic and operational objectives. Equally, risk management outputs provide boards, executive and management with valuable insights and information that support improved decision making and planning.
To maximise the benefits of risk management, it is important that risk management processes be integrated as closely as possible into existing strategic planning and operational processes.
Strategic and operational planning is about the formulation, implementation and evaluation of cross-functional decisions that will enable the organisation to achieve its objectives. Risk management is designed to identify, analyse, evaluate, treat and monitor those risks, identified through the strategic and operational planning process, that could prevent the achievement of those objectives.
The diagram below shows how the strategic and operational planning process should be integrated and linked to the risk management process. Integrating strategic planning and risk management improves performance and helps organisations implement strategies and achieve objectives.
Figure: Linking strategic planning and risk. Strategic & Operational Planning Process: Identify Objectives → Strategy Formulation → Strategy Implementation → Feedback / Update Strategy. Risk Management Process: Establish Context → Identify Risks → Analyse Risks → Evaluate Risk → Treat Risk. The two processes are linked through Monitor Control & Execution Gap.
Client Comment:
“Our hospital produces a strategic plan every three years that guides the organisation’s future direction, and reflects the government’s broad healthcare objectives and vision. In addition a business plan is produced annually, which is translated into annual business unit targets, budgets and performance scorecards.
Before finalising the strategic and operational plans, the Executive and Board jointly discuss and score the ‘big-ticket’ risks that could hinder our ability to deliver on the strategy, operational plans and budgets. This is usually done in a formal ‘risk workshop’ that is facilitated by an external facilitator.
Based on these debates we may decide to: revise the strategy or operational plans, or to implement additional controls or monitoring mechanisms for high risk areas/ processes.
When brainstorming and rating the organisation’s strategic risks the Board and Executive prefer to start with a blank page rather than work through all of the risks in the risk register. Our risk officer subsequently updates the risk register to incorporate any new risks identified and adjustments to risk information already in the register.
Since involving the Board in annual risk workshops, I have noticed that they are more supportive of risk reporting initiatives and take a specific interest in progress on managing risks that they have identified during the planning workshops.”
…Executive Management Team Member, Regional Hospital
3.1.5 Incorporating risk management within projects
Many public sector agencies, particularly in the infrastructure cluster, use projects and project management approaches to delivering on their mandates. Projects can be distinguished from normal business processes by the fact that projects have a:
Defined start and end date
Clearly documented set of deliverables or outputs that need to be delivered on time, within an agreed budget and in accordance with pre-defined quality criteria for the project to succeed.
Project success criteria and budgets and accountabilities are defined and agreed before the project commences.
Many of the principles of project management are now being applied to ongoing business processes to improve accountability, monitoring and business performance.
Organisations that regularly undertake significant projects should already have project management methodologies in place. Common methodologies include: The Victorian Public Sector’s Gateway standard, PRINCE and PMBOK. Such methodologies commonly stipulate the requirement and approach to managing risk within the project (project risk).
When establishing your organisational risk framework, consider:
Including project management risk as a category of risk against which you report.
Whether all project risks are reported in the organisational risk register or whether the project/ programme manager should maintain a separate risk register per project, with only strategic or extreme risks being incorporated into the main risk register, and project risk profiles being reported to the project steering committee. The VMIA recommends the latter option.
Establishing customised Likelihood and Consequence scales for major projects – a cost over-run of 100% of a project budget may be Extreme within the context of the project, but only Moderate or Low within the broader organisational context. Similarly, many organisations use project-specific Consequence descriptors, for example:
− Time/ Timeframes exceeded
− Cost (budget over-runs)
− Quality (project does not deliver pre-defined quality/ functionality criteria)
− Reputation (adverse publicity, laws breached etc.)
Frequency of reporting on project risk – typically more frequent than organisational risk updates and reporting. It is common for risk updates to be provided to the steering committee whenever they meet.
The VMIA will, in future, be working with Public Sector stakeholders, on developing a more comprehensive approach to managing project risk.
Client/ VMIA Perspective:
Is project risk well managed in departments and agencies?
“In my experience, many organisations do not dedicate adequate priority and resources to managing risks on major infrastructure or IT projects, or do not have the capacity to implement and adhere to project risk management systems.
A common mistake is to perform project risk assessments and risk monitoring/ treatment techniques too late in the project lifecycle – for example by performing risk assessments after project implementation has started, or even after the project is completed (i.e. a post-implementation review).
Experience has shown that the best time to initiate a project risk process is during the project planning/ scoping phase. This prevents ‘risk or mistakes’ being designed into the project plan, budget or deliverables.
Another area where clients could improve project risk management is by clearly defining both the risk governance and escalation criteria for major projects. An organisation can deliver successful projects by defining thresholds or triggers that help identify an unacceptable or potentially severe risk, as well as identifying the project/ organisational management that need to be informed of these risks.
For example, a particular project risk management plan might specify tolerance and escalation thresholds so that project risks meeting the following criteria are escalated to appropriate authorities/ stakeholders:
Budget over run in excess of 30% of project/ program budget
Completion date exceeded by more than 2 months
Core project outcomes at risk
Risk of significant damage to organisation’s reputation or breach of legislative requirements.”
3.2 Key considerations when developing a risk management framework
Most Victorian departments and agencies have already adopted risk management practices and frameworks, which, to a greater or lesser extent, are consistent with the Risk Standard.
Before developing or revising a risk management framework, the organisation should critically review and assess those elements of the risk management process that are already in place.
Some of the key questions that need to be answered are:
How advanced should the risk management framework be?
How effective are current risk management practices?
What is the most effective and efficient way of closing the gap?
These questions are explored in further detail in the following sections.
3.2.1 How advanced should a risk management framework be?
An organisation’s risk management framework should ensure that key risks are effectively identified and responded to in a manner that is appropriate to the organisation.
No single risk framework will be appropriate for all organisations. Every organisation’s board and executive should decide on the appropriate level of risk management sophistication that they aspire to achieve. The desired level of risk maturity may change over time to reflect changes in the organisation’s complexity, size and risk appetite.
A number of external and internal factors would need to be considered to determine the appropriate level of risk management maturity. Some of the most important factors are discussed in the following sections.
Figure 2.2: Context for Risk Management. Understanding the context for risk management covers the External Environment (Cultural, Political, Regulatory, Financial, Economic) and the Internal Environment (Strategies, Objectives, Capabilities, Processes, Structure, Systems, Culture).
3.2.2 How effective are current risk management practices?
When reviewing the effectiveness of current risk management practices, it is necessary to consider both the “hard” and the “soft” aspects of risk management. The two key questions that need to be answered are:
Are the current risk management practices and framework “fit-for-purpose” given the organisational context (e.g. objectives, size, complexity, structure, culture, risk appetite etc.)?
Are they operating as anticipated (i.e. do people do what they are expected to do)?
There are many approaches that an organisation can adopt when assessing the appropriateness of its current risk management practices. For example:
VMIA’s self assessment questionnaire used during the Risk Framework Quality Review (RFQR)
VAGO’s Good Practice Guide
HB158 Providing Assurance on 4360 Risk Management.
HB158 Providing Assurance on 4360 Risk Management can be purchased from Standards Australia at www.standardsaustralia.com.au.
Toolkit reference:
Appendix Q: VAGO Good Practice Guide
3.2.3 Towards organisation wide risk management
There are many names to describe the approach used when looking at all risk across a company, organisation or entity. Such an approach can be referred to as enterprise wide, whole of entity, organisation-wide, holistic, integrated etc.
For the purposes of this guide, and to reflect common practice within the Victorian Public Sector, the term organisation-wide has been used to describe this approach.
In general, organisation-wide risk management refers to the risk management practices that aim to look at all risk across a company, organisation or entity. There are many competing definitions and several frameworks that attempt to define organisation-wide risk management, but no universally accepted definition or standard. This is probably because organisation-wide risk management, in practice, differs depending on the background of the practitioner, the size and nature of the company and the time at which organisation-wide risk management was adopted.
Organisation-wide risk management is a holistic approach to managing and prioritising responses to critical risks across the organisation in a manner that will support business strategy and plans. Effective risk assessment fundamentally consists of risk identification and evaluation across all areas of the organisation, followed by a process to ensure that critical risks are treated and managed in accordance with the organisation’s risk appetite.
Organisation-wide risk management seeks to provide a consolidated view of risk across the organisation. The scope of organisation-wide risk management therefore encompasses the use of common risk language, risk assessment techniques and response strategies across all functional and risk/assurance functions within the organisation, for example:
occupational health and safety risk
loss control and internal audit
legal and regulatory compliance risk
IT and information security
healthcare clinical risk
strategic risk.
Whilst physical hazards and financial management represent significant sources of risk for most organisations, other risk areas such as operational and strategic are often neglected. For many organisations, strategic and operational risks may be the greatest threat to achieving strategic objectives and meeting stakeholder expectations.
For example, misaligned products, supplier problems and cost overruns all apply equally to the public sector, and indicate that organisations need to pay increased attention to identifying and managing their strategic and operational risks. This will assist in achieving objectives and delivering on stakeholder expectations.
Public and private sector organisations are increasingly adopting Organisation-wide risk management frameworks that provide a holistic approach to identifying, assessing, managing, and monitoring and prioritising responses to all critical risks across the organisation in a manner that supports business strategies and plans. The chart below illustrates the key attributes of an Organisation-wide risk management framework.
Figure: Risk management maturity. The chart places “Traditional” risk management at the “Basic” end of the maturity scale and Organisation-wide (enterprise-wide) risk management at the “Mature” to “Advanced” end.
“Traditional” risk management:
emphasis on protecting assets
focus on physical and financial assets
risks managed within functional silos
inconsistent approaches.
Organisation-wide risk management:
board/executive support of risk management
clear accountabilities
appropriate risk oversight structures
dedicated risk management coordinator
explicit consideration of both operational and strategic risks
risk management integrated with operational and general management processes
clear accountability and timeframes for treatment of risks
differentiated risk reporting tailored to specific stakeholders
regular reviews of risks and risk management processes.
3.2.3.1 Optimising risk management maturity
When determining an organisation’s desired risk management maturity, the objective should be to maximise the value created through the risk management framework and practices.
The value of risk management can be defined as follows: Value = Benefits – Costs
The cost side of the equation is normally relatively easy to quantify, and would include:
direct costs associated with increasing the maturity of the organisation’s risk management framework, as well as the direct costs associated with maintaining the desired level of risk management maturity
indirect costs associated with increased focus on risk management activities. This will effectively be the opportunity cost associated with the additional time spent on risk management activities by management and staff.
The benefits of risk management are often harder to quantify. Some of the benefits typically achieved by organisations with “advanced” risk management practices include:
appropriate balance between realising opportunities for gains while minimising losses
better corporate governance, including risk oversight
improved decision-making and facilitating continuous improvement in performance
organisations that manage risk effectively and efficiently are more likely to achieve their objectives and do so at lower overall cost.
The chart below illustrates the value associated with increasing risk management maturity.
Figure: Optimising your risk management maturity. The chart plots risk management value ($, Benefits – Costs, from Low to High) against risk management maturity (Basic, Mature, Advanced); value rises with maturity up to the optimal risk management maturity.
Key observations:
target risk management maturity will differ for each organisation depending on a range of internal and external considerations as outlined above.
the value of increasing an organisation’s risk management maturity will increase as long as the benefits exceed the costs. However, the increase in value is not linear. For example, the value of shifting an organisation’s maturity from ‘basic’ to ‘mature’ is normally higher than from shifting from ‘mature’ to ‘advanced’. This is because most organisations can move from ‘basic’ to ‘mature’ without spending significant resources while the benefits are likely to be significant. Moving from ‘mature’ to ‘advanced’ is more expensive, as it typically requires significant investments in software and other infrastructure, as well as significant time commitments by management and staff.
improving risk management maturity requires time and resources. Time can to some extent be substituted by increased focus/effort. Accordingly:
– an organisation with limited resources and low risk management commitment would take a very long time to reach the desired level of risk management maturity
– organisations with extensive resources and a strong commitment to rapidly enhancing their risk practices may be able to shorten the time required to reach their desired level of risk management maturity.
improving risk management maturity requires balanced enhancement
developing a proactive risk management culture and embedding/integrating risk management practices in business processes always takes time.
3.2.4 What is the most effective and efficient way of closing the gap?
Once the organisation has taken a critical look at the effectiveness of the current risk management practices and determined an appropriate level of risk management maturity, it needs to figure out how to get there.
3.2.4.1 Developing a plan
The likelihood of successfully enhancing the maturity of your risk management framework to the desired level increases dramatically if you plan it well. The best way to do this is often through the development of a formal risk management strategy or plan, and associated risk policy and procedure documents. These outline how the organisation intends to achieve its targeted level of risk management maturity while clarifying the responsibilities and processes for achieving risk management goals.
Toolkit reference:
Appendix B: Risk management strategy - template
Appendix C: Risk management policy - template
Appendix D: Risk management procedure – template
Appendix Q: VAGO good practice guide
The above templates are examples of information commonly contained within risk documentation. However, the content and level of detail should always reflect the specific context of the organisation and its preferences, size and overall business strategy.
Client Comment:
What aspects of risk management did your organisation struggle with? How did you overcome them?
“We initially struggled with a negative perception of risk management as the previous incumbent had assiduously followed all elements of 4360 – thus making the risk process very complex and hard to engage with. As a result, the risk function had been devolved to those who could become experts or who had the time to devote to it - generally not those in management.
This was overcome by stripping the risk process back to its functional elements and focusing on using risk as a tool. Risk also had to be re-presented in a manner that engaged the target audience - for example the executive, looking at the overall context of risk and then drilling down to the state, private sector and departmental level.
Trust in the risk process and benefits associated with participation in updating the risk register also had to be developed and built upon. By making explicit the benefits and the associations of risk as a tool (for example, being used to develop the audit workplan), trust was slowly gained. This is an evolutionary process.
Having some aspects of risk management as mandatory (Victorian Government risk management framework and risk attestation) has supported this process.”
…Risk Manager, General Government
3.2.4.2 Avoiding the common pitfalls
Common areas where organisations struggle with embedding risk management include:
ensuring business planning is integrated with risk management
better defining risk descriptions
improved identification of inter agency risk management
aligning risk committee and boards with what's happening on the ground
linking internal audit and risk management
improving the quality and content of risk registers
embedding operational risk management
identifying controls and their effectiveness
allocating accountability for risk
improving risk reporting and measurement
project risk management.
The following thoughts reflect one organisation’s view on the essential elements that need to be in place to ensure the success of a risk management initiative:
Client Comment:
What lessons have you learned about the requirements for successfully implementing and improving your risk management framework?
“Success relies on...
Demonstrating how risk management can be used in everyday decision making to add value.
Writing risk management documents using 'non-threatening' almost conversational language.
Ensuring risk management expectations are achievable - don't put stuff in policy docs that you've got no hope of achieving.
Busy people want to know that you've got empathy for the challenges they face everyday - this must be reflected in the framework.
Having the executive group demonstrating commitment to the risk framework, not just verbally endorsing it!!
Don’t push to implement at a pace the organisation can't keep up with - this will turn Risk Management into a compliance exercise rather than a cultural change.”
…Risk Manager, Austin Health
3.2.4.3 Characteristics of high achievers
The VMIA has identified through the Risk Framework Quality Review program that those organisations with well developed and embedded risk frameworks exhibit the following characteristics:
commitment from the executive and board
integration of risk and corporate planning processes
well defined governance framework
strong reporting processes
risk support systems, processes and infrastructure for managing risk
clearly defined roles and responsibilities
strong risk culture.
3.2.4.4 Public Sector challenges
There are many challenges in implementing a successful organisation wide risk framework. Some of the more compelling are:
competing objectives of delivering more with less
risk compliance often competes with “risk culture”
public sector risk management expertise
the public and private sector are becoming more connected requiring a whole-of-government approach to risk management
attaining risk maturity is a long road.
To those that overcome the challenges, some of the benefits to be reaped include:
strengthened corporate governance processes
improved controls assurance
more informed decisions aligned to delivery of objectives
a source of competitive advantage
improved shareholder/stakeholder value.
3.2.4.5 Key messages in developing your framework
In the VMIA’s experience, delivering risk management within government is complex, but the benefits are tangible. To be successful an organisational risk management framework must be driven from a strategic position down and across the organisation and be supported by a strong risk management culture.
You are best to start with the basics and implement progressively over time. Identify the value drivers of risk management as a key to success and build upon these quick wins.
Developing an organisational risk management framework is as much a cultural journey, as it is about systems and procedures. Don’t forget to focus on people and principles when progressing your framework.
Manager, Strategic Risk The VMIA
3.3 Documenting a framework
3.3.1 Why is risk management documentation important?
Documenting an organisation’s risk management framework and recording each step of the risk management process is critical for a number of reasons, including:
demonstrating to stakeholders that the process has been conducted properly
providing evidence of a systematic approach to risk identification and analysis
enabling decisions or processes to be reviewed
providing a record of risks and developing the organisation’s knowledge database
providing decision makers with a risk management plan for approval and subsequent implementation
providing an accountability mechanism and tool
facilitating ongoing monitoring, review and continuous improvement
providing an audit trail
sharing and communicating information.
3.3.2 What are the attestation requirements?
The Victorian Government Risk Management Framework does not prescribe the type and extent of documentation required to satisfy the attestation
GUIDE-DEVELOPING-RISK-FRAMEWORK 37
Developing a Risk Management Framework
Implementing a Risk Management Framework
Monitoring and Enhancing a Risk Management Framework
Overview – Risk Management Framework
Key Considerations When Designing a Framework
Documenting a Framework
Risk Management Governance
Risk Management Information Systems
Overview of a Risk Management Process
Risk Management Process
Risk and Risk Management Reporting
Developing Desired Risk Management Culture
Monitoring and Reviewing a Risk Mgt Framework
Attestation Process
Continuous Improvement
requirements. However, departments and agencies must have sufficient documentation to demonstrate that:
a risk management process is in place consistent with the Standard (or equivalent designated standard)
monitoring and review activities have been conducted and they confirm the effectiveness of the risk management process in controlling the risks to a satisfactory level
a responsible body or audit committee verifies that view.
3.3.3 What needs to be documented
The following areas of your organisation’s risk management framework need to be documented:
objectives and rationale for managing risk
accountabilities and responsibilities for managing and overseeing risks
processes and methods to be used for managing risks – i.e. how the AS/NZS4360 Risk Management process will be applied in the organisation
commitment to the periodic review and verification of the risk management framework and its continual improvement
the way in which risk management performance will be measured and reported
resources available to assist those accountable or responsible for managing risks
organisation’s risk appetite translated into risk rating criteria
links between risk management and the organisation’s objectives
links between risk management and other processes and activities
scope and application of risk management within the organisation
requirements for recording and documentation of the risk management process (e.g. communication plan, stakeholder analysis, risk register, risk profile, and risk reporting).
3.3.4 Is there a preferred way to structure your documentation?
The Standard does not prescribe how organisations should structure their risk management framework documentation but proposes the following be included in a risk framework:
Objectives
Mandate and commitment to manage
Operational policies
Procedures and practices
Risk management plan/s and allocation of responsibilities.
Some organisations may include all of the above components in a single plan, or may create separate policy, procedure and plan documents. As long as the required areas of the framework have been documented (as outlined in Section 4.3.3), it is up to the organisation to select an appropriate document structure.
An example of how key framework elements could be documented is shown below (diagram: Risk Management Framework Documentation).
Risk Management Policy:
• Intentions and direction
• Risk management purpose/objectives
• Key roles & responsibilities
• Risk management governance arrangements
• Procedures
Risk Management Procedure:
• Detailed roles and responsibilities
• Detailed description of process steps
• Risk rating scales
• Risk reporting templates
• Risk management activities
Risk Management Plan:
• Scope of risk management
• Strategy and approach
• Resources
• Procedures
• Responsibilities
• Sequence and timing of activities
• “Roadmap” for enhancement of risk management practices
The above framework documents typically include, or are accompanied by, detailed documentation such as:
charters for the board, board audit committee, board risk committee, executive committee, internal audit function etc
position descriptions describing risk responsibilities
risk management tools, templates and guidelines
risk management training schedule/s
risk register/s
operational plans for risk treatment
risk management reports.
Indicative content of core risk management framework documentation is included in the following sections.
3.3.5 Risk management strategy
A risk management strategy typically documents factors such as:
objectives and rationale for managing risk
the organisation’s overall appetite/tolerance for risks
the organisation’s strategic objectives and the strategies deployed to achieve these objectives
key risks associated with these strategies within a one to three year time frame
the organisation’s high level approach to managing these risks
a plan for progressive enhancement of the organisation's risk management practices and competencies, including key risk management initiatives.
The following key questions would need to be answered in the process of formulating a risk management strategy:
what are the organisation’s key objectives and strategies?
what are the risks associated with these?
how is the organisation assessing, managing and monitoring these risks?
are the risk management processes working effectively?
There is no prescribed format for how a risk management strategy should be documented. Some organisations:
disclose their risk management strategy in their annual reports
choose to have a separate document, in addition to a risk management policy and procedure document
incorporate their risk management strategy within their Business Plan, outlining how risks associated with business plan objectives will be managed.
A risk management strategy template is appended to this guide, but it is important to recognise that this is only one way of documenting your organisation’s risk management strategy.
3.3.6 Risk management policy
The risk management policy should clearly articulate the organisation's objectives for and commitment to risk management. The policy typically specifies:
accountabilities and responsibilities for managing risk
commitment to the periodic review and verification of the risk management policy and framework, and its continual improvement
links between this policy and the organisation’s objectives
the organisation’s risk appetite (refer to section 4.2.3.4 for further detail)
the organisation's rationale for managing risk
processes and methods to be used for managing risk
resources available to assist those accountable or responsible for managing risk
the way in which risk management performance will be measured and reported.
3.3.7 Risk management procedures
The risk management policy is typically supported by a more comprehensive risk management procedure document outlining the organisation’s detailed approach to managing risk.
Typical content of the risk management procedure include:
Risk management definitions/language – a common risk language will promote consistent understanding of risk management concepts and provide clarity of communication and action.
Risk management roles and responsibilities – an organisation’s ability to conduct effective risk management is dependent upon having an appropriate risk governance structure and well-defined roles and responsibilities. Risk management roles and responsibilities are discussed in detail in section 3.3.4.
Relationship and integration with other initiatives – risk management is not a stand-alone discipline. In order to maximise risk management benefits and opportunities, it needs to be integrated with existing business processes. The integration between risk management and other processes is discussed further in section 3.1.3.
Description of how each step of the risk management process will be applied within the organisation – in accordance with the Victorian Government Risk Management Framework, an organisation’s risk management framework and processes must as a minimum requirement be consistent with the key principles of the Standard.
Overview of the organisation’s risk reporting framework – content, format, frequency and recipients of risk reports. Risk management reporting is discussed in further detail in section 4.3.
Risk assessment criteria – agreed criteria for assessment of risk likelihood, consequence, and overall risk rating. Risk rating criteria are discussed in further detail in section 4.2.3.
Toolkit reference:
Appendix B: Risk management strategy – template
Appendix C: Risk management policy – template
Appendix D: Risk management procedure – template
Is it OK to combine risk management policy, strategy, and procedures into a single risk management plan or manual?
Yes. Many organisations have successfully combined these into one document. As long as the right areas are documented, it is fine to have them as one document.
3.3.8 Risk register
A risk register is a comprehensive record of all risks across an organisation, business unit or project depending on the purpose/context of the register (Victorian Auditor General’s Office).
3.3.8.1 Risk register content
At a minimum, the risk register records:
the risk
how and why the risk can happen
the existing internal controls that may minimise the likelihood of the risk occurring
the likelihood and consequences of the risk to the organisation, business unit or project
a risk level rating based on a pre-established criteria framework, including an assessment of whether the risk is acceptable or whether it needs to be treated
a clear prioritisation of risks (risk profile)
accountability for risk treatment (may be part of the risk treatment plan)
timeframe for risk treatment.
3.3.8.2 Risk register format
Risk registers may take various forms, including:
Excel/Word based
risk management software/system.
i) Internally developed
ii) Externally developed (standardised vs. proprietary)
Section 3.5 provides guidance on factors to consider when developing a risk management information system.
Sections 4.2 and 4.3 provide guidance on how each element of the risk management process should be recorded and reported on.
3.3.8.3 Risk treatment plans
Risk treatment plans identify responsibilities, schedules, the expected outcome of treatments, budgets, performance measures and the review process to be set in place.
The risk treatment plan usually provides detail on:
actions to be taken and the risks they address
who has responsibility for implementing the plan
what resources are to be utilised
the budget allocation
the timetable for implementation
details of the mechanism and frequency of review of the status of the treatment plan.
Section 4.2.7 provides further guidance on risk treatment plans.
Toolkit reference:
Appendix K: Risk management database – MS Access tool
Appendix L: Risk register – MS Excel template
Appendix M: Risk management register – worked example
Appendix J: Risk assessment template
3.3.8.4 Risk and risk management reports
Risk and risk management reports are regular reports made available to executive management, boards and audit committees that inform how key risks (statewide risks, strategic risks and emerging risks) are being managed (Victorian Auditor General’s Office).
Some of the basic questions that risk reports should answer include:
what are the risks?
what is the level of each risk?
what has been done about them?
who is responsible for managing the risk?
has the level of risks changed as a result of implementing risk treatments?
what are the risks that need to be escalated to strategic risks?
what are the risks that are no longer regarded as strategic risks and why?
Section 4.3 provides guidance on risk and risk management reporting.
Toolkit reference:
Appendix G: Risk reporting – MS Word templates
3.4 Risk management governance
An organisation’s ability to conduct effective risk management is dependent upon having an appropriate risk management governance structure and well-defined roles and responsibilities.
It is important for everyone to be aware of individual and collective risk management responsibilities. In order for risks to be effectively managed, it is essential to have people behaving in a way that is consistent with the organisation’s approved approach.
This indicates that risk management is not merely about having a well-defined process but also about facilitating the behavioural change necessary for risk management to be embedded in all organisational activities.
3.4.1 Mandate and commitment
Any major organisational initiative needs appropriate sponsorship to be successfully implemented and sustained. Given its importance and strategic nature, risk management requires strong and sustained commitment by the organisation’s board, audit/risk committee, and the CEO / Secretary.
Management should:
articulate and endorse the risk management policy
communicate the benefits of risk management to all stakeholders
define risk management performance indicators that align with organisational performance
ensure alignment of risk management objectives with the objectives and strategies of the organisation
ensure legal and regulatory compliance, and
ensure that the necessary resources are allocated to risk management.
The board, risk committee and executive can all play a lead role in setting the tone for effective risk management throughout the organisation. This can be demonstrated in a number of ways but is often achieved through the authorisation and sponsorship of key risk management documentation that outlines both the ‘why’ and the ‘how’ behind effective risk management.
The board, risk committee and executive can also help to drive effective risk management by incorporating risk management and reporting into the corporate and strategic planning processes, thereby setting an example on how it can be incorporated into normal operations.
3.4.2 Accountability
The organisation should ensure that there is accountability and authority for:
managing risks
adequacy and effectiveness of risk controls
implementing and sustaining the risk management framework/process.
This may be facilitated by:
ensuring appropriate levels of recognition, reward, approval, and sanction
establishing performance measurement and internal and/or external reporting and escalation processes
specifying risk owners for implementing risk treatments, maintenance of risk controls and internal reporting of relevant risk information
specifying who is accountable for the development, implementation and maintenance of the framework for the management of risk.
3.4.3 What are the key factors to consider when developing a risk management governance structure?
A number of factors should be considered when determining an organisation’s risk management governance structure, including:
current organisational structure and authorities
current level of understanding, appreciation, and commitment to risk management by key individuals
current level of change readiness within the organisation (often evolutionary change works better than revolutionary change)
key types of risks faced by the organisation and functions currently managing the key risks
the existence of logical “risk champions” within the organisation.
3.4.4 Indicative roles and responsibilities for risk management
Proactive communication and dialogue with the board and audit/risk committee is a critical element of effective risk management governance. The board and its committees retain an obligation to remain informed not only of the risks to the organisation, but also to the effectiveness of risk management efforts. The board and the audit/risk committee have responsibility to the stakeholders of the organisation to ensure that the risk management framework of the organisation is appropriate to the nature of the organisation and the risks the organisation faces.
A key component of effective risk management governance is to establish clear lines of risk and risk management accountability. The specific roles of the various parties such as the board, audit/risk committee, the CEO/Secretary, executive management, and staff would vary according to the organisational structure, complexity, size and maturity. A sample risk governance structure is illustrated as follows:
Client Comment:
How did you link or integrate your governance and risk frameworks?
“Quite simply, form followed function. In order to best manage risk across the department, a framework was developed and then a governance structure was
created to complement and support the risk operations of the department.”
…Risk Manager General Government
Risk governance structure (diagram): Board; Audit Committee and Risk Committee (can be combined); CEO; Executive & Management; Risk Owners; Staff & Contractors.
A description of roles and accountabilities of each of the key parties to whom risk management duties have been delegated is as follows:
3.4.4.1 Board
The board provides direction and oversight of risk management across the organisation. The board’s key risk management responsibilities may include:
approving the organisation’s risk management documentation including the strategic risk profile, risk appetite and tolerance, risk management policy and risk management procedure
setting the standards and expectations of the organisation with respect to conduct and behaviour, and ensuring that effective risk management is enforced through an effective performance management system
monitoring the management of high and significant risks, and the effectiveness of associated controls through the review and discussion of six monthly risk management reports
satisfying itself that risks with lower ratings are effectively managed, with appropriate controls in place and effective reporting structures
approving major decisions affecting the organisation’s risk profile or exposure.
3.4.4.2 Chief Executive Officer (and Secretary)
The CEO’s / Secretary’s key risk management responsibilities may include:
participating in the review and update of the strategic risk profile
reviewing key risk information, identifying key risk trends and assessing the impact for the organisation as a whole
monitoring the management of high and significant risks and the effectiveness of associated controls through the review and discussion of regular risk management reports
ensuring that adequate processes are being followed in relation to lower level risks
setting the tone and promoting a strong risk management culture by providing firm and visible support for risk management.
3.4.4.3 Audit / risk committee
The audit / risk committee is accountable to the board, and meets and reports to the Board advising of its activities, findings and recommendations, including risk management policies.
The primary objective of the audit / risk committee is to assist the board in discharging its responsibilities to exercise due care, diligence and skill in relation to business operations and to advise on any matters of financial or regulatory significance which may be referred to it from time to time. In addition, the committee is to assist the board in fulfilling its responsibilities relating to compliance by the organisation with legal and contractual obligations.
The organisation may also choose to have an executive risk management committee to promote the coordination and oversight of risk management activities.
3.4.4.4 Executive and management
The executive and management are responsible for the oversight of the risk management framework, including the consideration and review of risk management policies and procedures on an annual basis. The executive and management are also responsible for establishing policies and reviewing the effectiveness of the organisation’s approach to risk management including the status of major business risks.
The typical composition of an executive risk management committee would be:
Core Members:
CEO
Risk Manager
Chief Financial Officer
Operations Manager
Internal Auditor
Occupational Health and Safety Officer
Core service (e.g. within Healthcare sector may include: Allied Health, Nursing, Aged Care etc.)
Optional Members:
Human Resources Manager
IT Manager
Legal Counsel
Other functional specialists
3.4.4.5 Chief risk officer / risk manager
Chief risk officers, risk managers (or equivalent) are typically employed to:
develop, enhance and implement appropriate risk management policies, procedures and systems
co-ordinate and monitor the implementation of risk management initiatives within an organisation
work with risk owners to ensure that the risk management processes are implemented in accordance with agreed risk management policy and strategy
collate and review all risk registers for consistency and completeness
provide advice and tools to staff, management, the Executive and Board on risk management issues within the organisation, including facilitating workshops in risk identification
promote understanding of and support for risk management, including delivery of risk management training
oversee and update organisation-wide risk profiles, with input from risk owners
ensure that relevant risk information is reported and escalated or cascaded, as the case may be, in a timely manner that supports organisational requirements
attend risk committee or audit committee meetings where risk management issues are discussed.
It is important to note that most ‘risk managers’ act primarily as advisors and co-ordinators for risk and do not typically have a direct operational responsibility for specific categories of risk.
Operational responsibility for specific types of risk generally rests with functional area line management. For example an IT and Systems Manager would take responsibility for managing IT-related risk/s. Some organisations create a risk management job role that incorporates operational responsibility for a particular risk area. For example the Risk Manager may also act as the organisation’s OH&S Officer.
Regardless of the job title or function it is critical that there be clarity around roles and responsibilities in order to progress risk management throughout the organisation.
3.4.4.6 Risk owners
Risk owners are typically line managers, or functional specialists who assume responsibility for designing, implementing, and/or monitoring risk treatments.
Risk owners may be responsible for the following:
manage the risk they have accountability for
review the risk on a regular basis
identify where current control deficiencies may exist
update risk information pertaining to the risk
escalate the risk where the risk is increasing in likelihood or consequence
provide information about the risk when it is requested.
3.4.4.7 Staff and contractors
It is the responsibility of all personnel, stakeholders and contractors to apply the risk management process to their respective roles. Their focus should be upon identifying risks and reporting these to the relevant risk owner. Where possible and appropriate, they should also manage these risks.
3.5 Risk management information systems
Developing a risk management framework involves identifying the appropriate tools and technology that will help your organisation capture, analyse and communicate risk related information.
Client Comment:
What does your organisational structure for risk management look like?
“A twofold structure exists.
The first is the reporting lines. The audit and risk committee is the committee that monitors and manages the risk register and gives final
approval to the risk attestation. This committee reports findings by exception to the Justice Executive Committee and the Secretary.
Operationally, the departmental risk register is completely reviewed by the Justice Executive Committee on an annual basis. The audit and risk
committee then monitor the treatment of risks outlined in the register - this occurs on a monthly basis, or by exception. The divisional registers are
completely reviewed on an annual basis and a desktop review is conducted every six months.
Business unit risk registers are a component part of the business planning process and the departmentally endorsed business plan template”.
…Risk Manager Department of Justice
The objective is to provide the right information to the right people at the right time to make appropriate decisions with regards to risks.
In general, risk management information systems should possess the capability to:
record details of risks, controls and priorities and show any changes therein
record risk treatments and associated resource requirements
record details of incidents and loss events and the lessons learned
track accountability for risks, controls and treatments
track progress and record the completion of risk treatment actions
allow progress against the risk management plan/strategy to be measured
trigger monitoring and assurance activity.
This section provides guidelines in identifying suitable tools and technology to enable your risk management framework.
Risk Information Management Planning (diagram):
Identify your risk management information requirements: risk data you need to capture; who you will capture it from; how you capture risk data; users and their needs.
Develop appropriate tools and technology: capturing risk data and information; monitoring and recording; analysis and reporting; communicating.
Select appropriate risk management software: cost; functionality; scalability; accessibility.
3.5.1 Identifying your requirements
The first step in the process of managing risk information is to identify your requirements. The key questions to ask are:
What risk information or data do you need to capture?
How do you capture this risk information?
Who are your end-users and what do they need?
Your requirements will generally involve capturing risk data, monitoring and recording risk information, developing capability to analyse and report risk performance, and communicating relevant and timely risk management information to the right stakeholders.
3.5.2 Developing appropriate tools and technology
Developing the appropriate tools and technology according to your requirements would generally depend on the scale and scope of your risk management framework as well as the stakeholders involved. For instance, who are your users for the tools and technology? Which parts of the business will the tools and technology be applied to?
Choose the appropriate tools that provide comprehensive, relevant, timely and accurate risk information. This will facilitate better, and more informed decision-making.
An organisation may find that the costs associated with acquiring and maintaining software exceeds the benefits. In such circumstances, it is probably preferable to invest these resources in improving other areas of risk management – e.g. to fund critical risk treatments/controls, or to train staff.
3.5.2.1 Capturing risk information
To effectively identify risks, it will be useful to have tools that capture risk information from various sources across the organisation, including:
leadership team
business unit managers
selected staff
other stakeholders.
Your tools and technology should be able to capture typical risk management information, including:
actual losses, potential losses, and near miss events
business risk profile, including new and changed exposure to key risks
significant control weaknesses, (which affect significant risks)
progress on action plans to deal with significant risk or control weaknesses.
3.5.2.2 Monitoring and recording risk information
Many organisations use tools and technology with functionality to generate risk reports with information about:
extreme risks
total risk profile
reasons for risk rating movements
risk treatment actions
assurance coverage of key risks
risk management strategy
new and emerging risk issues
detailed risk register.
Details of these types of information are discussed in Section 4.3 of this guide.
3.5.2.3 Capability to analyse and report risk performance
To effectively analyse and report risk performance, you will need tools and technology that:
analyse risks based on quantitative or qualitative parameters
– qualitative risk analysis will require tools that have the capability to classify risks according to categories, impact and likelihood.
– quantitative risk analysis will require tools that have the capability to calculate and/or simulate value of risk.
facilitate ranking or prioritisation of risks
facilitate trend analysis
aggregate risk information at various levels as required by different levels of staff/management.
Section 4.3 further describes how to analyse and report risk performance.
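The register content of section 3.3.8.1 and the analysis capabilities of section 3.5.2.3 (rating, prioritisation, trend and aggregation) in code, as an added example that is not part of the guide or its toolkit: a small Python risk register that rates each risk, keeps an audit trail of re-ratings, flags risks whose rating is increasing so the owner can escalate them, and aggregates the profile by business unit. The 5x5 scales, band cut-offs and sample rows are constructed assumptions; the guide leaves the actual criteria to section 4.2.3.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed 5x5 rating scales and band cut-offs: assumptions for this example,
# since the guide leaves the real likelihood/consequence criteria to section 4.2.3.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def rating_band(score: int) -> str:
    """Map a raw likelihood x consequence score onto the register's qualitative bands."""
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    return "medium" if score >= 4 else "low"


@dataclass
class Risk:
    """One register row: the minimum content listed in section 3.3.8.1."""
    risk_id: str
    unit: str                    # business unit, used for aggregated views
    description: str             # the risk
    cause: str                   # how and why it can happen
    controls: List[str]          # existing controls that reduce likelihood
    likelihood: str
    consequence: str
    owner: str                   # accountability for treatment
    treatment_due: Optional[str] = None   # ISO date, timeframe for treatment
    # Audit trail of re-ratings: (ISO date, field, old value, new value, reason).
    history: List[Tuple] = field(default_factory=list)

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    @property
    def level(self) -> str:
        return rating_band(self.score)

    def reassess(self, on: str, likelihood: Optional[str] = None,
                 consequence: Optional[str] = None, reason: str = "") -> int:
        """Record a re-rating in the audit trail; return the score change (+ = worse)."""
        before = self.score
        for name, new in (("likelihood", likelihood), ("consequence", consequence)):
            old = getattr(self, name)
            if new is not None and new != old:
                self.history.append((on, name, old, new, reason))
                setattr(self, name, new)
        return self.score - before


class RiskRegister:
    def __init__(self) -> None:
        self.risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self.risks:
            raise ValueError("duplicate risk id: " + risk.risk_id)
        self.risks[risk.risk_id] = risk

    def profile(self) -> List[Tuple[str, str, int]]:
        """Prioritised risk profile: (id, band, score), highest first."""
        ranked = sorted(self.risks.values(), key=lambda r: r.score, reverse=True)
        return [(r.risk_id, r.level, r.score) for r in ranked]

    def increasing(self) -> List[str]:
        """Risks whose latest re-rating raised likelihood or consequence (to escalate, 3.4.4.6)."""
        out = []
        for r in self.risks.values():
            if r.history:
                _, name, old, new, _ = r.history[-1]
                scale = LIKELIHOOD if name == "likelihood" else CONSEQUENCE
                if scale[new] > scale[old]:
                    out.append(r.risk_id)
        return out

    def by_unit(self) -> Dict[str, Dict[str, int]]:
        """Aggregated view: number of risks in each band, per business unit."""
        agg: Dict[str, Dict[str, int]] = {}
        for r in self.risks.values():
            counts = agg.setdefault(r.unit, {})
            counts[r.level] = counts.get(r.level, 0) + 1
        return agg


def sample_register() -> RiskRegister:
    """Constructed sample rows, not taken from the guide."""
    reg = RiskRegister()
    reg.add(Risk("R1", "IT", "Loss of records through malware", "Unpatched servers",
                 ["Offline backups"], "possible", "major", "IT Manager", "2010-06-30"))
    reg.add(Risk("R2", "Finance", "Capital project budget overrun", "Optimistic estimates",
                 ["Monthly variance review"], "possible", "moderate", "CFO"))
    reg.add(Risk("R3", "OHS", "Staff injury in car park", "Poor lighting",
                 ["Lighting audit"], "unlikely", "minor", "OHS Officer"))
    return reg
```

Each re-rating is appended to the row's history rather than overwriting it, so the register answers "has the level of risk changed and why" from its own audit trail.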
3.5.2.4 Communicating risk management information
Effective communication facilitates awareness, understanding, adoption of and commitment to the risk management framework.
The communication tools you will require would ideally have the capability to:
provide easy reporting and access of risk information for all relevant stakeholders
archive lessons learned from implementing the risk management framework
store risk management policies, procedures and other documents
trace user access to determine reach and utilisation
provide audit trail to ensure integrity of information
enable escalation of risk-related issues and incidents.
3.5.3 Selecting your risk management software
Depending on factors such as size and complexity of an organisation and the nature of the risks it manages, it may be feasible to acquire or develop risk management software to facilitate the recording, analysis, and reporting of risk management information.
The key areas to consider when assessing an organisation’s need for risk management software are:
costs
functionality
accessibility
scalability.
There are various risk management software packages available on the market that meet different requirements. As a guide, consider the following in choosing the most suitable option.
Costs – Determine the costs associated with the software. How much does the license cost? Ensure that you understand what the licensing conditions are for the software.
Functionality – What are the functions that the software provides? Does it meet all your requirements? Could the software be integrated with other existing tools, technology and systems that your organisation currently has? If no, how much transition effort is required?
Accessibility – Does the software allow users to access it easily, anytime, anywhere, as and when required? Does it provide control of access to ensure the integrity of risk management information?
Scalability – Does the software allow the number of users and the functions to be expanded without significant additional cost? If you expand the scope of your risk management framework, will the software still be applicable?
Toolkit reference:
Appendix P: Risk management information systems – checklist
3.6 Checklist – Developing a risk management framework
The following checklist provides a number of questions relating to the development of your organisation's risk management framework. Considering the answers to these questions will help you check your progress in implementing a robust and flexible risk management framework.
The checklist distinguishes between those elements essential to an effective risk framework and those typically associated with the relatively mature or sophisticated frameworks found in large organisations.
Toolkit reference:
Appendix O: Risk management checklist
# | Section | Requirement | Essential (E) / Advanced (A) | In place (Yes/No)
Developing a risk management framework
1 | Communicate and consult | Have the board and executive expressed their support for a risk management programme? | E |
2 | Establish the context | Have you identified a person who will be responsible for implementing risk management? | E |
3 | Establish the context | Does the risk manager, or equivalent, have reasonable access to staff and management across the organisation? | E |
4 | Establish the context | Have you defined categories of risk relevant to your organisation and industry? | E |
5 | Establish the context | Do your risk categories reflect all operational risk areas of the business as well as more strategic risk categories? | E |
6 | Establish the context | Is there a clear organisational strategy (or objectives) articulated for the organisation? | A |
7 | Establish the context | Have you defined and agreed a likelihood scale to assess the potential for a risk to occur throughout the organisation? | E |
8 | Establish the context | Have you defined and agreed a consequence scale to help assess risk impacts across the organisation? | E |
9 | Establish the context | Does your consequence scale describe both financial and non-financial impacts? | E |
10 | Establish the context | Does your risk management framework consider the effectiveness of controls or risk treatments? | E |
11 | Establish the context | Is there an agreed template or format for recording risk (a risk register)? | E |
12 | Establish the context | Has a risk policy been defined? | E |
13 | Establish the context | Does the organisation have a documented risk management strategy? | A |
14 | Communicate and consult | Have the Risk Committee (or equivalent) and the Board reviewed and approved the risk policy/strategy? | E |
15 | Establish the context | Do job descriptions of key stakeholders include responsibilities for risk management? | E |
16 | Establish the context | Is a formal project management methodology used to manage projects? | A |
17 | Establish the context | Is a mechanism in place to identify, assess, record and monitor risks on projects? | A |
18 | Establish the context | Has the organisation agreed what types and levels of risk are unacceptable? | E |
19 | Establish the context | Is there an agreed format/template for reporting on risk? | E |
20 | Establish the context | Is there a process and/or template where staff and the Executive can record new risks? | E |
4 Implementing a risk management framework
This section provides an overview of how a risk management process consistent with that outlined in the Standard can be implemented across an organisation. It also provides guidance on the process and content for risk and risk management reporting and outlines a practical approach for developing a proactive risk management culture.
4.1 Overview of the risk management process
According to the Victorian Government Risk Management Framework, departments and agencies should, at a minimum, establish risk management frameworks and processes consistent with the key principles of the Standard.
The key steps in implementing a risk management process consistent with the Standard are illustrated in the following figure:
[Figure: the risk management process. The five sequential steps (Establish Context, Identify Risks, Analyse Risks, Evaluate Risks, Treat Risks) are shown between the two ongoing activities, Communicate and Consult and Monitor and Review. The figure sits within the guide's navigation panel: Developing a Risk Management Framework (Overview; Key Considerations When Designing a Framework; Documenting a Framework; Risk Management Governance; Risk Management Information Systems); Implementing a Risk Management Framework (Overview of a Risk Management Process; Risk Management Process; Risk and Risk Management Reporting; Developing Desired Risk Management Culture); Monitoring and Enhancing a Risk Management Framework (Monitoring and Reviewing a Risk Mgt Framework; Attestation Process; Continuous Improvement).]
As depicted in the figure above, Communicate and Consult and Monitor and Review are ongoing activities that occur at each stage in the risk management process. Accordingly, these activities are discussed both as separate risk management process steps (refer to sections 5.2.1 and 5.2.7, respectively) and as sub-activities of each of the other risk management process steps (i.e. establish context, identify risks, analyse risks, evaluate risks, and treat risks).
The subsequent sections will describe each of the steps in the risk management process in detail.
The sections aim to answer the following questions:
1. what is the purpose of each step in the process?
2. why is it important?
3. how do you implement it?
4. how do you communicate/consult and monitor/review?
5. what tools and techniques are used to implement it?
The following table summarises the key risk management process steps, their inputs and outputs, and the tools and techniques used at each step.
Step | Inputs | Outputs | Tools and techniques
Establish Context | External context (external environment information); internal context (organisational information) | Risk criteria; risk tolerance; risk management policy; risk management framework | Stakeholder consultation plan; communication plan
Identify Risks | Stakeholder consultation; organisational records | Risks that matter; risk register | Risk universe; brainstorming; "what-if" and scenario analysis; process mapping and flowcharting; systems analysis; operational modelling; expert opinion
Analyse Risks | Likelihood of risks; consequence of risks; current controls around risks; risk rating criteria (likelihood rating, consequence rating) | Overall risk rating; risk profile; risk priorities; inter-relationships among the risks | Qualitative analysis; semi-quantitative analysis; quantitative analysis
Evaluate Risks | Risk tolerance | Treatment options; risk ownership | Heat map; numerical ranking of risks; decision trees
Treat Risks | Treatment options; risk ownership | Treatment plan (to reduce likelihood, to reduce consequence, to maximise upside risks); resources and timeframe | Risk transfer (e.g. insurance, outsourcing); risk mitigation; risk avoidance; cost-benefit analysis
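As an added worked example (not part of the VMIA guide, and not code from any tool the guide mentions), the following Python script carries the Analyse and Evaluate steps in the table above, and the qualitative analysis capability described in section 3.5.2.3, through a small constructed risk register: it rates each risk from likelihood and consequence scales, credits current controls to give a residual rating, ranks and aggregates the results, lays them out on a heat map, and reports rating movements between two register snapshots. The five-point scales, the rating bands, the control-credit rule and the HRH-flavoured risks are all assumptions chosen for illustration; an organisation substitutes the scales and criteria it agreed when establishing its context.

```python
"""Qualitative risk analysis over a risk register (added example).

Rates each risk from agreed likelihood and consequence scales, credits
current controls to obtain a residual rating, then ranks, aggregates and
compares two register snapshots. All scales and sample risks are assumed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, replace

# Assumed five-point scales; an organisation defines its own (see the
# checklist items on likelihood and consequence scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Assumed rule for crediting current controls: how many likelihood steps the
# controls are taken to remove. This is what separates the inherent rating
# from the residual rating that is actually reported and ranked.
CONTROL_CREDIT = {"effective": 2, "partially effective": 1, "ineffective": 0}


@dataclass(frozen=True)
class Risk:
    ref: str
    title: str
    category: str
    likelihood: str   # key of LIKELIHOOD
    consequence: str  # key of CONSEQUENCE
    controls: str     # key of CONTROL_CREDIT: effectiveness of current controls


def rating_band(score: int) -> str:
    """Map a likelihood x consequence product (1..25) onto rating bands.
    The boundaries are assumed; they are where risk tolerance is encoded."""
    if score >= 16:
        return "extreme"
    if score >= 10:
        return "high"
    if score >= 5:
        return "moderate"
    return "low"


def residual_likelihood(risk: Risk) -> int:
    """Likelihood after crediting current controls, never below 1."""
    return max(1, LIKELIHOOD[risk.likelihood] - CONTROL_CREDIT[risk.controls])


def inherent_score(risk: Risk) -> int:
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def residual_score(risk: Risk) -> int:
    return residual_likelihood(risk) * CONSEQUENCE[risk.consequence]


def prioritise(register):
    """Numerical ranking: highest residual score first, consequence as the
    tie-breaker so a rare catastrophe outranks a frequent nuisance."""
    return sorted(register, key=lambda r: (-residual_score(r), -CONSEQUENCE[r.consequence], r.ref))


def risk_profile(register) -> Counter:
    """Total risk profile: how many risks sit in each residual band."""
    return Counter(rating_band(residual_score(r)) for r in register)


def profile_by_category(register) -> dict:
    """The same profile aggregated per risk category, for unit-level reporting."""
    out = defaultdict(Counter)
    for r in register:
        out[r.category][rating_band(residual_score(r))] += 1
    return dict(out)


def heat_map(register) -> dict:
    """Heat-map cells keyed by (residual likelihood, consequence) -> risk refs."""
    cells = defaultdict(list)
    for r in register:
        cells[(residual_likelihood(r), CONSEQUENCE[r.consequence])].append(r.ref)
    return dict(cells)


def rating_movements(previous, current):
    """Risks whose residual band changed between two snapshots (the 'reasons
    for risk rating movements' report). New risks show None as the old band."""
    prev = {r.ref: r for r in previous}
    moves = []
    for r in current:
        new_band = rating_band(residual_score(r))
        old = prev.get(r.ref)
        old_band = rating_band(residual_score(old)) if old else None
        if old_band != new_band:
            moves.append((r.ref, old_band, new_band))
    return moves


# Constructed sample register, loosely modelled on the HRH scenario in the
# guide; the risks and their ratings are assumptions, not the guide's data.
REGISTER_Q1 = [
    Risk("HRH-01", "Specialist vacancies leave services uncovered", "Workforce",
         "likely", "major", "partially effective"),
    Risk("HRH-02", "Admissions system omits patient medical history", "Clinical",
         "likely", "catastrophic", "ineffective"),
    Risk("HRH-03", "Aged care occupancy stays below budget", "Financial",
         "likely", "moderate", "partially effective"),
    Risk("HRH-04", "Power failure interrupts the emergency ward", "Infrastructure",
         "unlikely", "major", "effective"),
]
# Second snapshot: an interim control on the admissions system is assumed.
REGISTER_Q2 = [replace(r, controls="partially effective") if r.ref == "HRH-02" else r
               for r in REGISTER_Q1]

if __name__ == "__main__":
    for r in prioritise(REGISTER_Q1):
        print(f"{r.ref} {rating_band(residual_score(r)):8} "
              f"inherent={inherent_score(r):2} residual={residual_score(r):2} {r.title}")
    print("profile:", dict(risk_profile(REGISTER_Q1)))
    print("movements Q1->Q2:", rating_movements(REGISTER_Q1, REGISTER_Q2))
```

Keeping inherent and residual scores side by side is what makes the "significant control weaknesses" report in section 3.5.2.1 possible: a large gap between the two is a risk whose rating depends on controls that must therefore be tested. The product-of-scales matrix is only one convention; many organisations use an asymmetric matrix that weights consequence more heavily, which is a change to `rating_band` alone.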
The “Establish the Context” section describes how each organisation should adjust and customise its approach to risk management to reflect the:
sector it operates in, and the unique challenges and risks faced within that sector
size of the organisation and resources it has to manage risk
culture of the organisation, and its willingness and ability to take calculated risks
appropriate and desired level of sophistication of its risk management capability.
To demonstrate how different organisations may tailor their approach to risk framework development and implementation, we will share the experiences of two fictitious organisations throughout the guide, namely Hamishtown Regional Health (HRH) and Melbourne Education Services (MES).
Hamishtown Regional Health (HRH):
Hamishtown Regional Health (HRH) is a small public healthcare provider based in country Victoria. It operates 40 hospital beds, an emergency ward and an aged care facility on an annual budget of $20 million. Meeting budgetary targets is a constant challenge, in part due to the increasing cost of, and demand for, complex medical procedures needed by the ageing population within the region.
Its staff establishment provides for the equivalent of 50 full time medical staff members and 30 support staff. Currently, 25% of specialist positions are vacant, as many specialists and new graduates prefer to further their careers in larger metropolitan hospitals or in private practice.
The hospital operates at over 90% of capacity throughout the year. However, its aged care facilities are not fully utilised, with occupancy in the last financial year running at 60%.
Although the hospital has recently passed its accreditation review, concerns were raised about HRH’s patient admissions systems, which did not adequately capture information on a patient’s medical history, including current treatment regimes being followed.
There is a private hospital 20 km from HRH and 3 similar public healthcare providers in the region. Hamishtown Regional Health has established co-operative relationships with other regional hospitals/health services, where many of its patients travel to receive specialist medical services not offered by HRH.
The CEO, Bob Brown heads up an executive management team made up as follows:
Director of Medical Services
Director of Nursing
Director of Finance
Director of Corporate Services (HR, IT and Facilities)
Manager, Aged Care Services
Health and Safety Officer
Quality of Care Officer
The organisation does not have a dedicated risk manager or internal auditor. However, periodic reviews have been performed by external consultants and accreditation bodies in areas such as:
Financial management processes (billing, supplier payments and payroll)
WorkSafe Occupational Health & Safety standards
Quality of Care – performance indicators, such as the number of patient falls, medication errors and sentinel events, were reviewed as part of the recent accreditation process, and continue to be recorded and reported on, as required by the Department of Human Services
HRH has recently completed a three year Strategic Plan that has identified the following Strategic Objectives:
1. Ensure high standards of patient care
2. Optimise the use of resources within HRH to ensure future sustainability of service
3. Implement and maintain processes to reduce patient harm or adverse events
4. Ensure that HRH is staffed by appropriately skilled and experienced professionals
5. Promote the sharing of information and research between regional healthcare providers
6. Provide a safe and modern infrastructure to the benefit of staff and patients
MELBOURNE EDUCATION SERVICES (MES):
Melbourne Education Services (MES) is a large regional provider of both higher education and TAFE in the greater Melbourne metropolitan area. Its 25,000+ Australian and international students receive academic and practical education across a full range of academic disciplines at undergraduate and postgraduate level. MES also runs a range of short-term community education and vocational skills training courses.
The organisation's academic and support staff of over 1800 support curriculum development and delivery across nine campuses dispersed across the Melbourne CBD and its surrounding suburbs.
In addition to its core academic services, MES supports other student and community services, including:
Student and Staff Accommodation
Sports Clubs and Facilities
Food and Catering Services
Privately-funded Science and Technology Research Laboratories
Catering and Laundry Services
Inter-campus Transportation
Student Counselling
Community Outreach Programmes
Although MES is a state-funded public institution, which derives the majority of its revenue from the state and student fees, it has managed to expand its funding model to include significant income from its “Grants, sponsorships and endowments” programme that targets private sector institutions and other benefactors.
Vice-Chancellor and President of MES, Sally White, is supported by the MES Council, an Executive Team of 25, as well as a number of Policy, Planning and Operational Committees.
It has been able to deliver an operating surplus for the last 3 years, which it has reinvested in an infrastructure maintenance fund.
MES has identified the following as key priorities during its annual strategic planning process:
1. Use of modern ICT technology to support effective learning techniques
2. Promote MES as a trusted skills provider to the commercial and public sector
3. Effectively utilise financial and other resources to meet demand for services
4. Enhance the ability of MES to attract and integrate foreign students
5. Expand the capacity of MES to meet growing demand for quality TAFE/higher education, particularly in Technology and Business Sciences
6. Ensure quality and relevance of curriculum development, delivery and examination processes
7. Attract top students and researchers to MES
HRH GOVERNANCE:
The organisational chart below illustrates the governance structure for HRH:
[Organisational chart: Board of Management; Chief Executive Officer, with the Audit Committee (& Risk) and the Quality & Patient Care Committee; reporting to the CEO: Director: Corporate Services, Director: Community Services, Director: Finance, Director: Medical Services; Risk & Quality Officer and Facilities Manager, with an indirect reporting line shown.]
HRH has two executive committees, Audit and Quality of Patient Care.
The Audit Committee is comprised of the:
Chairman of the Board of Management
CEO
Director of Finance
Legal Counsel
External Audit firm representative
The Quality of Patient Care Committee is comprised of the:
CEO
All Directors
Deputy Directors of Nursing and Medicine
Quality Officer
Facilities Manager
Due to budgetary constraints and the size of the organisation, it was decided to expand the role of the Quality of Care Officer, who currently has a responsibility for Clinical Risk, to include co-ordinating corporate risk efforts.
HRH has also decided to expand the responsibilities of the current Audit Committee to include risk oversight. To ensure that the expanded Risk and Audit Committee is able to address all aspects of risk, the Directors of Nursing and Medicine have been co-opted onto the Committee.
It has been agreed that the Risk and Audit Committee will focus specifically on reviewing and reporting to the Board on risk every quarter. This decision was taken in conjunction with the Board of Management.
The Risk and Quality Officer will have a standing invitation to attend Committee meetings and will be tasked with:
Co-ordinating the organisation's risk identification processes
Working with functional area management to develop risk response strategies
Reporting on clinical and corporate risks and response strategies
Training all staff and managers in risk management
Overseeing the clinical incident reporting process.
MES GOVERNANCE:
The following outlines the MES governance structure for risk.
MES has appointed a dedicated Chief Risk Officer (CRO) for the organisation, responsible for overseeing all aspects of risk management. Although the CRO’s responsibilities are similar to those of HRH’s Risk & Quality Officer, there are some important distinctions:
The Chief Risk Officer, who reports directly to the MES Vice Chancellor and the Risk Committee, supervises a team of five risk specialists:
An Occupational Health & Safety Manager
A Risk Manager
2 Internal Audit and Compliance Officers
1 IT Security specialist
While these staff also report to operational line managers, the CRO is able to draw on their skills to identify and assess risks and controls, as well as to aid in the design and implementation of risk treatment plans.
The CRO is a member of the Executive Team and is also represented on the following Committees:
Risk Management
Audit
Finance
Facilities and Infrastructure
Policy and Planning
Occupational Health & Safety
Information Technology and Systems
Discussions between the MES Vice Chancellor, Council, Audit Committee and Risk Committee (chaired by the Chief Risk Officer) have resulted in the following being agreed:
That the CRO will present monthly status reports on risk management issues, plans and progress to the Risk Committee and the Executive Team
The Audit Committee will receive a quarterly Risk Progress Report as well as ad hoc reports as requested
Risk Owners will receive monthly status reports on all risks allocated to them for risk treatment or monitoring
The CRO will work with the Project Management Committee to formally identify and track risk on all projects with a capital value in excess of $1,000,000, or those classed as 'Strategic' or 'High Risk' by the Project Committee.
Functional area and operational management will continue to be accountable for the management of risk within their areas of competence. The CRO and her team will provide advisory, co-ordinating and risk reporting services to these managers.
4.2 Implementing a risk management process
4.2.1 Communicate and consult
4.2.1.1 What is it?
Risk communication is generally defined as an interactive process of exchanging information and opinion, involving multiple messages about the nature of risk and risk management. This applies to internal communication within the organisation and to communication with external stakeholders.
Consultation can be described as a process of informed communication between an organisation and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is a process, not an outcome; it affects decision making through influence rather than power, and it is about input to decision making, not necessarily joint decision making.
4.2.1.2 Why do it?
Communication and consultation with internal and external stakeholders are fundamental to effective risk management and should take place at each step of the risk management process as far as necessary.
Effective internal and external communication is important to ensure that those responsible for implementing risk management, and those with a vested interest, understand the basis on which decisions are made and why particular actions are required.
Stakeholders are likely to make judgements about risk based on their perceptions. These can vary due to differences in values, needs, assumptions, concepts, and concerns as they relate to the risks or the issues under discussion. Since the views of stakeholders can have a significant impact on the decisions made, it is important that their perceptions of risk be identified, recorded and integrated into the decision making process.
4.2.1.3 How to communicate and consult
The key steps to communication and consultation are:
establish communication and consultation objectives
analyse stakeholders or recipients of the message
develop key messages and purpose
identify communication owners and senders
identify appropriate channels
determine timing of communication
deliver key messages.
4.2.1.4 Objectives of communication and consultation
Objectives of communication may include:
Building awareness and understanding about a particular issue
Learning from stakeholders
Influencing the target audience
Obtaining a better understanding of the context, the risk criteria, the risk, or the effect of risk treatments
Achieving an attitudinal or behavioural shift in relation to a particular matter
Any combination of the above.
Developing a communication plan is essential to ensure that key messages are delivered effectively to the right people at the right time using the most appropriate channels at every step of the risk management process.
The following diagram illustrates the key elements of a communication plan.
A stakeholder consultation plan helps to ensure that “all bases are covered” when it comes to understanding perceptions around risk and risk management, identifying, analysing and evaluating risks, as well as developing treatment options. The plan is also useful in ensuring the consultation is as inclusive as appropriate.
When implemented effectively, a stakeholder consultation plan should:
appropriately define an organisation’s context (refer to section 4.2.3)
Communication Plan
Stakeholders | Communicators | Responsibility for preparation | Purpose | Content/Message | Method/Delivery | Timing | Frequency
Management Team | CEO | GM Corporate Services and RM consultants | Generate awareness of the risk governance and process development/project implementation; generate support | Expected involvement in the project: who would be interviewed and when; who would be participating in workshops and when; who would likely be in the project team | Email | One week before kick-off (week of 23 April) | One-off
RM Project Team | Consultants | Consultants and RM Project Co-ordinator | Update on progress of the project; address any project issues | Progress on implementation; issues/risks that need to be addressed | Meeting with risk consultants and project team (face to face / by teleconference) | 30 April to 30 July | Weekly
All staff | CEO | CEO | Strategically introduce and position the corporate development projects as part of the risk culture change journey | Intent of the project; anticipated impact, involvement and changes arising from the project | Email or staff meeting (if applicable) | One week before kick-off (week of 23 April) | One-off
All staff | CEO | CEO | Keep staff informed of progress to sustain support for the business excellence journey | Update on plans and process developments, framed within the larger context of the business excellence journey | Email, staff meetings, team meetings | Whole duration of the project | Fortnightly or monthly for brief updates
CEO | RM Consultants | RM Consultants | Kick off the RM project; agree on team/resources, scope, deliverables | Proposed scope, deliverables and templates | Workshop | 30 April | One-off
All stakeholders (see stakeholder plan for detail) | Consultants | Consultants | Gather input for the development of the corporate plan, annual plan and business improvement plan and process development | Views on desired state, challenges, risks and opportunities; expectations of the agency | Workshops and interviews; customer survey | 30 April to 5 May | One-off for each stakeholder
Stakeholders are the audience for the communication of risk and risk management.
Communicators send the message, and should be carefully selected, as perception of the sender influences how people receive the message.
Responsibility for preparation rests with the person who is knowledgeable on the topic and prepares the content of the messages to be delivered.
Purpose sets out the objective of the communication.
Content/Message indicates the key messages to be delivered.
Method/delivery is how the message will be delivered and through what channel(s), e.g. workshop, internet, e-mail, newsletter.
Timing is when the message will be delivered; it is important to have the right timing to ensure people pay attention to the message and are not distracted by other information.
Frequency indicates how often the messages will be delivered, e.g. one-off, weekly, annually.
A stakeholder consultation plan should also:
ensure that the interests of stakeholders are understood and considered
help ensure risks are adequately identified
bring different areas of expertise together in analysing risks
ensure that different views on risks are appropriately considered in evaluating the risks
ensure appropriate change management techniques during the risk management process (refer to section 4.4)
promote "ownership" of risk by managers
engage stakeholders to allow them to appreciate the benefits of particular controls and the need to endorse and support a risk treatment plan.
The following diagram illustrates the basic components of a stakeholder plan:
Stakeholder Consultation Plan
Internal stakeholders | Purpose | Method | Timing | Owner/Facilitator
Chief Executive | Clarify the risk management implementation structure, including the management team and non-executive board charter; identify Chief Executive KRIs (if any); establish the intended scope for risk management; view on the risk universe | Interview | 1 hr (any time in the week of 30 April) | John Smith
Board | Clarify their roles and expectations as part of formalising the risk/corporate governance charter; communicate intended directions for risk management | Workshop | 1.5 hrs (any time in the week of 30 April) | John Smith
Management Team | Generate understanding of and commitment to the corporate governance implementation project; communicate strategic intent and vision | Workshop | 1 hr | CEO
Management Team | Agree on risk management policy/objectives; establish consensus on risk management processes; articulate/translate risks and issues around strategic purpose and vision | Workshop | 1-2 days | RM Consultants
Management Team | Define operational level KRIs that support strategic level KRIs | Workshop | 1 day | RM Consultants
GM Corporate Services | Revisit risks, issues and next steps (finance and procurement); gather views on desired state, opportunities, risks and challenges for the next 3 years | Interview | 1 hr (any time in the week of 30 April) | Mark Anthony
Head of Human Resources | Revisit risks, issues and next steps (HR); gather views on desired state, opportunities, risks and challenges for the next 3 years | Interview | 1 hr (any time in the week of 30 April) | Heather Andrews
Head of Information Management | Gather views on desired state, opportunities, risks and challenges for the next 3 years | Interview | 1 hr (any time in the week of 30 April) | Heather Andrews / Mark Anthony
Staff | Gather views on desired state, opportunities, risks and challenges for the next 3 years | Survey | 2 days (week of 30 April) | Howard Gardner
Staff | Input into individual and team KRIs | Workshops | 2 days (week of 1 June) | Team leaders

External stakeholders | Purpose | Method | Timing | Owner/Facilitator
Minister | Identify expectations of the Agency within the next 3-5 years and to what extent the current/intended corporate plan meets those expectations | Interview | 1 day (including organising) | John Smith
Parliamentary Secretary | Identify expectations of the Agency within the next 3-5 years | Interview | 1 day | Mary Antoinette
Relevant agencies (state and/or Commonwealth) | Identify expected interdependencies for service delivery; expectations for a whole-of-government approach | Interviews | 5 days (including co-ordination) | Mark Anthony
Industry/Experts (companies) | Determine expectations of the Agency; identify any risks and issues with regard to those expectations | Interviews; surveys | 5 days (including co-ordination) | Heather Andrews
Stakeholders are consulted to provide input into the risk management process; this includes both internal and external stakeholders. It is important to have a good representation of stakeholders to generate comprehensive perspectives on risk and risk management.

Purpose sets out the intent or agenda for the consultation.

Method is the approach taken in the consultation, e.g. interviews, surveys, workshops, focused group discussions.

Timing indicates the time required (for budgeting and resourcing purposes) to conduct the consultation; where known, the dates for the consultation are also indicated in this section.

Owner/Facilitator is the person who will administer the consultation process. It is important to choose the right facilitator to make sure an appropriate level of response is generated.
GUIDE-DEVELOPING-RISK-FRAMEWORK 72
Key considerations for effective communication and consultation throughout the risk management process are outlined at the conclusion of each of the following process steps (i.e. Establish the Context, Risk Identification, Analyse Risks, Evaluate Risks, and Treat Risks).
4.2.1.5 References and links
Toolkit reference:
Appendix G: Communication and consultation plan - template
Client Comment:
“I have worked as a risk manager in different organisations and have found that it is very difficult to obtain support for risk management unless I have the backing of the CEO or other senior executives. A simple email or statement by the CEO to staff that stresses the importance of risk management helps to improve staff awareness and participation.
In the past we required staff to complete a 2 page form to report a risk. The form required that information was recorded about the risk, its causes, examples of previous risk events, risk scores, accountabilities, proposed treatment approach and who would monitor the risk. Most staff were intimidated by this process and did not feel comfortable rating risk or proposing risk plans. We have simplified the reporting form, which now requires staff to describe the risk and how it impacts on the organisation or their jobs, together with any other comments or suggestions they wish to make. This process can also be done informally through a phone call or email. Functional area specialists, with input from the risk manager, now take responsibility for assessing and evaluating risks and developing response strategies.
Also, many staff felt that nothing happened with risks or incidents they reported, which resulted in many staff not reporting risks they were aware of. We now use internal communication channels to show staff what has been done to address their particular concerns. We expect this approach to increase participation in risk identification and solution.”
Risk Officer, General Government
4.2.2 Establish the context
4.2.2.1 What is it?
Establishing the context is concerned with understanding the background of the organisation and its risks, scoping the risk management activities being undertaken, and developing a structure for the risk management tasks to follow.
Many of the internal and external parameters that constitute an organisation’s context are similar to those considered when developing the risk management framework (refer to section 4). However, when applied to the risk management process, they need to be considered in greater detail and particularly how they relate to each step of the risk management process.
4.2.2.2 Why do it?
The objective of this step is to provide a comprehensive appreciation of all the factors that may have an influence on the ability of an organisation to achieve its intended outcomes.
The outcome is a concise statement of the organisational objectives and specific criteria for success, the objectives and scope for risk management, and a set of key elements for structuring the risk identification activity in the next stage.
4.2.2.3 How to establish the context
This process requires the following key steps:
understand your external context
understand your internal context
develop your risk management context.
[Figure: the risk management process. Establish Context, Identify Risks, Analyse Risks, Evaluate Risks and Treat Risks in sequence, with Communicate and Consult and Monitor and Review running alongside every step.]
[Figure: Establishing Context. The external context, internal context and risk management context feed the Risk Management Framework: Risk Management Policy, Risk Assessment Criteria and Risk Tolerance.]
External Context
Cultural, political, legal, regulatory, financial, economic and competitive environment, whether international, national or regional
Key drivers and trends having an impact on the objectives of the organisation
Perceptions and values of external stakeholders. It is particularly important to take into account the perceptions and values of external stakeholders and establish policies for communication with these parties.
Internal Context
Capabilities (e.g. capital, people, competencies, processes, systems and technologies)
Information flows and decision making processes
Internal stakeholders
Objectives, and the strategies that are in place to achieve them
Perceptions, values and culture
Policies and processes
Standards and reference models adopted by the organisation
Structures (e.g. governance, roles and accountabilities)
Risk Management Context
Definition of responsibilities
Depth and breadth of the risk management activities to be carried out, including specific inclusions and exclusions
Extent of the project, process, function, or activity in terms of time or location
Project, process, function, or activity and its goals and objectives
Relationship between a particular project or activity and other projects or activities of the organisation
Definition of risk assessment methodologies
How performance is evaluated in the management of risks
What decisions have to be made
Scoping or framing studies needed, their extent, objectives, and the resources required for such studies
i) Understand external context
According to the Standard, the external context defines the external environment in which the organisation operates. It also defines the relationship between the organisation and its external environment as illustrated by the diagram above.
Understanding the external context is important to ensure that stakeholders and their objectives are considered when developing risk management criteria and that externally generated threats and opportunities are captured during the “risk identification” step.
ii) Understand internal context
Understanding the organisation is required before commencing any risk management activity, at any level. According to the Standard, understanding the internal context is important because:
risk management takes place in the context of the goals and objectives of the organisation
the major risk for most organisations is that they fail to achieve their strategic, business or project objectives, or are perceived to have failed by stakeholders
organisational objectives, policies, and processes help define the organisation’s risk management policy, specific objectives and criteria of a project.
Case example: Hamishtown Regional Health (HRH) and Melbourne Education Services (MES)
In order for risk management systems and processes to reflect each organisation's specific needs, the following steps were taken prior to conducting formal risk identification exercises:
Identifying key stakeholders who would need to be involved in risk management communication
Definition of risk categories to reflect the types of risk faced by the organisation
Definition and approval of risk criteria (risk rating scales) to be used when assessing and prioritising risks.
Stakeholders:
The identification of stakeholders will assist to identify stakeholders who may need to be included in risk communication plans, as well as identify those stakeholders who may either be a source of risk for the organisation or that it may work together with, to define or implement risk treatment strategies and plans.
HRH and MES, as public sector organisations, share common stakeholder groups, such as DTF, VAGO and the Press. However, each organisation will have unique stakeholders that reflect its specific industry or sector focus, such as the Curriculum and Assessment Authority that provides services to educational institutions.
The following stakeholders were identified during the definition of HRH and MES's initial risk planning processes.
STAKEHOLDERS
Internal
Common stakeholders: Staff; Management; Executive; Board of Management; Management Committees
HRH-specific: Patients; Doctors; Nurses
MES-specific: Academic Staff; Support Staff; Executive Team; MES Council and Senate; Compliance Committees; Operational Committees; Australian Students; Students; Student Societies
External
Common stakeholders: Local Community; State Government; Community Organisations; Charities; Press; Suppliers; VAGO; DTF; Trade Unions; Other Departments; Education Institutions; WorkSafe
HRH-specific: DHS; Health Services; Minister of Health; ACHS
MES-specific: DEECD; Australian Universities Quality Agency (AUQA); Higher Learning Institutions; Feeder Schools; Minister of Education; Staff Unions (VTA, AEU); Examination Bodies; Victorian Curriculum & Assessment Authority (VCAA)
iii) Develop risk management context
After understanding the internal and external context, the next step is to develop the risk management context for your organisation. The Risk Standard recommends taking into consideration the following when developing your risk management context:
objectives and strategies for risk management
scope, i.e. parts of the organisation where you apply the risk management processes
parameters for risk management activities
resources required
records to be established.
The outcome of this process is to ensure that the risk management approach adopted is appropriate and proportionate to the situation of the organisation and to the risks affecting the achievement of its objectives.
Risk management context application: risk tolerance
Once the risk management context is understood and established, a key output of the process is risk tolerance. Risk tolerance is defined as
…an organisation’s readiness to bear the risk, after treatments in order to achieve its objectives
Organisations are prepared to ‘tolerate’ some risks under certain circumstances in return for specified benefits. Tolerance levels may vary by context and are influenced by the:
ability and willingness of the board and executive to take and manage risks
size and type of organisation
maturity and sophistication of risk management processes and control environments
financial strength of the organisation and its ability to withstand shocks
sector in which the organisation operates.
How do you establish your risk tolerance?
The typical steps involved in establishing and implementing risk tolerance are:
1. Complete an analysis of the organisation's ability to physically and financially recover from a significant event (e.g. risks such as a human influenza pandemic, loss of a major plant or facility, inability to supply or manufacture product, loss of a major business partner, credit crunch, etc.)
2. The above analysis will highlight the need for and importance of contingency plans, financial, physical and human resources, and the importance of controls. From the analysis, determine the tolerance the organisation can bear or accept
3. Management determines the level of tolerance, which should then be endorsed by the board
The risk tolerance levels set by the organisation will be reflected in the risk rating scales used to assess organisational risks.
How do you define risk tolerance levels?
Risk tolerance levels can be defined by dividing risks into a number of bands as appropriate for the organisation (three in this example):
An upper band where adverse risks are intolerable, whatever benefits the activity may bring, and risk reduction measures are essential whatever their cost.
A middle band (or ‘grey’ area) where costs and benefits are taken into account and opportunities balanced against potential adverse consequences.
A lower band where positive or negative risks are negligible, or the costs associated with implementing treatment actions outweigh the costs of the impact of the risk should it occur.
These levels of risk tolerance will help determine the type and extent of actions required to treat risks, and the level of management/board attention required in managing and monitoring the risks. Risk tolerance levels can be practically defined through colour coding of a risk likelihood/consequence matrix. This is illustrated in the following sample risk matrix (or heat map):
Sample Risk ‘Heat Map’
[Figure: a 5 x 5 likelihood/consequence matrix. Likelihood (rows): Rare, Unlikely, Possible, Likely, Almost certain. Consequence (columns): Insignificant, Minor, Moderate, Major, Extreme. Cells are colour-coded to the Low, Medium and High risk ratings below.]
Risk Rating and Escalation
High
Immediate escalation of risk to senior management for prioritised risk and treatment plan response
Weekly reviews of progress by senior management to be undertaken
Medium
Escalation of risk to line management for discussion on appropriate treatment plan response
Monthly monitoring of risk and progress of risk response or treatment plans to be undertaken as part of existing local meetings
Low
No immediate need to develop further treatment plans or response strategies
Bi-monthly monitoring of risk and progress of risk response or treatment plans to be undertaken as part of existing local meetings
Risk management context application: risk criteria
Having established its risk tolerance, the organisation can now develop its risk criteria. The risk criteria take into consideration the risk management context. It is the basis on which risks are analysed and evaluated.
Risk criteria express the organisation’s values, objectives and resources. Some criteria may be imposed by, or derived from, legal and regulatory requirements. Risk criteria should be consistent with the organisation’s risk management policy.
When defining risk criteria, factors to be considered should include the following:
How likelihood will be defined
How the level of risk is to be determined
Nature and types of consequences that may occur and how they will be measured
The level at which risk becomes acceptable
The timeframe of the likelihood and/or consequence
What level of risk may require treatment
Whether combinations of multiple risks should be taken into account.
The following tables illustrate what risk criteria may look like and the key elements included.
Sample Risk Criteria: Consequence
Rating 1, Insignificant
Financial: Loss of under $50,000; budget reduced by less than 5%
Legal: Minor legal issues that could be easily resolved
Safety: First aid treatment only
Environmental: Single incident resulting in no material environmental harm
Service Delivery: Outage of non-critical service for less than 1 day
Rating 2, Minor
Financial: Loss of between $50,000 and $200,000; budget reduced by 5% - 10%
Legal: Minor legal issues, non-compliances and/or breaches
Safety: Minor medical attention required
Environmental: Minor, transient environmental harm
Service Delivery: Outage of non-critical service for 1 - 3 days
Rating 3, Moderate
Financial: Loss of between $200,000 and $1M; budget reduced by 10%
Legal: Serious failure to comply with legislation and regulations; moderate failure in statutory duty
Safety: Significant reversible disability to less than 2 persons
Environmental: Environmental harm that is reversible within 2 years
Service Delivery: Outage of non-critical service for 3 - 7 days
Rating 4, Major
Financial: Loss of between $1M and $5M; budget reduced by 20%
Legal: Major failure to comply with legislation and regulations; partial failure in statutory duty
Safety: Significant irreversible disability to less than 2 persons, or significant reversible disability to greater than 2 persons
Environmental: Environmental harm that is reversible within 5 years
Service Delivery: Outage of non-critical service for 1 - 2 weeks; outage of critical service for less than one day
Rating 5, Catastrophic
Financial: Loss of over $5M; budget reduced by 30%
Legal: Extreme failure to comply with legislation and regulations; severe failure in statutory duty
Safety: Single fatality, or significant irreversible disability to greater than 2 persons
Environmental: Irreversible environmental harm, and/or environmental harm that is reversible within 10 years
Service Delivery: Outage of non-critical service for more than 2 weeks; outage of critical service for one day or more
Notes on the consequence table:
The description rating is defined based on the different levels of impact. The ratings could be from 1-3 or 1-5, or any other variation that is appropriate to the context of the agency.
Consequence criteria will depend on the nature of the agency and its organisational purpose and strategies. In this example there are 5 different criteria.
Customised consequence rating scale for Hamishtown Regional Health (HRH)
Hamishtown Regional Health has customised its consequence scales to reflect its organisational context, in particular its financial criteria, where a loss of greater than $100,000 is rated catastrophic, reflecting its relatively small size and budget. Similarly, its impact descriptions include reference to patient safety and harm, reflecting its core operational focus.
SCORE DESCRIPTION FINANCIAL LOSS REPUTATION LEGAL OPERATIONAL/
Score 1, Insignificant
Financial loss: < $5,000
Reputation: Little or no impact
Legal: Little or no impact
Operational: Little or no impact
Score 2, Minor
Financial loss: $5,000 to $25,000
Reputation: Sporadic localised unfavourable publicity; no impact on staff morale
Legal: Minor delays in meeting legal requirements/fulfilling SLAs etc.
Operational: Inefficiencies and/or delays in delivery of support services and non-critical functions. No impact on patient care standards.
Score 3, Moderate
Financial loss: $25,000 to $50,000
Reputation: Localised negative publicity; short-term impact on staff morale, managed by an appropriate response from the institution's Communication function
Legal: Breach of material terms of key contracts/SLAs. Threat of legal action against the institution, but able to be resolved through negotiation/remedial action.
Operational: Inability to provide key support services according to minimal expected service levels (billing, security, payroll, canteen, staff training etc.). No notable impact on patient care standards. Low probability of patient harm.
Score 4, Major
Financial loss: $50,000 to $100,000
Reputation: Significant/continued negative publicity in local/regional press; low staff morale; intervention of the institution's CEO to answer public concerns
Legal: Noticeable increase in claims and legal liability; most exposures covered by existing insurance cover
Operational: Delays and inefficiencies in core processes and systems impacting significantly on the quality of patient care standards. Increased risk of serious patient injury, disability or sentinel event.
Score 5, Catastrophic
Financial loss: > $100,000
Reputation: Significant/continued negative publicity in national press; loss of key staff; permanent loss of public trust; withdrawal of funding/key grants; intervention of the Minister
Legal: Significant increase in legal exposures/claims; critical services impacted by cancellation of supplier contracts; significant exposures not insured
Operational: Critical processes/systems not available for an extended period. Inability to perform core patient care functions. Prolonged inability to provide basic medical services. High probability of multiple preventable deaths due to interruptions to basic services or staff negligence or malice.
In addition to the above categories, MES also uses the following consequence categories: reputation, health and safety, and business interruption. MES has also set its financial thresholds considerably higher to reflect its larger size (catastrophic: > $5,000,000; insignificant: < $50,000).
Sample Risk Criteria: Likelihood
Rating 1, Rare: No recorded or known incidents. Frequency: expected to occur once every 100 years
Rating 2, Unlikely: Few recorded or known incidents. Frequency: expected to occur once every thirty years
Rating 3, 50/50: Some incidents have been recorded. Frequency: expected to occur once every ten years
Rating 4, Likely: Several incidents have been recorded. Frequency: expected to occur once every three years
Rating 5, Almost certain: Multiple incidents have been recorded. Frequency: expected to occur once a year or more frequently
Notes on the likelihood table:
The rating of likelihood is typically from 1-5; in some cases it is from 1-3.
The descriptor defines what each point on the likelihood scale means.
The description defines in further detail what the rating means in the context of the agency.
The frequency indicates the timeframe within which the event is likely to occur for a given rating.
The following is an example of a customised organisational likelihood scale:
Customised likelihood rating scale for HRH
LIKELIHOOD
SCORE DESCRIPTION
1 RARE Highly unlikely to occur in next 5 years. No history of adverse event in organisation.
2 UNLIKELY Event not likely to occur in next 12 months, but there is a slight possibility of occurrence.
3 POSSIBLE 50/50 chance of the event occurring within the next year. Event is equally likely to occur as not.
4 LIKELY There is a strong likelihood that the event will occur at least once in the next 6-12 months. History of event/s in institution or similar organisations.
5 ALMOST CERTAIN The adverse event will definitely occur, probably multiple times in a year.
Control effectiveness criteria:
When analysing a risk, it is important to understand the effectiveness of current controls that are in place. Controls are systems, processes, policies etc. that are implemented to reduce risk levels, either by reducing the consequence of a risk if it does occur and/or to reduce the likelihood of the risk occurring.
Where controls are operating effectively and as intended, they will reduce the level of risk. Conversely, where a control is not effective, is not working as designed, or there are no controls in place, control effectiveness will be low and the risk level will not be reduced.
In the first instance, managers should be able to make a subjective assessment of the effectiveness of a control using a control effectiveness rating scale such as the one shown below:
Sample Risk Criteria: Control Effectiveness
Good: Nothing more to be done except review and monitor the existing controls. Controls are well designed for the risk, address the root causes, and management believes that they are effective and reliable at all times.
Satisfactory: Most controls are designed correctly and are in place and effective. Some more work is to be done to improve operating effectiveness, or management has doubts about operational effectiveness and reliability.
Poor: While the design of the controls may be largely correct, in that they treat most of the root causes of the risk, they are not currently very effective; or some of the controls do not seem correctly designed, in that they do not operate at all effectively.
Very Poor: Significant control gaps. Either controls do not treat root causes or they do not operate at all effectively.
Uncontrolled: Virtually no credible control. Management has no confidence that any degree of control is being achieved, due to poor control design and/or very limited operational effectiveness.
Notes on the control effectiveness table:
The rating defines each point on the control effectiveness scale. The ratings could be from 1-5 or 1-3, or any other variation that is appropriate in the context of the agency.
The descriptor defines in further detail what the rating means in the context of the agency. It takes into account the effectiveness of both the design and the operation of the controls.
Source: HB 158-2006
GUIDE-DEVELOPING-RISK-FRAMEWORK 83
For example: fire extinguishers and other fire suppression systems are controls that can reduce the consequences (injury and damage) of a fire. Similarly, the risks associated with unauthorised access to confidential records can be reduced by the use of secure document storage systems, including document safes and password-protected databases.
Periodic independent assurance is also needed – to provide an objective view – based on testing of controls – of the adequacy and effectiveness of the controls. Independent verification of control effectiveness can be sought from external and internal auditors.
4.2.2.4 Communication and consultation and monitoring and review activities
The following table describes the steps to follow in establishing and subsequently monitoring and reviewing the organisation’s risk context:
Establish the context: Monitoring and Review
Monitor any strategic changes as identified in the strategic planning cycle. Review the current risk management context to ensure it remains aligned to the strategic intent of the organisation.
Monitor significant changes to business operations. This merits a review of the risk management context in view of potential changes to the internal context.
Monitor any changes in the external environment. Review the current risk management context to ensure that it remains relevant considering the changes.
Workshops once or twice a year with key stakeholders may help to ensure the context for risk management remains relevant.
Establish the context: Communication and Consultation
Identify which stakeholders need to be consulted or taken into consideration in establishing the risk management context.
Using the stakeholder consultation plan template, establish how the organisation will consult these stakeholders.
Examples of consultation processes that may be applicable at this stage include interviews and workshops with key executives.
Articulate the risk management context in the risk management framework and policy which then is signed-off by the board.
Communicate this by presenting it at the executive team meeting.
4.2.2.5 Toolkit references:
Appendix F: Common risk categories for the public sector
Appendix G: Stakeholder communication and consultation plan - template
Appendix J: Risk rating criteria - template
4.2.3 Risk identification
4.2.3.1 What is it?
The Standard defines risk identification as “the process of determining what, where, when, why, and how something could happen”.
4.2.3.2 Why do it?
The objective of risk identification is to generate a comprehensive list of risks based on those events and circumstances that might enhance, prevent, degrade or delay the achievement of the objectives. This list of risks is then used to guide the analysis, evaluation, treatment and monitoring of key risks.
Comprehensive identification and recording is critical, because a risk that is not identified at this stage may be excluded from further analysis. The risk identification process should include all risks, whether or not they are under the control of the organisation.
In identifying risks, it is also important to consider the risks associated with not pursuing an opportunity, e.g. loss of market share.
4.2.3.3 How to identify risks
This section will cover the key steps necessary to effectively identify risks from across the organisation.
These steps are:
i) understand what to consider when identifying risks
ii) gather information from different sources to identify risks
iii) apply risk identification tools and techniques
iv) use risk categories for comprehensiveness
v) document the risks
vi) document the risk identification process
vii) assess the effectiveness of the risk identification process.
[Figure: the risk management process. Establish Context, Identify Risks, Analyse Risks, Evaluate Risks and Treat Risks, with Communicate and Consult and Monitor and Review running alongside every step.]
i) Understand what to consider
The Standard recommends that in order to develop a comprehensive list of risks, a systematic process should be used that starts with the statement of context. To demonstrate that risks have been identified effectively, it is useful to step through the process, project or activity in a structured way using the key elements defined while establishing the context. This can help provide confidence that the process of risk identification is complete and major issues have not been missed.
The process then asks the following questions about each of the key elements:
Risk Identification
What is the source of each risk?
What might happen that could:
- increase or decrease the effective achievement of objectives
- make the achievement of the objectives more or less efficient (e.g. financial, people, time)
- cause stakeholders to take action that may influence the achievement of objectives
- produce additional benefits?
Other considerations: What would the effect on objectives be? When, where, why and how are these risks (both positive and negative) likely to occur? Who might be involved or impacted? What controls currently exist to treat this risk (maximise positive risks or minimise negative risks)? What could cause the control not to have the desired effect on the risk?
ii) Gather information to identify risks
Good quality information is important in identifying risks. The starting point for risk identification may be historical information about this or similar organisations, followed by discussions with a wide range of stakeholders about historical, current and evolving issues; some examples are listed below.
[Figure: a risk is an event (something happens) leading to outcomes expressed in terms of impact on objectives.]

Risk Identification: Tools & Techniques
- Structured interviews
- Audit reports
- Checklists
- Surveys and questionnaires
- Focus groups
- Strategic and business plans
- Post-event reports
- Local and overseas experience
iii) Apply risk identification tools and techniques
The Standard recommends that organisations apply a set of risk identification tools and techniques that are suited to its objectives and capabilities, and to the risk the organisation faces. Relevant and up-to-date information is important in identifying risks. This should include suitable background information where possible. People with appropriate knowledge should be involved in identifying risks.
Approaches used to identify risks could include the use of checklists, judgments based on experience and records, flow charts, brainstorming, systems analysis, scenario analysis, and system engineering techniques. The approach used will depend on the nature of the activities under review, types of risks, the organisational context, and the purpose of the risk management exercise.
Team-based brainstorming, for example in facilitated workshops, is a preferred approach as it encourages commitment, considers different perspectives and incorporates differing experiences.
Structured techniques such as flow charting, system design review, systems analysis, Hazard and Operability (HAZOP) studies and operational modelling should be used where the potential consequences are catastrophic and the use of such intensive techniques is cost effective.
For less clearly defined situations, such as the identification of strategic risks, processes with a more general structure, such as ‘what-if’ and scenario analysis could be used.
Where resources available for risk identification and analysis are constrained, the structure and approach may have to be adapted to achieve efficient outcomes within budget limitations. For example, where less time is available, a smaller number of key elements may be considered at a higher level, or a checklist may be used.
iv) Use relevant risk categories for comprehensiveness
The risk profiles of public sector organisations may differ from that of commercial organisations, given the difference in organisational objectives and stakeholder groups. A possible public sector risk categorisation model is illustrated below:
Public Sector Risk Categories (example categorisation model, reconstructed from the figure in the original; the placement of lower-level items under the four top-level categories follows the figure's layout as far as it can be recovered)

Strategic: Stakeholder (National Government, Victorian Cabinet, Minister, DTF, VAGO, Other Departments/Agencies, Public entities, Trade Unions, Business Partner, Financial Institutions, Public, Internal Audit); Market Structure (Market Dynamics, Competitor, Economic Indicators, Capital Markets, CPIX, Fiscal, Regulatory Framework, PPP & Procurement); Governance (Elements, Principles, Authority & Responsibility, Resource Allocation, Strategic Planning, Ethics, Environment, Reputation, Monitoring, Policies & Procedures); Service Provider; Change Management; Economic; Growth Strategy & Development.

Information: IT Systems (Hardware, Software, Networks, Security, Archiving, Change Management/Control, Business Continuity, IT Strategy & Planning); Intellectual Property; Information Management; Database Planning & Development; Knowledge Management; Intangible Capital/Assets; Operations; Organisation & Monitoring.

Financial: Liquidity & Credit (Collectability, Cash Management & Treasury, Funding); Capital Structure (Equity, Debt); Market (Interest Rate, Foreign Exchange); Reporting (Accounting, Regulatory & Compliance, Budget Implementation, Accounting Norms & Standards, Compliance & Reporting).

Operations: Process (Service Delivery, Supply Chain Management, Transfer Payments, New Service Development, Support Processes, Logistics); Physical Asset (Plant, Estate & Property, Equipment, Fleet, Other Tangibles); People & Culture (Occupational Health & Safety, Skills Development, Human Resources); Legal (Liability, Contract, Legislative & Regulatory, Fraud).
Risk Categorisation Model

HRH:
HRH has agreed on the following risk categories against which to measure risk. It is anticipated that a significant number of risks will fall in the clinical category as this represents the core service delivery area for the health service.

MES Risk Categories:
The MES Risk Committee has developed and approved the following risk categories. In addition to standard risk categories, curriculum-related risk and student support services have been defined as core operational risk areas for the education institution.
The Risk and Audit Committee defined a draft risk categorisation model, which was modified to reflect additional risk categories identified after an initial risk brainstorming session was held with the Executive Team.

Risk Categories (MES)
Strategic: Strategic Planning; Governance; Stakeholder Relations; Legislation & Compliance; Reputation; Business Continuity; Market Conditions; Natural Resources; Quality of Student Outcomes; Innovation & Research; Funding & Sustainability
Operational: Curriculum Development; Curriculum Delivery; Examinations; HR & Training; Occ. Health & Safety; Supply Chain; Legal & Contracts; Asset Management; Facilities Management; Student Support Services; Other
Financial: Budgeting; Liquidity and Credit; Reporting; Capital; Debtors; Fraud & Theft; Grants & Bursaries
IT and Information: System Design; Information Security; Quality of Information; Intellectual Property
v) Document the risks identified
The risks identified during risk identification are typically documented in a risk register that, at this stage in the risk assessment process, includes:
- risk description
- how and why the risk can happen (i.e. causes and consequences)
- the existing internal controls that may reduce the likelihood or consequences of the risks.
It is critically important at this stage to understand the cause-effect relationships between a risk, its causes, and the potential consequences should the risk occur. If the “wrong” risk is identified at this stage (e.g. causes or consequences, rather than the actual risk itself), it will reduce the value of the rest of the risk management process.
Toolkit reference:
Appendix F: Common risk categories for the public sector
The VMIA has found that one of the weakest elements of an organisation's risk framework can be the capturing and defining of risks. It is essential when describing a risk to consider the following three elements:
- description/event: an occurrence or a particular set of circumstances
- causes: the factors that may contribute to a risk occurring or increase the likelihood of a risk occurring
- consequences: the outcome(s) or impact(s) of an event.
It is the combination of these elements that makes up a risk, and this level of detail will enable an organisation to more completely understand the risk.
One can see from the following examples that failure to correctly define your risks will result in flow-on effects to your control identification, mitigation plans and ultimately reporting. It is the old "garbage in, garbage out" analogy.
Below, we have provided some examples of "good" and "bad" risk descriptions:

Example 1: Good Risk Descriptions

Example 2: Poor Risk Descriptions, with an explanation of why each is poor
- Lack of succession planning: this is a lack of a control, not a risk.
- Fines: fines are really the impact on the organisation. Also, the reason for identifying the cause is so that you can identify the right controls; this description is so wide that a control is difficult to define, other than "put in place a full compliance program".
- System not backed up: this is a control failure. Also, an IT failure is not the cause of the system not being backed up; poor work practices are.
vi) Document your risk identification process
In addition to documenting the risks identified, it is also necessary to document the risk identification process itself, to help guide future risk identification exercises and to ensure good practices are maintained by drawing on lessons learned through previous exercises. Documentation of this step should include:
the approach or method used for identifying risks
the scope covered by the identification
the participants in the risk identification and the information sources consulted.
4.2.3.4 Communication and consultation and monitoring and review activities

Risk identification: Monitoring and Review
- Monitor the reliability / currency of the sources of information used to identify risks.
- Monitor any changes / enhancements to the risk identification process over the period.
- Monitor the impact these changes may have on future risk identification exercises.

Risk identification: Communication and Consultation
- Identify the key stakeholders who need to be informed of the risk identification process and how it will be implemented across the organisation.
- Communicate / articulate the risk identification process to ensure all stakeholders are aware of and understand the process.
- Consultation may include:
  o Risk identification consultation plan.
4.2.3.5 References and links:
Toolkit reference:
Appendix I: Common example risks
Appendix F: Common risk categories for the public sector
4.2.4 Analyse risks

4.2.4.1 What is it?
The Standard defines risk analysis as a systematic process to understand the nature of risk and determine the level of risk. The risk analysis step aims to develop an understanding of the risk. It provides an input to decisions on whether risks need to be treated and the most appropriate and cost-effective risk treatment strategies.
[Figure: the risk management process (Establish Context, Identify Risks, Analyse Risks, Evaluate Risks, Treat Risks; Communicate and Consult; Monitor and Review).]

4.2.4.2 Why do it?
Risk analysis is a fundamental component of the risk management process. It helps to guide the evaluation of risks by defining the key parameters of the risk and how these may impact on the achievement of organisational objectives. One of the key outcomes of the risk analysis process is determining levels of risk exposure for the organisation.
In addition, the data and related information collected during the risk analysis process can be used to assist in guiding risk treatment decisions.

4.2.4.3 How to analyse risks
Risk analysis involves the following key steps:
1) identify and evaluate existing control effectiveness
2) determine risk likelihood (probability or frequency of risk occurrence)
3) determine risk consequence (outcome or impact of an event)
4) determine risk level.
The following section on how to analyse risks is structured as follows:
i) identify and evaluate existing controls
ii) determine risk consequence and likelihood
iii) determine overall risk level
iv) document your risk analysis process.

i) Identify and evaluate existing controls
When assessing a risk, it is important to identify what controls are in place to mitigate the risk. Many controls are built into existing business operations and systems.
Examples of controls:
- Controlled physical access (e.g. security codes, access cards, security personnel)
- Employee code of conduct
- Media and public relations strategies/protocols
- Specified training (e.g. software, hazardous substances)
- Automated software controls (e.g. temperature control)
- Policies and procedures
- Standardised business processes
- Insurance
- Quality control management
- Budget management
- Outsourcing functions to specialists
- Formalised contracts and Service Level Agreements
- Audits (internal and external).
Controls should be considered on the basis of:
- design effectiveness: is the control "fit for purpose" in theory, i.e. is the control designed appropriately for the function for which it is intended
- operational effectiveness: does the control work in practice as intended.
In order to understand the level of residual risk remaining after controls have been taken into account, it is essential as part of the risk analysis process to be able to estimate the effectiveness of existing controls.
In the first instance, management should be able to make a subjective assessment as to the effectiveness of the controls using a rating scale such as that contained in section 4.2.2.3. Periodic independent assurance is also needed to provide an objective view, based on testing, of the adequacy and effectiveness of the controls, e.g. internal and external audit.
It is useful to involve staff with an understanding of the controls when rating them. Internal audit, business analysts and operational/financial management can all provide input into control identification and assessment.
A well-designed and implemented control can often mitigate or reduce more than one risk or type of risk.
ii) Determine risk consequence and likelihood
The Standard recommends that the magnitude of the consequences of an event, should it occur, and the likelihood of the event and its associated consequences, should be assessed in the context of the effectiveness of the existing strategies and controls.
Consequences and likelihood may be estimated using statistical analysis and calculations. Where no reliable or relevant past data is available, subjective estimates may be made which reflect an individual's or group's degree of belief that a particular event or outcome will occur.
The most relevant sources of information and techniques should be used when analysing consequences and likelihood.

Sources of information:
- Past records
- Practice and relevant experience
- Relevant published literature
- Market research
- The results of public consultation
- Experiments and prototypes
- Economic, engineering or other models
- Specialist and expert judgements.

Techniques:
- Structured interviews with experts in the area of interest
- Use of multi-disciplinary groups of experts
- Individual evaluations using questionnaires
- Use of models and simulations.
Types of Analysis
Risk analysis may be undertaken to varying degrees of detail depending upon the risk, the purpose of the analysis, and the information, data and resources available. Analysis may be qualitative, semi-quantitative or quantitative, or a combination of these, depending on the circumstances.
The order of complexity and costs of these analyses, in ascending order, is qualitative, semi-quantitative and quantitative. In practice, qualitative analysis is often used first to obtain a general indication of the level of risk and to reveal the major risk issues. Later it may be necessary to undertake more specific or quantitative analysis on the major risk issues.
The form of analysis should be consistent with the risk evaluation criteria developed as part of establishing the risk management context (see section ABC).

Qualitative Analysis
- Use of words to describe the magnitude of potential consequences and the likelihood that those consequences will occur
- Scales can be adjusted to suit the different circumstances, and different descriptions may be used for different risks
- Typically used in presenting the overall risk profile, i.e. heat map

Semi-quantitative Analysis
- Use of nominal ranking scales, i.e. values are assigned to likelihood and consequence scales
- Numbers should only be combined using a formula that recognises the limitations of the kinds of scales used
- Scales are context-specific
- Typically used in prioritising risks based on numerical ranking

Quantitative Analysis
- Use of numerical values for both consequences and likelihood
- Quality of analysis depends on the accuracy and completeness of the numerical values used
- Consequences may be determined by modelling the outcomes of an event or set of events, or by extrapolation from experimental studies or past data
- Typically used in deriving financial risk reserves

[Figure: 5 by 5 risk matrix with Consequence (Low, Minor, Moderate, High, Extreme) across and Likelihood (Rare, Unlikely, Moderate, Likely, Almost Certain) down, with risks 1 to 15 plotted; illustration to be updated.]
Semi-quantitative example: Consequence 4 (out of 5), Major; Likelihood 2 (out of 5), Unlikely; Overall risk = 4 * 2 = 8 (out of 25).
Quantitative example: Likelihood 50% (within 1 year), Possible; Consequence $120,000, Significant; Overall risk exposure = 50% * $120,000 = $60,000.
Before you determine the overall risk rating you will need to determine the level of likelihood and consequence for each risk. Each organisation will need to establish its own likelihood and consequence tables. An example risk consequence scale is shown below:
The categories below are potential categories only; from the review of the risk universe of the organisation, consider those risks most applicable for the particular organisation.

Risk Analysis: Sample Consequence Scale
Rating (highest to lowest): Fundamental; Major; Moderate; Minor; Insignificant
Consequence categories (one description column each): Financial; Service Quality; Reputation; People & Knowledge; Stakeholders; Compliance, Governance & Legal; Systems & Processes
Each cell of the table describes what the rating means for that consequence category in the organisation's own terms.
It is also necessary to establish your likelihood table. A generic sample is noted below.

Risk Analysis: Sample Likelihood Scale
Rating | Descriptor | Frequency description/s
5 | Almost Certain |
4 | Likely |
3 | Possible |
2 | Unlikely |
1 | Remote |

iii) Determine the overall risk rating
Once you have rated the likelihood and consequence, combine the two to determine the overall risk rating.
Based on the risk analysis, risks are classified by level to determine the appropriate level of response to those risks. Specific responses are defined in the "Treat Risks" phase.

Risk Analysis: Sample Risk Severity Rating Scale
Qualitative rating | Score | Likely response

SEVERE/EXTREME | 15-25 |
- Immediate escalation of risk to senior management/Executive for prioritised response and treatment plan development.
- Incorporate management of risk into established strategic governance and operational processes.
- Allocate accountability for responding to risk to the individual responsible for overseeing risk treatment/s.

HIGH | 10-14 |
- Develop risk response strategies as part of risk management and operational processes.
- Ongoing monitoring of risk and progress of risk response or treatment plans.
- Allocate accountability for responding to risk to the individual responsible for overseeing risk treatment/s.

MODERATE | 5-9 |
- Regular monitoring and re-evaluation of potential risk and any factors that may increase consequence or likelihood of occurrence.
- Allocate accountability for responding to risk to the individual responsible for overseeing risk treatment/s as resources/circumstances permit.

LOW | 1-4 |
- No immediate response required. Risk ownership may not be allocated. Could be excluded from risk monitoring activities. Infrequent re-evaluation of risk.
iv) Document your risk analysis process
Documentation of the risk analysis process provides a record of how risks were analysed in previous periods, thereby informing future risk analysis exercises. A key outcome of documenting the risk analysis process is enabling accurate tracking of risks over time using this historical reference data.
Documentation should include:
- key assumptions and limitations
- sources of information used
- explanation of the analysis method, and the definitions of the terms used to specify the likelihood and consequences of each risk
- existing controls and their effectiveness
- description and severity of consequences
- the likelihood of these specific occurrences
- resulting level of risk.
Detailed documentation may not be required for very low risks; however, a record should be kept of the rationale for initial screening of very low risks.

4.2.4.4 Communication and consultation and monitoring and review activities

Analyse risks: Monitoring and Review
- Monitor the implementation of each step of the risk analysis process to test for currency and appropriateness for the organisational context.
- Monitor the effectiveness and relevance of controls. Is the assessment of control effectiveness being done in a consistent way?
- Monitor the approach used to determine likelihood and consequence for each risk. Is the approach still relevant / effective?

Analyse risks: Communication and Consultation
- Identify the key stakeholders who need to be informed of the results of the risk analysis process.
- Communicate the results. Ensure those with risk ownership / reporting responsibilities are informed of the results of the risk analysis.
- Communicate any necessary/proposed changes in the risk analysis approach.
- Consultation may include:
  − Meetings / focus groups
  − Strategic Planning
  − Internal Memorandum

Toolkit reference:
Appendix E: Risk rating criteria (likelihood and consequence) - template
Appendix D: Risk management procedure - template
4.2.5 E
4.2.5.1
ll exposure against the e.
4.2
mes of risk analysis, atments.
The output of a risk evaluation generally consists of a prioritised list of risks
g key steps are involv
valuate risks
Communicate and Consult
What is it?
Risk evaluation involves comparing a risk’s overaorganisation’s risk toleranc
This allows the determination of whether further controls are required to bring the risk within a level acceptable to the organisation. The output of the risk evaluation phase is a prioritised list of risks.
.5.2 Why do it?
Consistent with the Risk Management Standard, the purpose of risk evaluation is to make decisions, based on the outco
bout which risks need treatment and to prioritise trea
that require further action.
4.2.5.3 How to evaluate risks?
The followin ed in evaluating risks:
i) Rank the risks based on th
ii) Consider the overall risk
iii) Develop a list of priority
e outcome of the risk analysis process
profile
risks.
i) Rank the risks
Risks can be ranked either qualitatively or quantitatively.
Applying qualitative analysis, you can rank the risks using a heatatrix with each colour indicating the
map. The level of
th This ntext”, as it
is a part of the organisation’s ris
heat map is a colour-coded mrisk. This heat map representswould have been developed in the e
e tolerance level of your organisation. arlier phase of “Establish Co
k management context.
Identify Analyse isks
Evaluate Risks
Treat Risks
Establish Risks RContext
GUIDE-DEVEL
Monitor and Review
Based on the control effectiveness rating, likelihood of the risk occurring and ences identified in the earlier phase, plot the risks against
Applying semi-quantitati
potential consequthe matrix. The completed matrix is your risk profile.
ve analysis, the organisation can also rank the risks based on their numerical value. The numerical value is a combination of the values assigned by the organisation to control effectiveness, likelihood and consequence.
The most common approach to visu rding risk is using a 5 by 5 heat map as illustrated below. A risk heat map is sometimes referred to as a risk matrix.
ally reco
[Figure: Risk Profile / Risk Ranking: Heat Map Example. A 5 by 5 matrix with Likelihood (Rare, Unlikely, Moderate, Likely, Almost Certain) on the vertical axis and Consequence (Low, Minor, Moderate, High, Extreme) on the horizontal axis; cells are coloured Low Risk, Moderate Risk, Significant Risk, High Risk or Extreme Risk, and risks 1 to 20 are plotted by number.]
Some organisations use the following matrices to create a heat map:
3 by 3
4 by 4
4 by 3
4 by 5
The matrices you select will reflect your organisation’s risk rating scales. For example: If your risk consequence and likelihood used 3 point scales, such as those shown below, a 3 by 3 heat map would be appropriate:
SCORE LIKELIHOOD CONSEQUENCE
1 Unlikely Low
2 Possible Moderate
3 Likely Severe
Example Risk Profile for HRH
[Figure: a 5 by 5 heat map with Likelihood (Rare, Unlikely, Possible, Likely, Almost Certain) on the vertical axis and Consequence (Insignificant, Minor, Moderate, Major, Catastrophic) on the horizontal axis, with the ten risks listed below plotted by number.]
RISK NO. RISK DESCRIPTION
1 Failure to maintain ACHS accreditation
2 Patient harm suffered as a result of slips, trips and falls
3 Inability to attract suitably qualified nursing staff
4 Declining demand for maternity services as a result of aging population in the area
5 Severe damage to HHS facilities as a result of a natural disaster (flood, fire etc.)
6 Billing errors as a result of staff mistakes, resulting in inaccurate patient bills or revenue not being collected.
7 Unauthorised disclosure of patient confidentiality resulting in potential legal liabilities
8 Damage to medical equipment as a result of improper use
9 Inability to meet increasing demand for aged care services
10 Incorrect diagnosis or medication errors resulting in patient harm
ii) Consider the overall risk profile
Once the initial risk profile has been developed, the organisation may need to consider how each risk ranks in relation to the other risks. This step allows the organisation to conduct a “sanity check” of the risks that have been placed on the heat map to ensure that risks are rated correctly when compared to each other (e.g. “Risk manager may be off sick with flu” is not rated the same as “Project objectives may not be met”).
Possible outcomes of this step include:
The organisation may reassess the rating of some of the risks if it is felt that the overall spread of the risks relative to each other is not a true reflection of reality
The organisation may recognise that some risks are similar to the other risks, or are contributing factors to other risks. Hence they may be incorporated into the risk description of other risks within the risk register
The organisation may consider the interdependencies between the risks and consider the consequence on the organisation if more than one risk occurred at the same time. This may result in changes to the overall risk ratings.
iii) Develop priority list of risks
The primary objective of evaluation is to prioritise risks. This helps to inform the allocation of resources to manage risks, both non-financial and financial.
The priority list can be categorised by a number of different criteria dependent on what is most relevant for the organisation e.g. risk rating, functional area or by type of impact (i.e. strategic or operational). This will further refine the focus for risk treatment.
4.2.5.4 Communication and consultation and monitoring and review activities
Evaluate risks: Monitoring and Review
Monitor consistent application
Evaluate risks: Communication and Consultation
Identify the stakeholders who need to be informed of the risk treatment process.
Communicate the outcomes of the risk evaluation process (e.g. the prioritisation of risks)
Methods of communication may include:
− Minutes from relevant risk evaluation meetings / focus groups
Consultation may include:
− Focus groups involving risk owners and those with risk reporting responsibility
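As an added example (not from the guide), the semi-quantitative ranking of steps i) to iii) worked through in Python: each risk's score combines likelihood, consequence and control effectiveness, the scores are plotted on a 5 by 5 heat map, and the prioritised list is compared with the organisation's tolerance band to see which risks go forward to treatment. The scales, control weights, rating bands and the register's ratings are assumptions; the risk descriptions are taken from the HRH example above.

```python
from dataclasses import dataclass

# Assumed 5-point scales (the labels are those on the HRH heat map); index + 1 is the score.
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
# Assumed control-effectiveness weighting: weaker existing controls raise the residual score.
CONTROL_WEIGHT = {"Effective": 0.5, "Partially effective": 1.0, "Ineffective": 1.5}
# Assumed rating bands over the weighted score, highest band first.
BANDS = [(20, "Extreme"), (15, "High"), (10, "Significant"), (5, "Moderate"), (0, "Low")]
RANK = {name: i for i, (_, name) in enumerate(reversed(BANDS))}  # Low = 0 ... Extreme = 4


@dataclass(frozen=True)
class Risk:
    number: int
    description: str
    likelihood: str
    consequence: str
    controls: str


def score(risk: Risk) -> float:
    """Semi-quantitative value: likelihood x consequence x control-effectiveness weight."""
    likelihood = LIKELIHOOD.index(risk.likelihood) + 1
    consequence = CONSEQUENCE.index(risk.consequence) + 1
    return likelihood * consequence * CONTROL_WEIGHT[risk.controls]


def rating(risk: Risk) -> str:
    """Map the score onto the colour band of the heat map."""
    value = score(risk)
    return next(name for floor, name in BANDS if value >= floor)


def heat_map(risks):
    """Step i: grid[row][col] holds the risk numbers plotted in that cell.
    Row 0 is 'Almost Certain' and column 0 'Insignificant', so the grid reads like the figure."""
    grid = [[[] for _ in CONSEQUENCE] for _ in LIKELIHOOD]
    for risk in risks:
        row = len(LIKELIHOOD) - 1 - LIKELIHOOD.index(risk.likelihood)
        grid[row][CONSEQUENCE.index(risk.consequence)].append(risk.number)
    return grid


def render_heat_map(risks) -> str:
    """Plain-text rendering of the 5 by 5 risk profile."""
    lines = []
    for label, row in zip(reversed(LIKELIHOOD), heat_map(risks)):
        cells = ["{:>7}".format(",".join(map(str, cell)) or ".") for cell in row]
        lines.append(f"{label:>15} |" + "".join(cells))
    lines.append(" " * 16 + "|" + "".join(f"{c[:7]:>7}" for c in CONSEQUENCE))
    return "\n".join(lines)


def priority_list(risks):
    """Step iii: highest rating first, then highest score, then risk number."""
    return sorted(risks, key=lambda r: (-RANK[rating(r)], -score(r), r.number))


def needs_treatment(risks, tolerance: str):
    """Risks rated above the organisation's tolerance band go forward to risk treatment."""
    return [r for r in priority_list(risks) if RANK[rating(r)] > RANK[tolerance]]


# Constructed register: descriptions from the guide's HRH example, ratings made up here.
REGISTER = [
    Risk(1, "Failure to maintain ACHS accreditation", "Possible", "Major", "Partially effective"),
    Risk(2, "Patient harm suffered as a result of slips, trips and falls", "Likely", "Minor", "Partially effective"),
    Risk(3, "Inability to attract suitably qualified nursing staff", "Possible", "Moderate", "Partially effective"),
    Risk(5, "Severe damage to HHS facilities as a result of a natural disaster", "Rare", "Catastrophic", "Effective"),
    Risk(7, "Unauthorised disclosure of patient confidentiality", "Possible", "Major", "Ineffective"),
    Risk(10, "Incorrect diagnosis or medication errors resulting in patient harm", "Unlikely", "Catastrophic", "Partially effective"),
]

if __name__ == "__main__":
    print(render_heat_map(REGISTER))
    for r in priority_list(REGISTER):
        print(f"{r.number:>3} {rating(r):<12} {score(r):>5} {r.description}")
    print("Require treatment (tolerance = Moderate):",
          [r.number for r in needs_treatment(REGISTER, "Moderate")])
```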
4.2.6 Treat risks
4.2.6.1 What is risk treatment?
Risk treatment involves identifying the range of options for treating risks, assessing these options and the preparation and implementation of treatment plans.
Risk treatment may involve a cyclical process of assessing a risk treatment, deciding that current risk levels are not tolerable, generating new risk treatment/s, and assessing the effect of that treatment until a level of risk is reached which is one which the organisation can tolerate based on the agreed risk criteria.
4.2.6.2 Why treat risks?
A key outcome of the risk evaluation process is a list of those risks requiring further treatment, as determined by the overall level of the risk against the organisation’s risk tolerance levels. However, not all risks will require treatment as some may be accepted by the organisation and only require occasional monitoring throughout the period.
The risks that fall outside of the organisation’s risk tolerance levels are those which pose a significant potential impact on the ability of the organisation to achieve set objectives. The purpose of treating risks is to minimise or eliminate the potential impact the risk may pose to the achievement of set objectives.
4.2.6.3 How to treat risks
Treating risks involves the following key steps, each of which is covered in detail in this section:
identify risk treatment options
select risk treatment options
assign risk ownership
prepare risk treatment plans
i) Identify risk treatment options
Risk treatment design should be based on a comprehensive understanding of how risks arise. This includes understanding not only the immediate causes of an event but also the underlying factors that influence whether the proposed treatment will be effective.
Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances.
Risk Treatment Options
Retain the risk: Accept the impact of the risk
Share/ transfer the risk: Transfer ownership and liability to a Third party (e.g. Insurance)
Change the consequence: Undertake actions aimed at reducing the impact of the risk
Change the likelihood: Undertake actions aimed at reducing the probability of the risk occurring
Avoid the risk: Change business processes or objectives so as to avoid the risk
ii) Select options for treatment
The Standard recommends that consideration be given to the cost of the treatment as compared to the likely risk reduction that will result. For example, if the only available treatment option would cost in excess of $10M to implement and the cost impact of the risk is only $5M, it may not be advisable.
In order to understand the costs and benefits associated with each risk treatment option, it is necessary to conduct a cost-benefit analysis.
Basic cost benefit analysis:
Define, or break down, the risk into its elements by drawing up a flowchart or list of inputs, outputs, activities and events.
Calculate, research or estimate the cost and benefit associated with each element. (Include if possible direct, indirect, financial and social costs and benefits).
Compare the sum of the costs with the sum of the benefits.
Cost Benefit Analysis Example:
An HR manager has a risk of “Ineffective records management leads to loss of employee data”. As a treatment strategy she is deciding whether to implement a new personnel management and payroll system. The HR department has only a few computers and are not highly computer literate. She is aware that computerised information will allow more accurate analysis of data and give a higher quality of reliability and service to internal customers.
Her financial cost/benefit analysis is shown below:
Costs:
New computer equipment: 10 PCs with supporting software @ $2,450 each
1 server @ $3,500
3 printers @ $1,200 each
Cabling & Installation @ $4,600
Payroll Software @ $15,000
Training costs:
Computer introduction - 8 people @ $400 each
Keyboard skills - 8 people @ $400 each
Payroll System - 4 people @ $700 each
Other costs:
Lost time: 40 man days @ $200 / day
Total cost: $68,400
Benefits:
Doubling of payroll capacity: estimate: $40,000 / year
Improved efficiency and reliability of client service: estimate: $50,000 / year
Improved accuracy of customer information: estimate: $10,000 / year
Reduction of payroll and processing effort: $30,000 / year
iii) Assign risk ownership
The CEO and/or the Executive Management Committee typically allocate responsibility for risk to an operational or functional area line manager.
Assigning Risk Ownership: Example
RISK TYPE: RISK OWNER
Strategic: Chief Executive Officer
Finance/Budgeting: Finance Manager / Chief Financial Officer
Health and Safety: Facilities Manager or Human Resources Manager
Business Continuity: Risk Officer or Facilities Manager
Reputational: Chief Executive Officer / Communications Manager
IT and Systems: IT Manager
Human Resources: Human Resources Manager
Risk owners nominated by executive management should assume responsibility for developing effective risk treatment plans. The risk owner should be a senior staff member or manager with sufficient technical knowledge about the risk and/or risk area for which a treatment is required.
The risk owner will often delegate responsibility (but not accountability) to his/her direct reports or consultants for detailed plan development and implementation.
iv) Prepare treatment plans
Once treatment options for individual risks have been selected, all treatment options should be consolidated into risk action plans and/or strategies. As one risk treatment may impact on multiple risks, treatment actions for different risks need to be combined and compared so as to identify and resolve conflicts between plans and to reduce duplication of effort.
Treatment plans should:
identify responsibilities, schedules, the expected outcome of treatments, budgets, performance measures and the review process to be set in place
include mechanisms for assessing and monitoring treatment effectiveness, within the context of individual responsibilities and organisational objectives, and processes for monitoring treatment plan progress against critical implementation milestones. This information should all arise from the treatment design process
document how, practically, the chosen options will be implemented.
The successful implementation of the risk treatment plan requires an effective management system that specifies the methods chosen, assigns responsibilities and individual accountabilities for actions, and monitors them against specified criteria. Communication is a very important part of treatment plan implementation.
4.2.6.4 Communication and consultation and monitoring and review activities
Treat risks: Monitoring and Review
Monitor / test the effectiveness of risk treatment plans: Does the risk require further treatment – Y/N?
Monitor the utilisation of resources for the treatment of risks. Is the need for resources greater for treating other risks?
Continually monitor changes in risk levels (reflected in changes to risk ratings) over time.
Treat risks: Communication and Consultation
Identify the stakeholders who need to be informed of the risk treatment process.
Communicate the risk treatment plan to relevant stakeholders. This should specify who is responsible for risk treatments, timeframe for completion and resources available.
Communicate changes to risk ratings (risk levels) over time to inform further risk treatment decisions and identify successes in managing risk.
Communicate any urgent changes required to further reduce risk levels.
Consultation may include:
− Focus group discussions
− Internal Audit findings
Toolkit Reference:
Appendix J: Risk assessment - template
4.2.7 Monitor and review
4.2.7.1 What is monitoring and review?
Monitoring and reviewing risk management involves:
analysing and learning lessons from events, changes and trends
detecting changes in the external and internal context including changes to the risk itself which may require revision of risk treatments and priorities
ensuring that the risk control and treatment measures are effective in both design and operation.
Monitoring and review is an essential and integral part of managing risk, and is one of the most important steps of the risk management process. It is necessary to monitor risks, the effectiveness and appropriateness of the strategies and management systems set up to implement risk treatments and the risk management plan and system as a whole.
4.2.7.2 Why do it?
Regular monitoring throughout the risk management process is necessary to:
ensure currency of risk information - the environment in which the organisation is operating is constantly changing and so therefore are its risks. If risk information is inaccurate, it may cause the organisation to make poor decisions it could otherwise have avoided
ensure effectiveness and adequacy of risk management processes
continuously evolve to desired levels of risk management maturity
continuously improve, adopting better practices and developments in risk management.
4.2.7.3 How to monitor and review
The key steps to Monitor and Review are:
i) understand the different types and levels of monitoring and review
ii) establish your monitoring and review cycle
iii) measure risk management performance.
i) Understand different levels and types of monitoring and review
Different types of monitoring and review will be dependent on the type of decisions made around risks and risk management. This also implies varying levels of frequency and aggregation of risk information depending on the purpose of the review:
At the task level, routine measurement or checking of particular parameters (for example pollution levels, or cash flows) is often required through continuous (or at least frequent) monitoring.
At the functional or operational level, line management reviews risks and their treatments on a regular basis. Risks are reviewed within a predefined scope and prioritised according to agreed criteria.
At an organisational level, a risk function, manager or committee reviews enterprise-level risks. At this level of monitoring, relevance and alignment to organisational strategies are reviewed. The risk management framework is also reviewed at this level.
Monitoring and review of risk management framework
The context of risk management needs to be reviewed at enterprise level. This may include ensuring the currency of the organisation’s risk criteria, risk tolerance, risk categories.
The maturity of the risk management framework in terms of design and implementation could be monitored through tools such as surveys and benchmarking, comparing against latest risk management better practices. Maturity of risk management can be monitored comparing the current level of maturity and the desired level of maturity at regular intervals (i.e. annually).
ii) Establish your monitoring and review cycle
The monitoring and review cycle will vary depending on the context of risk management and an organisation’s risk management strategy. Typically, on an annual basis, the entire risk profile will be reviewed by the Risk & Compliance Committee (or equivalent); however this may be more frequent if major business changes are occurring.
Every three years the risk management framework and associated documentation will be reviewed either as part of the internal audit process, or by an independent third party.
4.2.7.4 Measuring risk management performance
Performance Indicators (PIs) are quantitative measures of the level of performance of a given item or activity. They need to be measurable and appropriate to individual business units and hold individuals accountable while forming the basis for continuing improvement.
Organisations should use their normal organisational planning processes to generate performance measures for the risk management system and processes. The performance indicators should reflect the range of key organisational objectives defined when the context was established at the start of the process. Performance indicators may monitor outcomes (for example, specific losses or gains) or processes (for example, consistent performance of risk treatment procedures).
Normally a blend of indicators is used, however outcome performance indicators usually significantly lag the changes that give rise to them, so in a dynamic environment operational process indicators are likely to be more useful.
Performance indicators should reflect the relative importance of risk management actions, with the greatest effort and focus applied to:
the highest risks
the most critical treatments or other processes
treatments or processes with the greatest potential for improvements in efficiency.
In choosing performance indicators, it is important to check that:
they are reasonably able to be measured
they are efficient in terms of demands on time, effort and resources
the measuring process/surveillance encourages or facilitates desirable behaviours and does not motivate undesirable behaviours (such as fabrication of data)
those involved understand the process and expected benefits and have the opportunity to input to the procedure
the results are captured and reported in a form that will facilitate learning and improvement.
Risk management performance indicators may be included in risk management reports to senior management and the Board.
Risk management monitoring and review should also include an attestation process. Attestation is a formal reporting and sign-off in the Annual Report on the organisation’s risk management implementation. The attestation process is described in further detail in section 5.2.
4.3 Risk and Risk Management Reporting
Risk reporting is the regular provision of appropriate risk-related information to stakeholders and decision-makers within an organisation in order to support understanding of risk management issues and to assist stakeholders in performing their duties within the organisation.
4.3.1 The need for risk reporting
Successful risk management requires frequent and open communication with a broad group of internal and external stakeholders. This makes risk reporting and the definition of a risk communications and reporting plan a key component of an organisational risk management (or ERM) programme.
Effective risk reporting also contributes to good corporate governance by providing reliable and current information to Boards, senior managers and other stakeholders regarding the risks faced by the organisation as well as the treatment plans in place to manage these risks. The Board of a public entity is also required to inform the Minister and department head of known major risks.
The availability of this information can be used to support management decision-making during strategic planning and operational management processes.
4.3.2 Foundations of good reporting
The following principles should be remembered when developing a risk reporting solution:
The quality of risk reporting is dependent on a fully functioning risk management system. Incomplete or unreliable risk identification, assessment, prioritisation and treatment outputs will reflect in poor reporting outputs.
There is no single risk report that meets the needs of all stakeholders. Reports should be developed and customised to reflect the needs and preferences of the target audience and its purpose. Seek input from stakeholders before implementing a risk reporting solution, as this should be part of existing reports and reporting frameworks.
Although all organisations need to report on risk to various stakeholder groups, organisations with more mature and sophisticated risk management frameworks will typically produce a number of customised risk reports to meet the needs of different stakeholder groups throughout the year.
Avoid providing too much or too little information in risk reports. Senior Management and the Board will typically prefer a summary of risks and risk trends, focusing on high risk and strategic issues across the organisation, while those involved in managing specific risks will require detailed information covering their areas of responsibility.
4.3.3 The audience for risk reporting
Risk reports should be delivered to a broad spectrum of organisational stakeholders. Typical recipients of regular formal risk reports should include:
– CEO and Board of Directors.
– Business unit heads of all major business functions.
– Compliance committees (notably Internal Audit and Risk Management).
– Staff directly responsible for designing and implementing risk management treatments.
– Employees who need to assist in the identification of risk and the implementation of risk plans.
– Government ministries and agencies.
– The public (through access to Annual Reports and press releases).
A single person, typically the risk manager, should be responsible for co-ordinating and drafting risk reports to ensure consistency in standards and format.
Risk reporting can be automated using risk management software such as the VMIA’s Risk Register, Cura, Riskman etc. However, it is still important to ensure that reporting formats meet stakeholder requirements.
The risk process should ensure that risks are linked to strategic objectives. This helps to report on risk within a strategic organisational context.
4.3.4 Frequency of risk reporting
At a minimum, an organisation should update and report on its risk profile on an annual basis. While an annual reporting and update cycle may meet statutory requirements, effective risk management typically requires more frequent reporting on risk.
The frequency of risk reporting should reflect the cycle of the organisation’s regular internal reporting. Where the Executive receives monthly or quarterly progress reports on Financial, Operational, Health and Safety or IT matters, they may wish to receive similar risk reports.
Typical reporting frequency for various risk report types is outlined in the following table:
STRATEGIC/ OPERATIONAL | TYPE OF REPORT | RECIPIENT/S | SUGGESTED FREQUENCY
STRATEGIC | Risk Management Statement in Annual Report | External Parties; Public | Annually
STRATEGIC | Risk Report to Audit/ Compliance Committee/s | Audit Committee; Internal Audit; Executive Management | Based on required Audit Committee frequency
STRATEGIC | Board Risk Reports | Board of Directors; CEO; Compliance Committees | Quarterly or bi-annually
STRATEGIC | Risk Committee Reports | Risk Committee; CEO; Internal Audit | Monthly or Quarterly
OPERATIONAL | Operational Risk Reports (including Clinical Risk) | Functional Area Manager/s; Project Managers; Staff responsible for implementing risk solutions | Based on organisational type: Monthly or Quarterly
OPERATIONAL | Risk Events/Adverse Events Summary | Risk Manager; Line Management | Monthly or Quarterly (all adverse events recorded immediately following event)
OPERATIONAL | Staff Communications (on risk initiatives; following adverse event/s) | Employees; Key Suppliers | Ad hoc basis, as required
4.3.5 Types and content of risk reports
The information within risk reports is drawn from the risk register of the organisation. By filtering the information within the risk register, it is possible to draft a number of reports tailored to suit the needs of the various recipients. The following table illustrates the different types of reporting:
REPORT TYPE | COMMENT
STRATEGIC
Annual Report Attestation | Boards/CEOs and Secretaries that are accountable for the risks of their organisations are required to attest in the annual report that: organisations have risk management processes in place consistent with the [4360] Standard, and that: These processes are effective in controlling risks to a satisfactory level; A responsible body or audit committee verifies that view. This attestation is often accompanied by information for external stakeholders about key risks within the organisation and approaches to addressing these risks.
Top Risks/ Strategic Risks | These reports contain a prioritised list of the top 10 to 20 risks based on consequence and likelihood scores. Typically they include details about the risk, information on key controls and their effectiveness and additional treatments needed with timeframes.
Risk Trends | When risks are regularly reassessed, it is possible to: Define target risk levels for key risks; Identify which risks are getting worse or where treatments are reducing risk exposures; Identify risk areas that need additional attention; and Demonstrate the success of treatment plans.
New and/or Emerging Risks | By sorting risks according to when they were identified, it is possible to easily report on new risks that may still need to be fully considered and understood. From an emerging risks perspective, types or categories of risks that may begin to emerge over the next 2-3 years or longer should be identified and captured. Details at this stage may only include information regarding what research is being undertaken into the risk, and who is responsible.
Risks with Ineffective Controls | By identifying significant/ extreme risks with ineffective controls, the Board and Executive are able to identify potential points of business failure that need urgent interventions or resource support.
Risk Categories/ Risk Types | In order to identify the main areas of exposure, it is helpful for Boards to understand where the majority of risk exposures originate. For example, what proportion of risks are Financial, Operational, Strategic, or Compliance related. This information is typically incorporated into the report types listed above. The detail behind these summary reports can also be provided to functional area management and specialists responsible for managing specific types of risk.
OPERATIONAL
Unallocated Risks | By grouping all risks that have not been allocated to a responsible person for follow-up and response, management can identify key risks that are not being effectively monitored and managed.
Risk Owner/Person Responsible | By filtering the report by the risk owner, it allows those responsible to view risk treatments that they need to oversee or develop.
Risk Treatments Due or Overdue | By sorting risks according to due dates for treatment plans/ responses, Risk Managers, Project Managers and others can identify critical timeframes for responding to key risks as well as identify and manage potential delays and/or non-performance in responding to risk.
OPING-RISK-FRAMEWORK 118
It should be noted that for all the risk report types outlined above, organisations may choose to report predominantly on an “exception” basis. This means to either:
only report on the changes from the last report rather than producing risk reports that contain data that is largely unchanged from the last reporting cycle
only report on risks at the Executive/ Senior Manager level that fulfil predefined characteristics (e.g. significant risks with poor control effectiveness).
This approach prevents the situation where the same risk may justifiably appear on the report time after time as it is rated high, but no further action can be taken to mitigate the risk at that time (i.e. the risk has been accepted as high). In this instance, report recipients may fail to pay attention to the risk report as they become used to seeing the same risk information and therefore begin to regard the risk reporting process as non-value adding. It is important however that there is complete oversight of all risks on at least an annual basis to ensure that there have been no changes to the overall risk profile, and that the executives/senior managers are fulfilling their oversight duties.
4.3.6 Format of risk reports
The way that risk information is presented can make a huge difference in the value it adds. It is often useful to graphically represent risk information in order to make the information easily understood, and to show a large volume of information in a compact manner.
Client Comment:
As the Metropolitan Fire and Emergency Services Board’s (MFESB) risk framework and processes developed, the volume of risk data available significantly increased. The MFESB decided to review industry benchmarks to determine ‘typical’ board reporting models and standards.
This resulted in a model that differentiates between long-term, short term and emerging risks. Long term risks are reported by exception (that is, only when key control effectiveness falls to a pre-determined level). The effect is to prevent Board reports being continually populated by the same slow changing long term risks. These are now reported on a six monthly basis irrespective of control effectiveness.
…MFESB Risk Reporting Project Co-funded by VMIA
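As an added illustration of the exception-based approach described above (this is example code written for this guide's reader, not part of the VMIA guide or of the VMIA Risk Register tool), the Python script below compares two constructed snapshots of a risk register: it lists only what changed since the last reporting cycle, adds the risks that meet a predefined characteristic (here, rated High or above with controls rated Partially effective or worse), and can be switched to the full register for the annual oversight pass. The register fields, the rating and control-effectiveness scales, the exception rule and the sample registers are all assumptions chosen for the example.

```python
"""Exception-based risk report built from two snapshots of a risk register.

Added example (not the VMIA guide's or VMIA Risk Register's code). The
register fields, the rating/control scales, the exception rule and the
sample registers below are all constructed assumptions.
"""
from dataclasses import dataclass

# Assumed ordinal scales; the guide's own heat-map scale is not reproduced here.
RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Extreme": 3}
CONTROL_ORDER = {"Ineffective": 0, "Partially effective": 1, "Effective": 2}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    title: str
    rating: str                 # key of RATING_ORDER
    control_effectiveness: str  # key of CONTROL_ORDER
    owner: str                  # job title of the risk owner


def is_exception(risk, min_rating="High", max_control="Partially effective"):
    """Predefined characteristic: a significant risk whose controls are weak."""
    return (RATING_ORDER[risk.rating] >= RATING_ORDER[min_rating]
            and CONTROL_ORDER[risk.control_effectiveness] <= CONTROL_ORDER[max_control])


def changes_since(previous, current):
    """List (risk_id, change, detail) for every difference between two snapshots.

    New risks come first, then closed ones, then changed attributes of risks
    present in both. Unchanged risks produce nothing, which is the point of
    reporting by exception.
    """
    prev = {r.risk_id: r for r in previous}
    curr = {r.risk_id: r for r in current}
    changes = []
    for rid in sorted(curr.keys() - prev.keys()):
        changes.append((rid, "new", curr[rid].title))
    for rid in sorted(prev.keys() - curr.keys()):
        changes.append((rid, "closed", prev[rid].title))
    for rid in sorted(curr.keys() & prev.keys()):
        before, after = prev[rid], curr[rid]
        if before.rating != after.rating:
            worse = RATING_ORDER[after.rating] > RATING_ORDER[before.rating]
            changes.append((rid, "rating_worse" if worse else "rating_better",
                            f"{before.rating} -> {after.rating}"))
        if before.control_effectiveness != after.control_effectiveness:
            changes.append((rid, "controls_changed",
                            f"{before.control_effectiveness} -> {after.control_effectiveness}"))
        if before.owner != after.owner:
            changes.append((rid, "owner_changed", f"{before.owner} -> {after.owner}"))
    return changes


def exception_report(previous, current, annual=False):
    """Regular cycle: changes plus current exceptions.
    Annual cycle: also the whole register, so every risk gets oversight yearly."""
    report = {
        "changes": changes_since(previous, current),
        "exceptions": sorted(r.risk_id for r in current if is_exception(r)),
    }
    if annual:
        report["all_risks"] = sorted(r.risk_id for r in current)
    return report


# Constructed sample snapshots (not real data).
LAST_QUARTER = [
    Risk("R1", "Data centre power failure", "High", "Effective", "CIO"),
    Risk("R2", "Payroll system outage", "Medium", "Partially effective", "CFO"),
    Risk("R3", "Loss of key clinical staff", "High", "Partially effective", "COO"),
]
THIS_QUARTER = [
    Risk("R1", "Data centre power failure", "High", "Effective", "CIO"),  # unchanged, well controlled
    Risk("R2", "Payroll system outage", "High", "Ineffective", "CFO"),     # rating and controls worsened
    Risk("R4", "Privacy breach via third-party provider", "Extreme", "Ineffective", "CIO"),  # new
]  # R3 has been closed

if __name__ == "__main__":
    for section, rows in exception_report(LAST_QUARTER, THIS_QUARTER).items():
        print(section)
        for row in rows:
            print("  ", row)
```

Note that R1 stays High throughout but never appears in the exception section: it is well controlled and unchanged, which is exactly the risk that would otherwise clutter every report. The annual flag is what satisfies the guide's requirement that all risks get oversight at least once a year.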
The following section provides examples of three types of risk reports:
i) Strategic risk reports
ii) Operational risk reports
iii) Key risk indicator reports.

i) Strategic risk report formats
Heat maps are commonly used to report on the top risks faced by the organisation, and are well received by most boards. They are useful as they graphically illustrate the relative severity of risks in relation to each other.

[Figure: Sample Risk Reporting: Heatmap – Risk Profile]

The green areas represent the least severe risks, and as the risk moves upward and right towards the red shaded area, the level of risk exposure increases.
Heat maps are less useful (difficult to read) when there is a need to illustrate a large number of risks, or where risk scores are very similar for all risks.

The ability to effectively link an organisation’s key risks to its strategic objectives or business goals is an indicator of a maturing risk management framework. An example is illustrated in the value chain report below. Value chain reports are useful to board and executive management as they show the link between organisational strategy and risk. They are also a useful technique for identifying risks, i.e. what are the risks to the achievement of the objectives?

[Figure: Risk Reporting: Value Chain – Linking strategy and risk. Text from the sample figure: “MES Executive Team identified the following as significant risks to its ability to meet organisational objectives. The management of these risks is regularly reported to the Vice Chancellor (CEO equivalent) and risk committee. The risk committee will present this to the MES Council upon request.”]
ii) Operational risk report format
Table formats, of which there are many variations, are useful for reporting on a large number of risks or when a greater amount of detail about each risk is required. This approach is best suited to operational risk reporting where, for example, the risk owner or risk manager will want to review more detailed risk and control information such as:
control effectiveness levels
rating scores
treatment plans
treatment due dates.
These reports are used by risk committees, programme managers and risk owners to monitor and manage the update, implementation and review of risk management activities/ plans. This level of detail can be provided as supporting information to summary executive reports, or provided where the board or executive wish to review a specific risk or cluster of risks.
A key advantage of table or spreadsheet reports is that they can easily be filtered or sorted to meet the reporting requirements of a specific target audience. It is also easy to add to or modify content following risk update processes.

[Figure: Risk Reporting: Operational Risk Report – Sample Format 1]
[Figure: Risk Reporting: Operational Risk Report – Sample Format 2]
iii) Key Risk Indicators (KRIs)
Key risk indicators – which are used to measure risk levels – should be developed once an organisation is satisfied that the basic elements of its risk management framework are well established and operating effectively.

In addition to reports containing qualitative data, once an organisation has established an effective system of risk reporting, it may wish to consider the use of quantitative data in the form of KRIs. Indicators are a valuable tool to facilitate the monitoring of risks and controls over time against an organisation’s risk appetite. Whilst risk and control data in many organisations is formally updated on a regular basis, key indicators enable an organisation to continuously and predictively monitor changes to its risk profile or control framework, and allow actions to be carried out in a more timely and effective manner.

It is important to note that use of KRIs is considered to be at the “mature end” of the risk management spectrum, and therefore organisations should not attempt to develop and roll out such indicators until they have established a robust risk management framework that delivers clearly defined and understood risk and control data. In addition, as risk indicators can be costly to implement and maintain, it is recommended that such indicators are only used for significant risks.

For organisations who are keen to focus on more quantitative data but which do not have the necessary resources to identify and monitor the large volumes of data required for risk indicators, it is recommended that priority is given to the identification and monitoring of key control indicators instead (see definitions below) as they are easier to identify and capture, and will reflect a weakening in the control environment that is likely to result in an increased level of risk.

Client Comment:
“I had never made the connection between the organisation’s risk management processes – which I am not an expert in – and the monthly business performance indicators we receive in preparation for our monthly meetings. After attending a risk management training session for the Board, I realise that we can use existing trend reports covering areas such as:
Variance to budget
OH&S incidents
Staff turnover and vacancies
Medication errors
Patient falls
to monitor changes in risk levels or to identify new risks. The hospital is planning to define acceptable levels or thresholds for each business indicator it reports on, which if exceeded, would result in a re-appraisal of related risks and escalation of the risk to our Risk and Audit Committee for further action.”
…Non-executive Board Member Regional Healthcare

For example, the motor insurance industry relies heavily on risk indicators when determining appropriate policy pricing. Factors such as age of applicant, neighbourhood and number of kilometres driven each year build a profile of the applicant and therefore the ‘risk’ that the insurance firm will have to pay out on a claim. If an insurance company were to attempt to write new business without utilising indicators, underwriters would be forced to use their intuition to judge how likely a new customer would be to claim in the future. Whilst some may prove to have good insight, many would misjudge the risk and consequently business performance would be significantly (negatively) affected.

Key indicators allow an organisation to:
understand how the risk profile changes in different circumstances
appreciate how risk moves and is affected by the business environment
focus attention on risk drivers that are most volatile
ensure controls around the drivers are robust and effective
gain a forward looking perspective of the current risk profile
understand the early warning signals for emerging risks.

There are three types of key indicators commonly used: Key Performance Indicators, Key Risk Indicators and Key Control Indicators. There is often confusion as to the difference between them. Below is a brief definition of each:
i) Key Performance Indicators (KPIs) are used to monitor the change in overall business performance (e.g. budget) in relation to specific business objectives. KPIs can measure internal or external factors and can be seen as events that may raise warnings as to potential risks.
ii) Key Risk Indicators (KRIs) are a specific measure relating to a particular risk that shows a change in the likelihood or consequence of that risk event occurring. KRIs that demonstrate increased exposure to risks (e.g. significant increases in business volumes combined with potential staff numbers) can show what level of stress or strain current control activities may be put under.
iii) Key Control Indicators (KCIs) are metrics that can demonstrate a change in a specific control’s effectiveness (e.g. a control’s design and its actual performance). A deterioration of KCIs reflects a weakening in the control environment and is likely to result in an increase in a risk’s likelihood or consequence.

Examples of such indicators are illustrated in the following table:

Business objective: To deliver major projects on budget
Risk: Major project cost overrun (Cause: Project creep; Impact: Additional project funding required)
KPI: Project delivered 90% within budget
Control: Project plan (prevent); Business case (prevent); Risk management (prevent); Gateway review (detect); Resource plan (prevent)
KRI: # variations to a project plan (L); # variations to scope (L); # variations to required budget (I)
KCI: # passed gateway reviews; % difference between target and actual budget; # unacceptable risks

Defining an effective system of Key Risk Indicators (KRIs) can be broken down into five phases:
i) identify and document the key risk and control indicators
ii) source and validate existing KRI data
iii) establish tolerance levels and escalation procedures
iv) analyse, report, and revise the KRIs
v) monitor KRIs.
These phases are outlined in further detail in the following table:

Phase: Identify and document the Key Risk and Control Indicators
• Review existing risk profiles. Ensure that all major risks are captured and the causes and consequences are understood. Understanding the causes is essential for determining the risk metrics that measure changes in the likelihood of a risk occurring; and understanding the consequences is essential for determining the risk metrics that measure changes in the impact of a risk.
• Determine factors that lead to changes in risk consequence or likelihood – these are the KRIs.
• Review the control environment and ensure that the controls are adequately addressing the risks.
• Identify the Key Control Indicators that indicate changes to control design or performance.

Phase: Source and validate existing KRI and KCI data
• Collect, extract or produce relevant data.
• Ensure that the KRI and KCI data is providing information that is reliable and of good quality.
• Clarify dependencies on other parties who are responsible for producing and maintaining the data.
• Ensure data history is maintained and ownership established.
• Once the indicators have been sourced, each KRI/ KCI needs to be documented. As a minimum, the information recorded should be:
  • Description of the KRI/ KCI
  • Owner
  • Tolerances/ thresholds
  • Escalation protocols
  • Actions
  • Data source

Phase: Establish tolerance levels and escalation procedures
• Consider at what level the organisation is prepared to accept a defined level of risk, and when and to whom risk data needs to be escalated. Escalation levels should be defined in line with risk tolerances and risk appetite, and to keep the system simple, Red/ Amber/ Green ratings can be used to represent the need to escalate to middle management (Amber) and senior management (Red).

Phase: Analyse, report and revise the KRIs/ KCIs
• Analyse changes against the defined thresholds and report on a monthly basis.
• Identify trends and tendencies.
• Escalate to the relevant level of management as defined by the organisation’s risk tolerance levels.
• Assign the required actions and resolution dates to owners.
• Revise the process, indicators and data as required.

Phase: Monitor
• KRI and KCI movements and trends should be monitored on a regular basis by linking the data to a risk reporting system, or real time exception based reporting.
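The tolerance/escalation and analyse-and-report phases above can be expressed as a small evaluator. The Python below is an added example written for this guide's reader, not code from the guide or from any VMIA tool. The indicator names are taken from the major-project table earlier in this section, but the thresholds, the direction in which each indicator is "worse", the owners and the monthly readings are constructed assumptions. It assigns each indicator a Red/Amber/Green status against its thresholds, maps Amber to middle-management and Red to senior-management escalation as the table suggests, and flags a deteriorating trend so that an indicator still inside tolerance can be raised as an early warning rather than waiting for it to breach.

```python
"""KRI/KCI threshold evaluation with Red/Amber/Green escalation and trend flags.

Added example, not part of the guide or any VMIA tool. Indicator names follow
the major-project table in the guide; thresholds, directions, owners and the
monthly readings below are constructed assumptions.
"""
from dataclasses import dataclass

# Escalation path as described in the guide's phase table: Amber to middle
# management, Red to senior management, Green needs no escalation.
ESCALATION = {"Green": None, "Amber": "middle management", "Red": "senior management"}
STATUS_ORDER = {"Red": 0, "Amber": 1, "Green": 2}


@dataclass(frozen=True)
class Indicator:
    name: str
    kind: str                     # "KRI" or "KCI"
    amber: float                  # tolerance beyond which status becomes Amber
    red: float                    # tolerance beyond which status becomes Red
    higher_is_worse: bool = True  # False for e.g. "# passed gateway reviews"
    owner: str = "unassigned"


def rag_status(ind, value):
    """Red/Amber/Green for one reading, honouring the indicator's direction."""
    if ind.higher_is_worse:
        return "Red" if value >= ind.red else "Amber" if value >= ind.amber else "Green"
    return "Red" if value <= ind.red else "Amber" if value <= ind.amber else "Green"


def trend(ind, series, window=3):
    """'deteriorating' if each of the last `window` movements went toward Red,
    'improving' if each went away from it, otherwise 'stable'."""
    if len(series) < window + 1:
        return "insufficient data"
    tail = series[-(window + 1):]
    steps = [b - a for a, b in zip(tail, tail[1:])]
    if not ind.higher_is_worse:
        steps = [-s for s in steps]  # normalise so that positive = toward Red
    if all(s > 0 for s in steps):
        return "deteriorating"
    if all(s < 0 for s in steps):
        return "improving"
    return "stable"


def evaluate(ind, series):
    """One report row: latest value, status, trend and who it escalates to."""
    status = rag_status(ind, series[-1])
    return {"indicator": ind.name, "kind": ind.kind, "owner": ind.owner,
            "value": series[-1], "status": status, "trend": trend(ind, series),
            "escalate_to": ESCALATION[status]}


def monthly_report(indicators, history):
    """Evaluate every indicator, worst status first, for the monthly review."""
    rows = [evaluate(ind, history[ind.name]) for ind in indicators]
    rows.sort(key=lambda r: (STATUS_ORDER[r["status"]], r["indicator"]))
    return rows


def early_warnings(rows):
    """Indicators not yet Red but moving toward it: the forward-looking view."""
    return [r["indicator"] for r in rows
            if r["status"] != "Red" and r["trend"] == "deteriorating"]


# Constructed indicators and four months of readings (oldest first).
INDICATORS = [
    Indicator("# variations to scope", "KRI", amber=3, red=6, owner="Project director"),
    Indicator("% difference between target and actual budget", "KRI", amber=5, red=10,
              owner="Project director"),
    Indicator("# passed gateway reviews", "KCI", amber=2, red=1, higher_is_worse=False,
              owner="PMO"),
    Indicator("# unacceptable risks", "KCI", amber=2, red=4, owner="Risk manager"),
]
HISTORY = {
    "# variations to scope": [1, 2, 3, 5],
    "% difference between target and actual budget": [2.0, 4.0, 7.0, 12.0],
    "# passed gateway reviews": [3, 3, 3, 3],
    "# unacceptable risks": [4, 3, 2, 1],
}

if __name__ == "__main__":
    rows = monthly_report(INDICATORS, HISTORY)
    for row in rows:
        print(f"{row['status']:5} {row['trend']:13} {row['indicator']} -> {row['escalate_to']}")
    print("early warnings:", early_warnings(rows))
```

With the constructed readings, the budget variance is already Red and goes to senior management, while scope variations are only Amber but have risen three months in a row, so they appear in the early-warning list. Thresholds and direction live on the indicator record, matching the guide's minimum documentation set (description, owner, tolerances, escalation protocol).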
4.3.7 The use of risk management software for reporting
The use of risk management software is useful in helping manage risk related information. However, it is not essential to use risk software to achieve a robust and effective risk management framework.
Most specialised risk management and internal audit software tools, such as RiskMan, Cura, ERA and RiskAdvisor, include automated risk reporting capabilities. Software tools can simplify and reduce the time required to report on risk management initiatives.
While many generic reports can be drawn from such software, it is still important to ensure that the report format and content meets stakeholder requirements. In many cases an organisation may commission consultants, software vendors or internal IT specialists to develop customised reports to meet specific reporting requirements.

4.3.8 The VMIA’s Risk Register software
The VMIA has designed a simple risk recording and reporting tool, VMIA Risk Register, that is available free-of-charge to VMIA’s insurance clients.
The software is not designed to replace or replicate the functionality of specialised risk software packages. It has been developed to provide a simple and easy to use risk tool for the VMIA’s insurance clients that may not require a comprehensive governance, risk and compliance software product.
The VMIA Risk Register is designed to allow organisations to:
Create a single risk register across the organisation
Record pertinent risk information, including:
- Risk descriptions, causes and impacts
- Risk assessment outcomes (likelihood, consequence, control effectiveness etc.)
- Categorisation of risks (risk categories)
- Linkage of risks to specific business units
- Linkage of risks to specific strategic objectives
- Current control information (summary level)
- Responsibility for risk
- Risk treatment and response (summary level)
- Risk response status and due dates
Select from a range of pre-defined summary and detailed risk reports in both graphical and text formats. The software is able to generate heat map reports.

4.3.9 Conclusion
The importance of an effective risk reporting system should not be underestimated as it ultimately supports improved decision-making ability. The failure to effectively report on risk will also undermine executive and Board support for the organisation’s risk management process.
Reports should be viewed as a business tool, rather than a compliance requirement. Remember that there is no ‘right or wrong’ approach to risk reporting, as long as the reports produced:
meet the needs of your stakeholders
are available when needed by the business
contain current, updated quality information
are easily understandable
contain the right level of detail
are supported by detailed underlying risk information, where appropriate
support action and accountability for risk management across the organisation.
Considering these requirements when designing risk reporting solutions should maximise the benefits obtained from risk management processes.

Toolkit Reference:
Appendix L: Risk register – MS Excel template
Appendix N: Risk reporting – MS Word templates
Appendix P: Risk management information systems – check-list
VMIA Risk Register software – Refer to the VMIA website or contact your VMIA representative
4.4 Developing desired risk management culture

[Chapter map figure: Developing a Risk Management Framework (Overview – Risk Management Framework; Key Considerations When Designing a Framework; Documenting a Framework; Risk Management Governance; Risk Management Information Systems) | Implementing a Risk Management Framework (Overview of a Risk Management Process; Risk Management Process; Risk and Risk Management Reporting; Developing Desired Risk Management Culture) | Monitoring and Enhancing a Risk Management Framework (Monitoring and Reviewing a Risk Mgt Framework; Attestation Process; Continuous Improvement)]

4.4.1 What is risk management culture?
Culture is defined as “the way we work around here”. It is the collective way of doing things, through accepted behaviours and processes.
A risk management culture specifically refers to the way risk management is applied in the way people work within an organisation. It is about the accepted ways of being and doing with regards to risk and risk management. Risk culture involves how people recognise and respond to risk and how risk is considered in making decisions.

4.4.2 Why is risk management culture important?
Culture is intrinsic to risk management. The accepted behaviour or norms around ‘maximising potential opportunities whilst managing adverse effects’ determines how embedded risk management is in your organisation. Hence, to have an effective risk management process or framework in place means having an appropriate culture that works for your organisation. If risk management is not working, a change in culture may be necessary.
The appropriate risk management culture would vary depending on the unique context of your organisation. To determine this, a starting point is to understand the key drivers of culture.

4.4.3 Drivers of culture
There are various drivers within an organisation that shape culture. These drivers influence how well embedded risk management is throughout the organisation.
Cultural Drivers | Risk Management Culture

Mission, Vision, Values, Purpose
The mission, vision and purpose promote a risk culture.
Risks are managed on a day to day basis as part of applying the values of the organisation.

Systems and Processes
The management systems and processes enable effective and efficient risk management.
The process for managing risk is integrated with day to day processes.

Structure
There is a risk organisational structure to enhance accountability and delegation.
The structure enables risk-based decision making without bureaucracy, making jobs easier and delivering better outcomes.

Leadership
Leadership skills and attributes around risk management are fostered and rewarded and implemented across the business.
Poor behaviours or practices around risk management are not tolerated by leaders.

Job Design and Role Definition
Jobs are designed to reflect risk management and risk policies.
Job definitions include performance expectations around risk management.
Accountabilities with regards to risk and risk management are clearly articulated.

Desired vs. Actual Behaviours
There is a clearly articulated consensus around desired behaviours across the business.
These are modelled by leaders and people are responsive to these desired behaviours.

The following client example illustrates the benefit of involving stakeholders in defining a risk management solution that reflects the needs of the organisation:

Client Comment:
During 2007-8, the VMIA was involved in co-funding two projects with the Metropolitan Fire and Emergency Services Board (MFESB) to improve its risk management processes. The process of involving managers in the testing and redesign of risk management components has led to their engagement in maintaining the profile of risk management at the MFESB, and further enhanced internal knowledge and understanding about risk.
…MFESB Risk Projects Co-funded by VMIA
4.4.4 Embedding desired risk management culture
Embedding your desired risk management culture is a change journey. Managing change means shifting the organisation from where it is (current state) to where it wants to be (future state).
Fundamentally this involves three key steps:
Step 1: Determine desired risk culture
Step 2: Assess gaps in current culture, across the cultural drivers:
• Visions, Mission, Values and Purpose
• Job design and role definition
• Structure
• Leadership
• Desired vs. Actual Behaviours
• Systems and Processes
Step 3: Implement interventions to close the gap, through:
• Culture Change Leadership
• Communication & Engagement
• Learning and Development
• Organisational Alignment
• Performance Management
4.4.4.1 Clearly define where your organisation wants to be in terms of risk management culture
Define the level of involvement in risk management that you would like the whole organisation to have. Identify and articulate the desired behaviours around risk management. This includes tolerance for risk, how people respond to risks and risk events and the general awareness around risk and risk management.
The desired culture would continue to evolve, as it would depend on the level of maturity that is acceptable to your organisation within a given period of time. Tools that could help you define the desired culture are benchmarking, surveys, workshops with senior management and independent risk framework assessment. Often, the definition process would be a top-down approach, followed by consultation down the line to engage buy-in (i.e. staff briefings, roundtable discussions, forums).

4.4.4.2 Assess what your organisation’s current risk culture is
The current risk culture is an outcome of collective behaviour driven by existing norms around risk management. Determining your organisation’s current culture and identifying its key drivers will be useful in identifying the appropriate interventions to achieve the desired risk culture.
The most commonly used tools for assessing current culture are interviews, focus-group discussions and surveys. When conducting the assessment, it will be useful to get input from a sample of participants or respondents across the different parts of the organisation, and across different levels.

4.4.4.3 Determine what cultural and behavioural interventions are useful to help close the gap
Determining the cultural and behavioural interventions will help you close the gap between where you currently are and where you want to be in your risk culture. The assessment provides a useful starting point in prioritising and developing your options for culture change.

4.5 Checklist – Implementing a risk management framework
The following checklist provides a number of questions relating to the implementation of your organisation’s risk management framework. Considering the answers to these questions will help you check your progress in implementing a robust and flexible risk management framework.
The checklist distinguishes between those elements essential to ensure an effective risk framework, and those typically associated with relatively mature or sophisticated frameworks often found in large organisations.
Toolkit reference:
Appendix: Risk management checklist
# | Section | Requirement | Essential (E)/ Advanced (A) | In place (Yes/No)

Implementing a risk management framework

1 | Communicate and consult | Is risk management or awareness training provided to all staff? | E |
2 | Communicate and consult | Does the Risk Manager (or equivalent) have access to the CEO, Board and Audit/ Risk Committee when required? | E |
3 | Communicate and consult | Do your staff know that they have a right and responsibility to assist in risk identification and escalation? | E |
4 | Communicate and consult | Do staff know who to report/ escalate risks to? | E |

Toolkit Reference:
Appendix G: Communication and consultation plan – template
Appendix H: Risk training slides

5 | Communicate and consult | Do managers or supervisors know that they are responsible for managing risk in their area/s of responsibility? | E |
6 | Communicate and consult | Have the Executive and the Board provided guidance on what information they would like to see in risk reports? | E |
7 | Communicate and consult | Is there agreement on when and how often risk reports will be produced? | E |
8 | Communicate and consult | Have the recipients of risk reports been identified and agreed? | E |
9 | Communicate and consult | Can different risk reports be produced to meet different needs of stakeholder groups? | A |
10 | Communicate and consult | Has responsibility for managing/ treating specific risks been assigned and communicated to those responsible? | E |
11 | Communicate and consult | Are staff encouraged or incentivised to report risk or suggest risk reduction strategies? | A |
12 | Risk assessment | Has a risk-brainstorming workshop (or workshops) been conducted? | E |
13 | Risk assessment | Have you considered the history of events and incidents in your organisation during the Risk Assessment process? | A |
14 | Risk assessment | Has research been performed to understand common risks in the industry? | A |
15 | Risk assessment | Have the Executive and Board considered risks relating to the achievement of key organisational goals and objectives? | A |
16 | Risk assessment | Are risks identified during compliance reviews/ audits always added to the risk register? | E |
17 | Risk assessment | Have existing controls for risks been identified during the risk assessment process? | E |
18 | Risk assessment | Has the perceived effectiveness of controls been assessed by a person who understands the risk and the controls in place? | E |
19 | Treat risks | Does the risk register record the job title of the person responsible for overseeing the risk treatment and monitoring process (the 'risk owner' or 'risk champion')? | E |
20 | Treat risks | Have you identified possible actions/ treatment plans that could help to reduce the risk level? | E |
21 | Treat risks | Have the benefits of a treatment approach been compared to the potential cost of the risk to determine the appropriateness of the treatment strategy? | A |
22 | Treat risks | Have risk treatment or action plans been documented and approved for important risks? | E |
23 | Treat risks | Have due dates/ completion dates been agreed for risk treatment actions and plans? | E |
24 | Treat risks | Is there a clear understanding of who will oversee the risk treatment selection and execution process? | E |
25 | Treat risks | Have Key Risk Indicators been defined and agreed for key risks/ risk areas? | A |
26 | Treat risks | Are valuable physical assets appropriately insured? | E |
27 | Treat risks | Is a Business Continuity Plan in place for critical organisational functions/ processes? | A |
28 | Risk assessment | Has the risk register been updated in the last year? | E |
29 | Risk assessment | Is the risk register updated throughout the year to reflect changes in risk and emerging risks? | A |
5 Monitoring and enhancing the risk management framework

[Chapter map figure: Developing a Risk Management Framework (Overview – Risk Management Framework; Key Considerations When Designing a Framework; Documenting a Framework; Risk Management Governance; Risk Management Information Systems) | Implementing a Risk Management Framework (Overview of a Risk Management Process; Risk Management Process; Risk and Risk Management Reporting; Developing Desired Risk Management Culture) | Monitoring and Enhancing a Risk Management Framework (Monitoring and Reviewing a Risk Mgt Framework; Attestation Process; Continuous Improvement)]

The ongoing relevance and usefulness of a risk management framework is largely informed by the extent to which it is continually improved. It is therefore essential for all departments and agencies to monitor, review and enhance the effectiveness of their risk management framework. By ensuring that a risk management framework remains fit for purpose and is customised to meet changing organisational circumstances and new leading practices, organisations will obtain significant value from risk management.

5.1 Monitoring and reviewing a risk management framework
5.1.1 What is it?
Monitoring and reviewing a risk management framework is different to monitoring of risks and their associated controls for effectiveness (as discussed in section 5.2.7). The latter is a sub-set of the former: by obtaining assurance on the effectiveness of the practices in place to manage specific risks, an organisation can be satisfied that at least part of its risk management framework is operating effectively. This review activity would then be coupled with review of additional components of the risk management framework to ensure its overall effectiveness.
5.1.2 Why do it?
Monitoring and reviewing the risk management framework is aimed at ensuring that appropriate framework enhancements are occurring when and as needed. It is important to gain assurance as to the effectiveness and efficiency of the risk management framework due to it providing the structure within which all risks are managed.

5.1.3 How to monitor and review your risk management framework
When monitoring and reviewing the framework, particular attention should be paid to whether the framework has been appropriately customised and is operating in a manner that illustrates that:
risks are being effectively identified and appropriately analysed
this leads to adequate and appropriate risk management and controls
there is effective monitoring and review by management and executives to detect changes in risks and controls.
There are several approaches available to assist Departments and Agencies in effectively monitoring and reviewing their frameworks, including reviewing the framework against:
i) Risk management process components;
ii) Risk management principles; and/or
iii) A risk management maturity model (Appendix N: VAGO Good Practice Guide).
The factors to consider when choosing the appropriate approach include:
the maturity level of the risk management, as determined through any previous maturity assessments
the number of planned risk management improvement initiatives currently being undertaken/ recently having been undertaken
the findings from previous risk management framework reviews
the size and complexity of the organisation
the number of major risks that have eventuated in that year
whether the organisation has entered into providing any new services/ products
whether there have been significant organisational changes
the management of inter-agency risk
the use of implementation partners.
For example, a medium sized organisation that has been previously assessed as having mature risk management but which had numerous major risks eventuate in the last year would most likely need to undertake more rigorous monitoring and review of its risk management framework. The fact that the organisation rated well in a previous maturity assessment does not outweigh the fact that the organisation had many risks eventuate, as this would normally indicate some form of failure in its risk management practices.
Also, it should be noted that you may choose to use a combination of approaches at different times or alternate the approach used from year to year. For example, it may be appropriate to conduct an annual review of the framework against the process components; however, on a three yearly basis, it may be useful to conduct a risk management maturity assessment, particularly if over that period a number of risk management improvement initiatives have occurred.
Further detail is provided below on the different approaches that an organisation may use to monitor and review its risk management framework, including examples of how these approaches could be practically implemented.

5.1.3.1 The role of Internal Audit in the risk management process
The Institute of Internal Auditors’ Professional Practices Framework defines Internal Audit as an independent, objective assurance and consulting function designed to add value and improve an organisation’s operations and accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of:
risk management
control
governance processes.
Internal Audit services can be provided either by suitably qualified members of the organisation, or outsourced to a third party professional services or audit firm.
… Internal Audit in the risk management … Internal Audit function compromised.
itin irm. Ieffectiveness of an orga
rna udit has an important role to play in monitoring and evaluating thenisation’s risk management processes. The
f wi tables describe the core roles of Internal Audag ent process, as well as those activities and roles that Interna
Audit should not fulfil or only do so when adequate controls are in place to ure at conflicts of interest do not arise or the independence of the
Core roles of Internal Audit:
- Giving assurance on: risk management processes; that risks are correctly evaluated; control systems effectiveness
- Evaluating: risk management processes; the reporting of material risks
- Reviewing the management of material risks

The following safeguards should be considered when involving Internal Audit in the activities listed below:
- segregation of duties
- membership of the Institute of Internal Auditors, which requires that strict professional standards and ethical behaviours are adhered to
- appropriate Audit and Risk Management qualifications such as CIA (Internal Audit), CISA (IT Audit) and CRM (Risk Management)
- appropriate skill levels and knowledge of the organisation
- board review and approval of risk management outcomes.

Roles Internal Audit may fulfil with safeguards:
- Facilitating: risk workshops; management risk response
- Advice on risk identification and evaluation
- Championing establishment of ERM
- Developing the risk management strategy for Board approval
- Central co-ordination point for ERM
- Risk monitoring across the business
- Holistic reporting on risk
- Operating the ERM framework

The following activities should never be performed by an organisation's Internal Auditor/s:
- Take decisions on risk response
- Take accountability for risks and controls
- Impose risk management processes
- Set risk appetite
- Manage risks on behalf of management

Source: Standards Australia HB158-2006: Delivering assurance based on AS/NZS 4360:2004 Risk Management
5.1.3.2 Risk management process components
The Standard provides non-prescriptive guidance on how to conduct an effective risk management process. The process contained therein, described in the preceding section of these guidelines, identifies seven risk management process elements. It is important to note that this form of review concerns the risk management process rather than the entire risk management framework; however, the process reflects a large part of risk management effectiveness within an organisation. Process effectiveness is then looked at in conjunction with the extent to which the right capability exists and the right behaviours are being exhibited, to determine overall framework effectiveness.

One available approach for monitoring and reviewing a risk management framework is to review the organisation's process against the seven steps set out in the Standard. Set out below is further detail on conducting this type of review.

Element 1: Communication and consultation
Element 1 is defined in these guidelines as meaning - Communicating and consulting with internal and external stakeholders as appropriate at each stage of the risk management process and concerning the process as a whole.
The questions which Handbook 158 (the handbook supporting implementation of AS/NZS 4360:2004) provides to assist in examining the effectiveness and appropriateness of communication are:
- Have all key stakeholders been consulted and involved as appropriate?
- Have stakeholders' perceptions of risk been addressed?
- Where necessary, has a communication plan been developed?
- Is there ownership of risks and controls by members of the organisation?
Typical documentation:
- Stakeholder management plan (either dedicated to risk management or containing a risk management element)
- Communications plan (either dedicated to risk management or containing a risk management element)
- Communications that have been provided to internal and/or external stakeholders, for example, the risk management component of an Annual Report or internal newsletters or bulletins containing risk management discussion
- Outcomes of communication and consultation evaluation exercises.
When examining this documentation consider whether:
- Account is taken of the fact that different stakeholders should be communicated and consulted with using different media and channels.
- Different stakeholders are being communicated different messages depending on their needed involvement in the risk management process.
- The timing of communications and consultation is appropriate; for example, it may not be appropriate to provide 'general' external stakeholders with quarterly risk management updates, but this may be required when communicating or consulting with suppliers who are delivering critical outputs on your behalf.
- The right mix of communication and consultation occurred, that is, if input from a stakeholder was crucial to the organisation's ability to make a certain decision, did consultation rather than communication occur with that stakeholder?
- Stakeholders, both internal and external, exhibited a greater understanding and awareness of risk management as a result of the communication and consultation that occurred. This may be evidenced by increased participation in risk assessment exercises, increased contribution to risk reporting and/or through the outcomes of surveys.
Element 2: Establishing the context
Element 2 is defined in these guidelines as meaning - Establishing the external, internal, and risk management context in which the rest of the process will take place. Criteria against which risk will be assessed should be established and the structure of the analysis defined.
When commencing risk assessment, is there a process to obtain a clear understanding of the organisation's:
- External context (including the relationship between the organisation and its environment, and the organisation's strengths, weaknesses, opportunities and threats)?
- Internal context (including the organisation's capabilities, the organisation's goals and objectives and the strategies that are in place to achieve them)?
- Risk management context (including the goals, objectives, strategies, scope and parameters of the risk management process, or the part of the organisation to which the risk management process is being applied); and
- Criteria for deciding when risk is tolerable or not?
Typical documentation:
- Risk assessment presentations
- Risk assessment criteria including consequence, likelihood and overall risk levels
- Risk registers
- SWOT analysis outcomes.
When examining this documentation consider whether:
- The risk assessment process involved examining risks to achieving the organisation's / area's / project's objectives
- Identified risks were clearly linked back to the relevant objectives
- Consequence and likelihood criteria, and overall risk levels, are clearly established and, where appropriate, consistent across the organisation
- The right people were involved in establishing the organisation's consequence and likelihood criteria, and overall risk levels
- There was some form of review, and where appropriate updates, of the risk management framework to reflect any changes that have occurred in the organisation's internal or external environment. For example, if new business units were established, these business units should now have a current risk register.
Element 3: Risk identification
Element 3 is defined in these guidelines as meaning - Identifying where, when, why, and how events could prevent, degrade, delay, or enhance the achievement of organisational objectives.
Questions to assist in examining the effectiveness and appropriateness of risk identification are:
- Is risk identification an integral part of planning, including strategic, operational and project plan development, by linking the process to objective setting?
- Is it an integral part of change management processes?
- Does the organisation have ongoing, comprehensive and systematic processes for identifying risks?
- Is there a range of risk identification processes available (a tool kit) together with skilled practitioners for each process? (It is common for organisations to provide guidance on the approach and the level of rigour required. The effort required is usually related to risk severity levels.)
- Are the staff involved in risk identification knowledgeable about the processes or activity being reviewed and about the risks that must be managed as a part of that activity?
- Is risk identification normally a participative process that involves appropriate stakeholders?
- Are identified risks allocated to named individuals or positions (risk owners)?
Typical documentation:
- Strategic and business planning day agendas and presentations
- Strategic and business plans
- Project business cases and implementation plans
- Risk registers
- Lists of participants in risk assessment exercises.
When examining this documentation consider whether:
- Risks are identified, or the need for risk management is considered, during the strategic and business planning process
- Strategic and business plans clearly identify the key risks to delivery of the objectives contained therein
- Risk identification occurs at numerous levels within the organisation, that is, at strategic, operational and project levels
- Identified risks cover all categories or types of risk to which the organisation is exposed
- The right mix of people were involved in the risk assessment process. For example, were all Executives involved in identifying the organisation's strategic risks, and were the heads of business units involved in the process of identifying the risks for their business units?
- The risk register clearly identifies individuals or positions, and not groups of people, who own risks.
Element 4: Risk analysis
Element 4 is defined in these guidelines as meaning - Identifying and evaluating existing controls, and determining consequences and the likelihood and hence the level of risk. This analysis should consider the range of potential consequences and how these could occur.
Questions to assist in examining the effectiveness and appropriateness of risk analysis are:
- Are the existing management and technical systems and procedures that are used to control risks identified and assessed for effectiveness as part of risk analysis?
- Are the most critical and important controls identified, and are they allocated to specific positions or named individuals?
- Is there a coherent process for the analysis of risk that measures both consequences and corresponding likelihood?
- Is there appropriate analysis of the nature and extent of consequences?
- Is the rigour of the risk analysis always in keeping with the context, the risk criteria, the level of uncertainty in the analysis and the needs of decision makers?
- Is there a robust means of assessing risk control effectiveness?
Typical documentation:
- Strategic and business planning day agendas and presentations
- Risk registers
- Root cause analysis outcomes
- Audit reports
- Control self-assessment outcomes.
When examining this documentation consider whether:
- Risk analysis involves identifying and considering the effectiveness of current controls, and determining the range of consequences that could result if the risk were to occur and the likelihood of the risk occurring
- Control effectiveness assessments are supported by information other than management's initial perceptions
- Reliable and appropriate information is used to predict the likelihood and consequences of risks occurring, for example, information on past events and available industry data
- The right people are involved in risk analysis to ensure that supported ratings are provided; for example, if there is a specific IT risk, involve the CIO and their relevant support staff in analysing that risk
- All risks are analysed using approved, and where appropriate consistent, risk assessment criteria (likelihood, consequence etc.).
Element 5: Risk evaluation
Element 5 is defined in these guidelines as meaning – Comparing estimated level of risk against the pre-established criteria and considering the balance between potential benefits and adverse outcomes. This enables decisions to be made about the extent and nature of treatments required and about priorities.
Questions to assist in examining the effectiveness and appropriateness of risk evaluation are:
Are risks evaluated and prioritised for attention using a consistent process?
Does the organisation have treatment plans for the higher priority risks, taking account of benefits and costs?
Typical documentation:
- Risk registers
- Evidence of discussion and approval of risks both within and beyond the organisation's risk tolerance.
When examining this documentation consider whether:
- There are overall risk levels given to identified risks
- There is a priority order given to identified risks
- There are pre-defined actions required for certain risk levels
- There is a process in place for accepting risks that are beyond the organisation's risk tolerance where there are no further viable treatment options available.
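Several of the Element 3 to 5 checks above (named rather than group owners, linkage to objectives, one approved set of rating criteria, an overall level and priority for every risk, pre-defined actions per level, and an approved acceptance for any risk beyond tolerance that is not being treated) can be run mechanically over a register before a reviewer reads it. The Python below is an added example written for this guide, not code from VMIA, the Standard or Handbook 158: the rating scales, level bands, tolerance, acceptance authorities and the register rows are all constructed assumptions, and an organisation would substitute the criteria it established under Element 2.

```python
"""Register review checks modelled on the Element 3 to 5 questions.
All scales, bands, authorities and register rows below are constructed
for illustration (assumptions, not VMIA or Standard content)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed 5-point likelihood and consequence scales (Element 2 criteria).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LEVEL_ORDER = ["low", "medium", "high", "extreme"]
TOLERABLE_LEVELS = {"low", "medium"}                          # assumed tolerance
ACCEPTANCE_AUTHORITY = {"Board", "Audit and Risk Committee"}  # assumed authority
REQUIRED_ACTION = {                                           # assumed actions per level
    "extreme": "treat immediately and escalate to the Board",
    "high": "treatment plan with an executive owner",
    "medium": "treat or accept with manager approval",
    "low": "monitor through routine review",
}


def risk_level(likelihood: str, consequence: str) -> str:
    """Overall level from a 5x5 matrix: product of the two ratings, banded."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Risk:
    risk_id: str
    description: str
    objective: str                     # objective the risk threatens (Element 3)
    owner: str                         # named individual or position (Element 3)
    likelihood: str
    consequence: str
    has_treatment_plan: bool = False   # Element 6
    accepted_by: Optional[str] = None  # acceptance beyond tolerance (Element 5)


GROUP_WORDS = ("team", "group", "committee", "department", "unit", "all staff")


def is_named_owner(owner: str) -> bool:
    """A risk owner must be a person or position, not a group of people."""
    text = owner.strip().lower()
    return bool(text) and not any(word in text for word in GROUP_WORDS)


def review_register(register: List[Risk]) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (prioritised risks as (id, level, required action), findings)."""
    findings: List[str] = []
    rated = []
    for r in register:
        if not r.objective:
            findings.append(f"{r.risk_id}: not linked to an objective")
        if not is_named_owner(r.owner):
            findings.append(f"{r.risk_id}: owner '{r.owner}' is a group, not a named individual or position")
        if r.likelihood not in LIKELIHOOD or r.consequence not in CONSEQUENCE:
            findings.append(f"{r.risk_id}: rated outside the approved criteria")
            continue  # cannot be levelled or prioritised until re-rated
        level = risk_level(r.likelihood, r.consequence)
        score = LIKELIHOOD[r.likelihood] * CONSEQUENCE[r.consequence]
        rated.append((r, level, score))
        if level not in TOLERABLE_LEVELS and not r.has_treatment_plan:
            if r.accepted_by is None:
                findings.append(f"{r.risk_id}: {level} risk beyond tolerance with neither a treatment plan nor an approved acceptance")
            elif r.accepted_by not in ACCEPTANCE_AUTHORITY:
                findings.append(f"{r.risk_id}: acceptance by '{r.accepted_by}' lacks the requisite authority")
    # Priority order: highest level first, then highest matrix score; ties keep register order.
    rated.sort(key=lambda t: (LEVEL_ORDER.index(t[1]), t[2]), reverse=True)
    prioritised = [(r.risk_id, level, REQUIRED_ACTION[level]) for r, level, _ in rated]
    return prioritised, findings


SAMPLE_REGISTER = [  # constructed rows for the example, not from any real register
    Risk("R1", "Intrusion discloses client records", "Protect client information",
         "Chief Information Officer", "likely", "major", has_treatment_plan=True),
    Risk("R2", "Critical supplier fails to deliver", "Deliver services on time",
         "Procurement Team", "possible", "major"),
    Risk("R3", "Monthly reporting delayed", "Timely financial reporting",
         "Finance Manager", "unlikely", "minor"),
    Risk("R4", "Unsupported legacy system", "",
         "Chief Information Officer", "certain", "major"),
    Risk("R5", "Funding model changes", "Financial sustainability",
         "Chief Finance Officer", "likely", "moderate", accepted_by="Board"),
]

if __name__ == "__main__":
    ranked, issues = review_register(SAMPLE_REGISTER)
    for row in ranked:
        print(" | ".join(row))
    for issue in issues:
        print("FINDING:", issue)
```

Run against the constructed register, R1 heads the priority list, R2 is flagged twice (group owner; high risk with no treatment and no acceptance), R4 is flagged twice (no objective; a likelihood outside the approved scale) and drops out of the prioritised list, and R5 passes because its acceptance came from a body with the assumed authority. The script only surfaces candidates for the reviewer; the judgement calls in the questions above (whether the right people rated the risk, whether the acceptance was genuinely the last viable option) remain manual.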
Element 6: Risk treatment
Element 6 is defined in these guidelines as meaning - Developing and implementing specific cost-effective strategies and action plans for increasing potential benefits and reducing potential costs.
Questions to assist in examining the effectiveness and appropriateness of risk treatment are:
- Is there a risk treatment plan (leading to controls) in place for each risk that is judged not to be tolerable?
- Do risk treatment plans include the consideration of resources and timing?
- Are performance objectives set during the design and development of controls?
Typical documentation:
- Risk registers
- Risk treatment plans (if these are documented separately to the risk register)
- Budgeting documentation.
When examining this documentation consider whether:
- Risk treatments have the resources required to deliver upon those treatments identified, and whether these resource requirements have been incorporated into the relevant budgets, particularly where significant resources are required
- Risk treatments have responsible persons and implementation timings identified
- Different risk treatment options have been considered for risks
- Treatments chosen reflect the organisation's risk tolerance
- All treatment plans have been approved by someone with the requisite authority to do so.
Element 7: Monitor and review
Element 7 is defined in these guidelines as meaning - It is necessary to monitor the effectiveness of all steps of the risk management process and the overall risk management framework. This is important for continuous improvement and change management. Risks and the effectiveness of controls and risk treatments need to be monitored to ensure changing circumstances do not alter priorities.
Questions to assist in examining the effectiveness and appropriateness of monitoring and reviewing risk are:
- Is there regular review and monitoring of:
– The risk management process?
– The risks and opportunities the organisation faces, and their priorities for treatment?
– The implementation and effectiveness of risk treatment plans (controls, strategies)?
– Whether the organisation's risk management processes have been applied systematically to objectives at the corporate, business unit and project levels?
- Are independence requirements recognised where 3rd party assurance providers are also responsible for the implementation of the risk management process?
Typical documentation:
- Risk reports
- Minutes of meetings to which risk reports are provided
- Reports documenting the results of effectiveness reviews, for example, Internal Audit reports.
When examining this documentation consider whether:
- Risk reporting is provided to all relevant stakeholders and is tailored to meet the relevant stakeholder group's requirements
- An appropriate level of independent review is occurring in respect of risk management
- There is a well thought through process for determining where and when risk assurance activities are occurring
- All aspects of risk management are being covered by some form of monitoring and review activity
- There is evidence of updates to risk registers as a result of review findings.
5.1.4 Risk management principles
Another available approach to reviewing the effectiveness of a risk management framework is to do so in relation to established risk management principles. The following sections provide guidance on the factors to consider when conducting such a review, with the aim of reducing what could otherwise be quite a subjective assessment.
The risk management principles identified in the Standard are:
1. Risk management creates and protects value
2. Risk management is an integral part of all organisational processes
3. Risk management is part of decision making
4. Risk management explicitly addresses uncertainty
5. Risk management is systematic, structured and timely
6. Risk management is based on the best available information
7. Risk management is tailored
8. Risk management takes human and cultural factors into account
9. Risk management is transparent and inclusive
10. Risk management is dynamic, iterative and responsive to change
11. Risk management facilitates continual improvement of the organisation
Principle 1: Risk management creates and protects value
AS/NZS 31000 provides the following further information on this principle:
Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.
For an organisation to demonstrate that its risk management is creating and protecting value, it is important to have defined indicators in place to measure the value being derived. Some examples of the ways in which an organisation may measure value include:
- reductions in risk level/s, as supported by clear and relevant key risk indicators
- achieving objectives, as set out in strategic and business plans, and as demonstrated by meeting clear key performance indicators
- delivering projects on time, within budget and to the requisite quality
- preventing negative outcomes or unnecessary expenditure or costs.
It is recognised that not all of an organisation's success may be attributed to risk management; conversely, the fact that no catastrophic or severely damaging delivery issues have occurred is only indirect evidence, by inference, that risk management has been effective. The use of quantifiable indicators helps to support a more robust process for measuring value.
Principle 2: Risk management is an integral part of all organisational processes
AS/NZS 31000 provides the following further information on this principle:
Risk management is not a stand-alone activity that is separate from the main activities and processes of the organisation. Risk management is part of the responsibilities of management and an integral part of all organisational processes, including strategic planning and all project and change management processes.
One of the ways in which an organisation may measure the extent to which risk management is integrated within its organisational processes is by determining whether risk management is considered as part of:
- Strategic planning
- Business planning
- Budgeting
- Performance planning and management
- Project management.
If risk management forms a part of the above-listed processes and is seen to be consistently and correctly applied in those processes, an organisation should be able to confidently say that it practices integrated risk management.
Principle 3: Risk management is part of decision making
AS/NZS 31000 provides the following further information on this principle:
Risk management helps decision makers make more informed choices, prioritise actions and distinguish among alternative courses of action.
The value to be derived from risk management is diminished if risk information is not used for decision-making purposes. Risk information provides significant insight into whether an activity should be undertaken by an organisation or, if so, the extent of risk reduction resources needed to manage the risks associated with delivering that activity. Therefore, it is essential that risk information forms an input into decision-making rather than acting as a separate stand-alone activity.
Some of the factors to be considered when determining whether risk management is a part of decision-making are:
- Have any business strategies or activities been avoided because of the associated risks?
- Have budget changes occurred in order to appropriately manage risks associated with strategies that the organisation has chosen to undertake?
- Have any project business cases been rejected on the basis of the risks that may be created by undertaking the project?
If 'yes' has been answered to any of the above questions, or if you can show evidence of why 'no' was always answered from a risk perspective (that is, because the risks were too low to cause any changes in business practices), then it could be said that risk management forms part of the decision making of the organisation.
Principle 4: Risk management explicitly addresses uncertainty
AS/NZS 31000 provides the following further information on this principle:
Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.
This is a difficult principle to measure; however, it may be possible to measure whether this principle is being followed by determining whether any foreseeable risks have eventuated which were not captured in the organisation's risk register.
Considering that risk management occurs in order to manage uncertainty, it is important that when the risk management process occurs, risks outside of the "norm" are considered. If risks have occurred that were foreseeable on the basis that there was uncertainty in some form in the internal or external environment, these should have been identified as part of the risk assessment process. If they were not, then there is a gap in the effectiveness of the process.
Principle 5: Risk management is systematic, structured and timely
AS/NZS 31000 provides the following further information on this principle:
A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.
Some of the questions that an organisation may ask in order to determine whether it uses a systematic and structured risk management process are:
- Is a single set of consequence, likelihood and overall risk level criteria used across the organisation?
- Are risks reported throughout the organisation in a manner that can be combined to provide one meaningful and consistent reporting format at Board level?
- Are there any independent reviews of the risk ratings or control effectiveness ratings provided by management, for example, by Internal Audit?
- Are there regular risk reviews conducted (e.g. monthly) by individuals who understand the risk and control environment?
If 'yes' was answered to all of the above-listed questions then it is likely that the organisation has a fairly consistent, comparable and reliable risk management approach.
Principle 6: Risk management is based on the best available information
AS/NZS 31000 provides the following further information on this principle:
The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgment. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.
It is important to learn from both past experience and the experience of others when considering the risks to which an organisation may be exposed and the best strategies available for treating those identified risks. As the Standard indicates, sources of information such as audit and incident reports, the outcomes of previous risk assessment exercises, and expert opinions are all important inputs into the risk management process, as is the experience of individuals.
This principle can be demonstrated by ensuring that the right inputs and participants are involved in the risk management process. An example of where this principle may not be met is when only one person has been given responsibility for compiling or updating a risk register, as this may result in a more subjective and influenced outcome.
Principle 7: Risk management is tailored
AS/NZS 31000 provides the following further information on this principle:
Risk management is aligned with the organisation's external and internal context and risk profile.
Some of the ways in which an organisation can demonstrate that it practices tailored risk management are if it has:
- Risk categories that reflect its organisational context; for example, a healthcare organisation is likely to have a risk category around 'patient safety', compared to a Department, which may have a risk category around its 'policy development' role;
- Likelihood, consequence and overall risk level criteria that reflect its risk appetite and tolerance, that is, which are not merely the same as those provided as examples in the AS/NZS 4360 Risk Management Standard; and
- Risk reporting that takes account of existing reporting structures rather than "re-inventing the wheel" for risk reporting.
There are also many other ways an organisation could demonstrate that it practices tailored risk management; however, these will be highly dependent on the nature, size and complexity of the organisation. When considering whether an organisation does practice tailored risk management, look to see whether the organisation's risk management approach is solely a "cut and paste" from a standard or whether the approach being used is tailored to the organisation's objectives, structures and existing processes.
Principle 8: Risk management takes human and cultural factors into account
AS/NZS 31000 provides the following further information on this principle:
Risk management recognises the capabilities, perceptions, and intentions of internal and external people that can facilitate or hinder achievement of the organisation's objectives.
Stakeholder management and communication is an important part of achieving effective risk management. Managing people's risk management perceptions and generating a willingness of people to input into the risk assessment process are essential to its success. Therefore, when reviewing the risk management framework's effectiveness, attention should be paid to whether:
- there is adequate participation in the risk assessment, that is, a cross section of executives, management and staff who have knowledge about a risk area, so as to reduce the subjectivity of assessment outcomes
- input has been gained from external stakeholders who may have an informed view as to some of the risks faced by the organisation, or may themselves form a source of risk
- communication of risk assessment outcomes has occurred in an appropriate manner, for example, the Annual Report includes the attestation (as described in further detail below) and articulates the organisation's approach to risk management
- approval is sought for key risk management documents, including the organisation's risk register, from groups that have the requisite authority to approve such documents and who have authority to direct the right amount of resources to risk management activity.
Principle 9: Risk management is transparent and inclusive
AS/NZS 31000 provides the following further information on this principle:
Appropriate and timely involvement and inclusion of stakeholders and, in particular, decision makers at all levels of the organisation ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.
Evidence of this principle is determined in a similar way to the principle outlined directly above. The other essential component of this principle is that there is sufficient risk reporting and escalation to support effective risk governance and management throughout the organisation. It is important that the Secretariat / Board receives risk reporting on more than an annual basis and that the organisation's key strategic risks are communicated to the lowest organisational levels.
For risk management to be truly effective, all people throughout the organisation should understand how their individual actions contribute to achievement of the organisation's key objectives, and the governing body should be well aware of its risk exposure. Hence the importance of risk reporting and escalation throughout the entire organisation.
Principle 10: Risk management is dynamic, iterative, and responsive to change

AS/NZS 31000 provides the following further information on this principle:

Risk management continually senses and responds to change. As internal and external events occur, context and knowledge change, monitoring and review of risks takes place, new risks emerge, some change, and others disappear.

As an organisation’s environment will change regularly, so will its risk environment. The risks that an organisation is exposed to and the appropriate treatment strategies can change quickly. Therefore, it is important that an organisation has a robust process for monitoring its risk environment and updating its risk register as and when it is required. For example, if an organisation was only undertaking an annual risk review process and, between reviews, no risk or control updates were occurring, this principle may not be met for some organisations; however, whether this inaction resulted in not meeting this principle would still be dependent upon the size and nature of the organisation and the type of risk environment in which it operates.

Principle 11: Risk management facilitates continual improvement of the organisation
AS/NZS 31000 provides the following further information on this principle:
Organisations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organisation.
For an organisation to demonstrate continuous risk management improvement and enhancement, it would need to show that at least annually it is reviewing and updating its risk management framework as required, including but not limited to, documentation such as:
risk management policy
risk management procedure
risk appetite and tolerance documentation
risk reporting formats.

These changes could be identified by:
internal stakeholders who have ideas for process improvements
independent review parties
risk management thought leadership that indicates changes in leading risk management practices.
Toolkit reference:
Appendix : 31000 Principles – 20 Questions to Ask
5.1.4.1 A risk management maturity model

Using a risk management maturity model against which to assess a risk management framework is another available approach to reviewing its effectiveness.

A risk management maturity model should measure the technical design of an organisation’s risk management framework coupled with the extent that the framework is understood and applied consistently, that is, the extent to which risk management behaviours and capabilities are exhibited. It is important to concentrate not only upon whether the “right documents” exist but also to consult a cross section of the organisation to determine whether these documents and the processes contained therein are practised in reality.

A risk management maturity model should allow a framework to be assessed on both design and behavioural aspects in relation to:
governance and oversight including risk management reporting and communication
integration of risk management with other business processes
the existence and use of a risk management strategy, policy and processes.

When assessing the framework it is important to consider whether the following risk management attributes, as contained in the Risk Standard, are evident:
1. An emphasis on continual improvement in risk management through the setting of organisational performance goals, measurement, review and the subsequent modification of processes, systems, resources, capability and skills
2. Comprehensive, fully defined and fully accepted accountability for risks, risk controls and risk treatment tasks
3. All decision making within the organisation, whatever the level of importance and significance, involves the explicit consideration of risks and the application of risk management to some appropriate degree
4. Continual communications with and highly visible, comprehensive and frequent internal and external reporting of risk management performance to all stakeholders as part of a governance process
5. Risk management is viewed as central to the organisation's management processes so that risks are considered in terms of effect of uncertainty on objectives.

Further information is provided on each of these five attributes below:
Attribute 1: An emphasis on continual improvement in risk management through the setting of organisational performance goals, measurement, review and the subsequent modification of processes, systems, resources, capability and skills
Indicators: This would be indicated by the existence of explicit performance goals against which the organisation's and individual manager's performance is measured. The organisation's performance could be published and communicated. Normally, there would be at least an annual review of performance and then a revision of processes, systems, and the setting of revised performance objectives for the following period. This risk management performance assessment is an integral part of the overall organisation's performance assessment and measurement system as applied at the business unit and individual level.

Attribute 2: Comprehensive, fully defined and fully accepted accountability for risks, risk controls and risk treatment tasks
Indicators: Designated individuals fully accept accountability, are appropriately skilled and have adequate resources to check risk controls, monitor risks, improve risk controls and communicate effectively about risks and their management to internal and external stakeholders. This would be indicated by all members of an organisation being fully aware of the risks, risk controls and tasks for which they are accountable. Normally this will be recorded in job/position descriptions, database or information system. The definition of risk management roles, accountabilities and responsibilities should be part of all the organisation's introduction programs. The organisation ensures that those who are accountable are equipped to fulfil that role by providing them with the authority, time, resources and skills sufficient to assume their accountabilities.

Attribute 3: All decision making within the organisation, whatever the level of importance and significance, involves the explicit consideration of risks and the application of risk management to some appropriate degree
Indicators: This is indicated through the examination of the records of meetings and decisions to show that explicit discussions on risks took place. Also, it should be possible to see that all elements of risk management are represented within key processes for decision-making in the organisation, for example, for decisions on the allocation of capital, on major projects and on re-structuring and organisational changes. For these reasons, soundly based risk management is seen within the organisation as providing the basis for effective and prudent governance.

Attribute 4: Continual communications with and highly visible, comprehensive and frequent internal and external reporting of risk management performance to all stakeholders as part of a governance process
Indicators: This is indicated by communication with interested parties being clearly regarded as an integral and essential component of risk management so that communication takes place as part of each part of the risk management process. Communication is rightly seen as a two way process so that properly informed decisions can be made about the level of risks and the need for risk treatment against properly established and comprehensive risk criteria. Highly visible, comprehensive and frequent internal and external reporting of both significant risks to the organisation and of risk management performance contributes substantially to effective governance within the organisation.

Attribute 5: Risk management is viewed as central to the organisation's management processes so that risks are considered in terms of effect of uncertainty on objectives
Indicators: The organisation's governance structure and process are founded on the management of risk. Effective risk management is regarded by managers as essential for the achievement of the organisation's objectives. This is indicated by managers' language and important written materials in the organisation using the term “uncertainty” in connection with risks. This statement is also normally reflected in the organisation’s statements of policy, particularly that relating to risk management. Normally, this attribute would be verified through interviews with managers and through the evidence of their actions and statements.
Types of activities

When conducting a risk management maturity assessment, it would be expected that the following types of activities would be conducted:
i) Review of risk management documentation
ii) Distribution of a survey (optional or may replace the meeting process)
iii) Conduct of meetings with key internal, and where appropriate external, stakeholders
iv) Preparation of a report outlining findings and proposed recommendations.

Each of these activities is described in further detail below.

i) Review of risk management documentation

The first step towards developing an in-depth understanding of a risk management framework is to undertake a review of current risk management and governance documentation. The types of documents that would typically be reviewed include:
risk management policy
risk management process and strategy documents
risk identification and assessment tools and templates
risk management training program and materials
risk tolerance documentation including likelihood, consequence and overall risk level criteria
risk registers
risk reports.

ii) Distribution of a survey

A survey can be used to determine the current understanding of risk management, both more generally and in the context of the organisation’s established risk management strategy. A survey would typically be used in larger organisations and is a useful tool for ascertaining the level of risk management knowledge and capability at lower organisational levels. A survey would usually ask similar questions to those outlined below under ‘conduct of meetings’.

The use of a survey is optional; however, if it is chosen to be used then it should be distributed prior to the conduct of meetings. This is because the meetings can then be used to confirm and, where necessary, clarify the information provided in the survey.

iii) Conduct of meetings

It is important to promote understanding and support of the risk management process by key individuals within an organisation. Therefore, as part of a maturity assessment it is important to conduct interviews with key executives / managers to gain insight into their current risk management understanding and to ascertain their views as to the effectiveness of the existing risk management framework. Meetings can also be used as an opportunity to obtain information on any improvements they consider would assist in further integrating and embedding risk management within the organisation.

The following questions could be asked during these meetings:
How are risk management practices helping you to manage your risks?
Are emerging risks being identified in time to effectively manage them?
What form of risk reporting do you receive?
How is risk information used by the organisation?
Is there a regular review of existing risks?
How are management held accountable for delivery of risk management responsibilities?
Does the organisation have risk champions or risk specialists within certain areas?
How are good risk management practices recognised and rewarded?
How would you describe the risk culture of the organisation?
What business processes incorporate a risk management component?
How is project risk management incorporated into the organisation’s overall risk management approach?
What training have you received in risk management?
How is risk being managed at the lower levels of the organisation?
How effectively are the aims, objectives and benefits of risk management communicated across the organisation?
How does the organisation determine which risk treatment options can be implemented? Is this done on a cost versus benefit basis?
How does risk management assist in overall business management?

iv) Preparation of a report

It is important to record outcomes of a risk management maturity assessment into a formal report so that this information is available for future reference. When presenting assessment outcomes, all findings and supporting information should be included and, where gaps are identified, recommendations provided on how these gaps could be closed.
Toolkit reference:
Appendix: VMIA Risk Framework Maturity Model
5.2 Risk management attestation

(Framework map: Developing, Implementing, and Monitoring and Enhancing a Risk Management Framework; this section covers the Attestation Process within Monitoring and Enhancing a Risk Management Framework.)

5.2.1 What is it?

The Victorian Government Risk Management Framework (VGRMF), released in 2007, brings together information on governance policies, accountabilities, and roles and responsibilities for all those involved in risk management across the State.

One of the more significant requirements under the VGRMF is the need for accountable officers (in departments) and the chair of the board (in statutory bodies) to “attest” in their organisation’s Annual Report that:
Risk management processes consistent with the standard (AS/NZS 31000:2009) or equivalent are in place,
An internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures and
The audit committee (for a department) or board (for a statutory authority) verify the assurance made and that the risk profile has been critically reviewed within the last 12 months.

5.2.2 Why do it?

It is recommended that all public sector agencies adopt the VGRMF; however, it is mandated under Standing Direction 4.5.5 of the Minister for Finance ‘Risk Management Compliance’ for those agencies that report in the Annual Financial Report for the State of Victoria. This applies to approximately 300 public bodies. The majority of these are departments and larger public sector agencies. Attestation is effective for annual reports completed or issued after July 2008.

5.2.3 Roles and responsibilities

Secretaries, chief executive officers, and management of departments and agencies are ultimately responsible for developing and implementing risk management processes and internal control systems, and managing and continuously improving these processes and systems.

The audit committee should take a leading role in the governance and oversight of the department or agency and be actively involved in the monitoring and review of risk management process and control systems.

The accountable officers (in departments) and the chair of the board (in statutory bodies) will be required to “attest” in their organisation’s annual report, and the audit committee (for a department) or board (for a statutory authority) will be required to verify the assurance made and that the risk profile has been critically reviewed within the last 12 months.

5.2.4 Risk frameworks – the current status

The VMIA (through our Risk Framework Quality Review program) has formed the opinion that the majority of public sector departments and agencies have adopted the Australian Risk Standard and are evolving their risk frameworks and risk maturity levels. These findings are consistent with those noted in the Victorian Auditor General’s report ‘Managing Risk Across the Public Sector: Towards Good Practice’ (2007).

The VMIA recognises that organisational risk frameworks and maturity will vary according to many factors including size, risk appetite and contextual aspects. There is no one size fits all model for risk management, nor is there a singular attestation model. Attestation is relative to risk maturity and a department’s or agency’s attestation should reflect this.

5.2.5 So what is new or different?

The attestation builds upon current directives and legislative requirements. It extends these to mandate use of the Risk Standard and focuses agencies on an organisation wide approach to risk management, both of which are widely understood and adopted throughout the public sector. The most significant change is the requirement to attest in an organisation’s annual report on the effectiveness of a department’s or agency’s risk management framework.

5.2.6 Implementation

The VMIA has developed a number of key principles to guide departments or agencies that underpin the attestation process, some of which include:
Attestation is intended to provide “assurance” or demonstrate “performance”. It should not be merely a compliance or “box-ticking” exercise.
Keep the attestation framework and process as pragmatic and relevant as possible.
The Agency’s maturity, size, complexity and risk appetite needs to be considered, since “attestation is relative to maturity”.
A model, similar to the Australian Stock Exchange’s "if not, why not" reporting style should be used. Thus if the Agency does not attest, you should explain why not and what you are planning to do about improving over the coming year.

It is essential that a department or agency treat the attestation requirement as a formal process. Initially this may require the application of project management principles to ensure the development of an attestation system or framework. Once completed this system should be integrated into risk, compliance and annual reporting processes.

Key stages would include:
Current state assessment/gap analysis against the Risk Standard and organisation wide risk models
Review of current risk and compliance reporting frameworks for compliance/gaps/synergies
Education programs for board, management, auditors, planning, risk management and annual reporting staff about the VGRMF, accountabilities and actions.
Development of attestation policy, process maps and systems
Rollout and embed procedures into core operations
Review, report and refine policies and procedures

5.2.7 The attestation framework

The objective of the VGRMF is to promote sound risk management principles that embed risk management across all-important practices and processes throughout the organisation. Thus attestation is intended to provide “assurance” or demonstrate “performance” that this is being achieved.

It is essential that accountable officer/chair of the board “attestors” and audit committee/board “verifiers” act in accordance with the above and do not treat the attestation process purely as a compliance exercise.

Whilst each entity will have its own tailored attestation framework, all entities will benefit from keeping management and the board fully informed of the range and breadth of risk management processes, and control activities undertaken across the department or agency. In a risk mature organisation this will already be occurring.
A level of assurance will be required to support the attestation that:
The Agency has risk management processes in place consistent with the Australian/New Zealand Risk Management Standard (or equivalent designated standard) and
The Agency’s risk profile has been critically reviewed within the last 12 months.

This could be satisfied by:
Evidence of third party reviews of the risk framework (e.g. VMIA RFQR, internal/external audit or risk service providers)
A management self assessment or report on the application of and adherence to the Risk Management Standard
Risk management strategies and business/action plans
Details of management, executive, board risk assessments/workshops conducted over the past year

A key element in support of the overall attestation is assuring “the executive understand, manage and satisfactorily control risk exposures”. This may be demonstrated through a cascading sign off process linked to an entity’s risk or control register.

(Cascading sign off: Management Sign Off, Executive Sign Off, Secretary/Chairman Attestation, Audit Committee/Board Verification.)

Annual plan/s or calendar/s of risk and assurance activities will be of use. These could include:
the range/frequency of risk and audit reports
dates of formal risk and audit meetings of management and the board
the number/type of audits completed in support of the organisation’s risk framework and key risks
the number/type of risk assessments/workshops conducted across the entity.

The risk and audit plans and calendar would need to be supported by an effective management process, including reporting and follow up of recommendations, action items and risk mitigation plans.
In order to complete the process an entity may include a formal report or submission to the audit committee or the board. If the board or audit committee is fully informed of the risk and assurance program throughout the year, (in a manner described above) a formal report may suffice. If, however, the reporting processes or risk maturity are immature, then it would be likely that an entity will need to demonstrate activities more fully.
5.2.7.1 Example attestation statements

Examples of attestations that could be used are set out below:
Examples of Risk Management Attestation
There may however, be reasons that a department or agency may wish to modify the sample attestation wording. Reasons may include the risk maturity of the department or agency, the progress being made towards implementation of a risk framework, incomplete coverage of organisation units, divisions or risk types or the inability to adequately determine the level of “satisfaction” over controls or risk exposure.
Should a department or agency choose to modify the sample attestation wordings, an explanation as to why such modification is required should be made. The VMIA proposes a model similar to the Australian Stock Exchange’s "if not, why not" reporting style. This means that if the department or agency cannot attest, for whatever reason, they should explain why not and what they are planning to do about their risk management framework and process, and control systems over the coming year.
The VMIA would not see this as a negative or non-compliance. On the contrary, this could be seen as providing leadership and direction to improve an entity’s risk framework and in accordance with the intent of the VGRMF.

5.2.8 In summary

Attestation is intended to provide “assurance” or demonstrate “performance”. It should not be merely a compliance exercise. The department or agency’s attestation process and system should be as pragmatic as possible and in line with the department or agency’s risk maturity, size and complexity.

If a department or agency is to attest without variation, they should have a risk management framework in place that embeds risk management across all-important practices and processes and embodies sound risk principles throughout the organisation.

5.3 Continuous improvement

(Framework map: Developing, Implementing, and Monitoring and Enhancing a Risk Management Framework; this section covers Continuous Improvement within Monitoring and Enhancing a Risk Management Framework.)

5.3.1 What it is

The Risk Standard clearly articulates the continuous improvement loop that supports the ongoing effectiveness of a risk management framework. Set out below is the diagram provided within that Standard to demonstrate this process.

Continuous Improvement Process (ISO31000)
5.3.2 Why do it?

Continuous improvement and change management is essential in ensuring the ongoing relevancy and effectiveness of risk management activities within an organisation. To achieve the greatest benefits from continuous improvement, it must span all risk management framework elements including the process, capability, behaviours, tools and templates and reporting structures, and the practices used to manage actual risks.

5.3.3 How to achieve it?

As is evident in the diagram on the previous page, there is a direct link between the outcomes of monitoring and review activities and the continual improvement of the framework. Continuous improvement is supported and informed by both the monitoring and review of risks and controls (as outlined in the ‘Implementing the Risk Management Framework’ section), and the monitoring and review of the risk management framework.

As the continual improvement of a risk framework includes discrete risk management improvement initiatives, it makes sense that there is a clear link between an organisation’s risk management strategy and the initiatives it wishes to undertake to improve its framework. In Section 3 of this guide, the components of a risk management strategy were outlined, including the need for a plan to be developed for the ‘progressive enhancement of the organisation’s risk management practices and competencies’.

The initiatives that are identified during monitoring and review activities should be prioritised and then included within the risk management strategy and risk plans to ensure that they are appropriately approved and supported in their implementation. Inclusion of these initiatives in the strategy will also increase accountability for their delivery and should drive a need to measure their value once implemented, hence the importance of establishing linkages between the various elements of the process outlined in these guidelines.
By continuously improving its risk management framework, a department or agency should obtain benefits including:
Organisational resilience by being more proactive in managing risks as compared to reactive in managing issues
Better governance through regular reporting which strengthens an organisation’s ability to oversee its risks and direct changes in approach where necessary
Increased accountability through well defined risk management responsibilities against which performance is measured
Being able to leverage leading risk management practice in its risk management approach.
5.4 Checklist – Monitoring and reviewing a risk management framework

The following check list provides a number of questions relating to the risk management monitoring and review processes within your organisation. Considering the answer to these questions will help you check your progress in implementing a robust and flexible risk management framework.

The checklist distinguishes between those elements essential to ensure an effective risk framework, and those typically associated with relatively mature or sophisticated frameworks typically found in large organisations.

Toolkit reference:
Appendix O: Risk management checklist

Monitoring and review / enhancement of a risk management framework

# | Section | Requirement | Essential (E)/ Advanced (A) | In place (Yes/No)
1 | Monitor and review | Does your risk process follow the steps described in the Risk Standard? | E |
2 | Monitor and review | Do Internal Audit review risk management processes? | A |
3 | Monitor and review | Is an Internal Audit function/ process in place? | E |
4 | Monitor and review | Do your Internal Auditors focus their time and effort on the most critical risks recorded in the risk register? | A |
5 | Monitor and review | Does the organisation track changes in risk levels over time in order to understand trends/ changes in risk levels? | A |
6 | Monitor and review | Has the risk policy been reviewed and approved in the last year? | E |
7 | Monitor and review | Has the Board and/or Risk Management Committee (or equivalent) made an attestation in the Annual Report in accordance with the Victorian Government Risk Management Framework (if applicable)? | E |
8 | Monitor and review | Is the risk process integrated with other organisational planning processes, for example is risk considered during the strategic planning, budgeting and audit planning processes? | A |
6 Risk management toolkit

6.1 Appendix A: Risk management glossary
6.2 Appendix B: Risk management strategy – template
6.3 Appendix C: Risk management policy – template
6.4 Appendix D: Risk management procedure – template
6.5 Appendix E: Risk rating criteria – template
6.6 Appendix F: Common risk categories for the public sector
6.7 Appendix G: Communication and consultation – plan template
6.8 Appendix H: Risk training slides
6.9 Appendix I: Common example risks
6.10 Appendix J: Risk assessment – template
6.11 Appendix K: Risk management database – MS Access tool
6.12 Appendix L: Risk register – MS Excel template
6.13 Appendix M: Risk management register – worked example
6.14 Appendix N: Risk reporting – MS Word templates
6.15 Appendix O: Risk management checklist
6.16 Appendix P: Risk management information system – checklist
6.17 Appendix Q: VAGO good practice guide