Risk Management Policy Framework - australiacouncil.gov.au

| P a g e 1

Risk Management Framework Policy

Issue No: 5.0 Date Issued: JUNE 2014 Document Status: FINAL – Approved by Audit & Finance Committee Prepared by: Risk Manager

Document Reference: Policies

Change History

Date     | Change Description   | Reason for Change                    | Author                                  | Issue No
01/10/04 | Creation             |                                      |                                         | 1.1
01/10/05 | Updated              | A&F Committee feedback               |                                         | 1.2
09/03/09 | Updated              | Internal Audit recommendation        | Finance Manager                         | 2.1
10/11/10 | Review               | Alignment with AS/NZS ISO 31000:2009 | Executive Director, Corporate Resources | 3.0
1/7/2013 | Reviewed and Updated | Reflect best practice from Comcover  | Manager, Legal and Compliance           | 4.0
1/6/2014 | Review and updated   | Alignment with PGPAA 2013            | Risk Manager                            | 5.0


TABLE OF CONTENTS

Change History ........................................ 1
1. Introduction ....................................... 3
2. Australia Council Risk Management Obligations ...... 3
3. Policy Intent ...................................... 3
4. Risk Management Framework Principles ............... 5
5. Risk Management Framework Compliance ............... 7


1. Introduction

The Australian New Zealand Risk Management Standard (AS/NZS ISO 31000:2009) defines risk management as the "coordinated activities to direct and control an organisation with regard to risk". Risk arises in all aspects of the Australia Council for the Arts' ("the Australia Council") operations and at all stages within the life cycle of those operations. It offers both opportunity and threat, and must therefore be managed appropriately. Risk management involves establishing an appropriate risk management infrastructure and culture, and applying logical and systematic risk management processes to all stages in the life cycle of any activity, function or operation. By minimising losses and maximising gains, risk management enables the Australia Council to best meet its organisational and strategic objectives.

This policy confirms the Australia Council's commitment to adopting a strategic, consistent and structured enterprise-wide approach to risk management in order to achieve an appropriate balance between realising opportunities for gains and minimising losses. The policy reflects the key principles for managing risk as outlined in the responsibilities under the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the Commonwealth Risk Management Framework – Draft Policy.

2. Australia Council Risk Management Obligations

The Public Governance, Performance and Accountability Act 2013 (PGPA Act) outlines the details of the Australia Council's risk management obligations. It specifies that the Australia Council must establish and maintain:

a) an appropriate system of risk oversight and management for the entity; and

b) an appropriate system of internal controls for the entity,

including by implementing measures directed at ensuring officials of the entity comply with the finance law, including the PGPA Act and associated rules.

The Australia Council has additional risk management related obligations under other legislation and guidelines including, but not limited to:

Australia Council Act 2013.

Public Governance, Performance and Accountability Rule – Section 10 Preventing, detecting and dealing with fraud.

Commonwealth Risk Management Framework – Draft Policy.

Protective Security Policy Framework.

Work Health and Safety (Model) Act.

This policy provides an umbrella framework to enable the consistent and consolidated management of all of the Australia Council's risk management obligations.

3. Policy Intent

Risk Management is an integral part of sound management practice and an essential element of good corporate governance, as it improves decision-making and enhances outcomes and accountability. The aim of this policy is to ensure that the Australia Council makes informed decisions with respect to the activities that it undertakes by appropriately considering both risks and opportunities.


3.1. Policy Objectives

The application of this policy and related framework will provide the basis for:

more confident and rigorous decision-making and planning;

better identification of opportunities and threats;

proactive rather than reactive management;

more effective allocation and use of resources;

improved incident management and reduction in loss and the cost of risk, including commercial insurance premiums;

improved stakeholder confidence and trust;

a clear understanding by all staff of their roles, responsibilities and authorities for managing risk;

improved compliance with relevant legislation;

better corporate governance; and

the development of a more risk aware organisational culture through enhanced communication and reporting of risk.

3.2 Risk Appetite

The Australia Council follows a prudent risk-taking approach in managing the organisation. It defines prudent risks as those seen to contribute to the organisation's capacity to better deliver its mandate, within a range of consequences that are well understood and appropriately mitigated. The Council will manage the organisation in a way that enables it to deliver on its mandate and strategic directions, and that ensures it fulfils its mandate and operates as a high-performance organisation through effective governance by its Board.

The Australia Council's risk appetite broadly relates to two key areas:

1. Risk appetite for funding for the arts

The Australia Council's overall risk appetite for funding for the arts is assessed as moderate and incorporates several factors, including:

Low appetite for risks that could negatively impact the rigour and transparency of the granting processes;

Low appetite for risks that would hinder its ability to be flexible and responsive to changes in the arts environment and economic conditions specifically relating to how the grants support a more diverse range of artists, artistic practice, organizations, and arts activity;

Moderate appetite for risks that could affect our ability to build and sustain reputational strength with key stakeholders;

Moderate appetite for opportunities that could lead to improved internal structure and services that enable the Australia Council to improve its operating performance; and

High appetite for artistic risk related to its support of artistic vision, creativity and innovation, as this is essential to the development and evolution of a vital and diverse arts sector that enriches the lives of all Australians.


2. Risk appetite for financial matters

The Australia Council has a low appetite for financial risks that would negatively impact its cost-effectiveness and investment performance, given the critical importance of managing financial resources appropriately and of maximising its ability to provide funding and support for artists and arts organisations. The Council is exposed to a variety of financial risks as a result of its activities. These include:

Liquidity risk - the risk that the Council will not be able to meet its financial obligations as they fall due.

Treasury risk - The Council currently receives most of its revenue by way of parliamentary appropriation. That revenue is invested in a short-term interest fund until it is required. The Council's parliamentary appropriation is affected by the government's efficiency dividend, and the Council's activities are primarily exposed to price risk, interest rate risk and currency risk.

Public funds risk – the risk that the Council does not ensure that public funds are utilised properly or cost-effectively, in alignment with its strategic objectives.

Fraud risk – the risk of Council resources being used dishonestly to obtain a benefit, or causing a loss by deception or other means.

4. Risk Management Framework Principles

4.1. Key Principles for Managing Risk

The key principles incorporated into the Risk Management Framework are focused on ensuring the framework is:

Structured and linked to the strategic objectives;

An integral part of the overarching governance, financial assurance and compliance frameworks;

Tailored to the needs of the entity and proportionate to the risks;

Dynamic with a focus on continual improvement and maintenance of better practice; and

Managed transparently, with the relevant management accountable for the management of the risks.

Appendix A details diagrammatically how the Risk Management Framework aligns to the strategy and operations of the Australia Council. Risk management will be incorporated into the strategic and operational planning processes at all levels within the Australia Council, including all new activities, ventures and projects prior to commencement, to ensure alignment with risk appetite and organisational objectives.

The risks of the Australia Council will be captured and reported as follows:

1. Risk Management Objectives Profile

This represents a top-down summary of the Australia Council's key risk categories, objectives, related processes and areas of residual risk identified through strategic planning processes, emerging risks and detailed risk profile review. Under the revised Risk Management Framework Policy it is proposed that this profile will be subject to half-yearly review by the Executive Team and the Audit and Finance Committee, to ensure transparent understanding of, and accountability for, the current areas of risk and associated action plans.

2. Detailed Risk Register

The detailed risk register focuses on the specific areas of embedded and control risks associated with the processes which relate to the achievement of the Australia Council’s risk management objectives. It incorporates detailed risk assessment ratings, control effectiveness ratings and action plans. The detailed risk register is reviewed in conjunction with management and forms the basis for assessing residual areas of risks and specific risk control areas where further review, risk management action plans and internal audit may be necessary.


3. Project specific risk reviews

Project-specific risk reviews and registers will be used to assist in managing the specific risks associated with key strategic projects or regulatory requirements including, but not limited to:

Venice – Australia Pavilion

New Grants Allocation Process Project

Fraud Control Policy and Plan

Protective Security Policy Framework

Work Health and Safety Model Act 2012

Crisis Management Plan

Co-mingling – external funding

These reviews will include detailed risk assessment ratings, control effectiveness ratings and action plans, and will be incorporated into the Detailed Risk Register where considered significant.

4.2. Risk Management Assessment Process

Risks will be assessed and managed based on the best practice risk management process in AS/NZS ISO 31000:2009 (Appendix B). The key elements of the Risk Management Process are:

1. Establishing the Context - The Australia Council considers both external and internal factors when identifying and managing risks associated with the achievement of strategic and operational objectives.

2. Risk assessment - The overall process of risk identification, risk analysis and risk evaluation.

3. Risk identification – Identifying risk sources, areas of impacts, events, causes and possible consequences to form a comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives.

4. Risk analysis - Considering the range of causes, sources of risk, consequences and likelihood to produce a risk rating. The rating can then be used to determine further management by the Australia Council.

5. Risk evaluation - The level of risk identified during risk analysis can be ranked and prioritised according to a consistent overall ranking and rating system.

6. Communicate and consult - Effective communication, consultation and education in risk management are necessary to achieve a successful integration of the risk processes into the business.

7. Risk treatment – Selecting one or more options for modifying risks including funding and other resource considerations.

8. Monitoring and review - Continual monitoring and reviewing of risk profiles is essential to maintain the effectiveness and appropriateness of the Australia Council’s risk management profiles, including more specifically, risk treatment plans, risk assessments and to identify emerging risks.

The effectiveness of controls on the risk will modify the risk and its rating.


4.3 Risk Rating Methodology

Risk will be assessed and rated based on the risk rating methodology outlined in Appendix C. This considers two elements of risk:

1. Likelihood rating for the risk occurring – an assessment of the potential frequency of occurrence without reference to known management controls and mitigating processes; and

2. Consequence rating for the risk occurring – an assessment of the potential people, financial, reputation, compliance or business process/system impact.

The level of inherent risk is assessed based on the level of likelihood and consequence. The mitigating processes and controls associated with the inherent risks are then assessed to determine the control effectiveness rating. The inherent risk rating and the control effectiveness rating are then assessed together to provide the residual risk rating and treatment plan, as detailed in Section 4.4.

4.4 Residual Risk Assessment and Treatment Plan

The residual risk is the level of risk that remains within the Australia Council after consideration of all existing mitigating practices/controls. The residual risk provides guidance on the required level of management attention and when treatment plans are required to be developed to ensure management of the risk. The Risk Assessment and Treatment Plan table is as outlined in Appendix D.

5. Risk Management Framework Compliance

5.1. Key Accountabilities and Responsibilities

The Australia Council Audit and Finance Committee will "oversee risk management and risk assessment across the Australia Council", and will advise the Board in relation to its functions.

The Australia Council's Executive Team is responsible for the management of risks and for how the related risk controls are determined, assigned and monitored. The Executive Team will advise the Executive Director, Corporate Resources and the delegated Risk Manager on matters of strategic and operational significance related to the identification and management of risk.

The Executive Team is responsible for ensuring that staff understand their responsibilities with respect to operational risk management, and for developing a risk-aware culture within their areas of responsibility.

Managers and supervisors will ensure that staff within their areas understand their responsibilities with respect to operational risk, and will assist in fostering a risk-aware culture within their area.


A summary of the roles and responsibilities for risk management at all levels of the Australia Council is as follows:

Role | Risk Management Framework Policy responsibility | Frequency

Australia Council Board
  - Review and approve Risk Management Summary Reports and Recommendations made by the Audit & Finance Committee | Half Yearly (June, December)

Australia Council Audit and Finance Committee
  - Review and approve Risk Management Framework and Policy | Annual (June)
  - Review and approve Risk Management Annual Plan | Annual (June)
  - Review of Risk Management Summary Report | Half Yearly (June, December)
  - Review of Insurance | Annual Review (June)
  - Review and approve Risk Management Review reports | Per Risk Management Plan 2014/15

Internal Auditor
  - Review Risk Management Framework and Policy | Annual (June)
  - Incorporate Risk Management Plan control audit requirements into the Internal Audit plan | Annual (June)
  - Liaise with Risk Manager on outcomes of internal audits and control reviews | Ongoing

Executive Director, Corporate Resources
  - Executive owner of Risk Manager and Risk Management Framework | Ongoing

Risk Manager (or delegated person)
  - Prepare and manage Risk Management Annual Plan | Annual (June)
  - Prepare Risk Management Report to Audit and Finance Committee | Half Yearly (June, December)
  - Review of Detailed Risk Register and Risk Management Objectives Profile | Half Yearly (June, December)
  - Facilitate Risk Management training program for Australia Council staff | Annual
  - Monitor Risk Management Treatment Plans | Ongoing
  - Liaise with Internal Audit on outcomes of internal audits and control reviews | Ongoing
  - Provide support for any new Risk Management related matters or projects | Ongoing
  - Management of Australia Council Fraud Control Policy & Plan | Ongoing
  - Oversee the implementation of the risk management obligations under the Protective Security Policy Framework | Ongoing

Executive Team
  - Review of Detailed Risk Register and Risk Management Objectives Profile | Half Yearly (June, December)
  - Risk Management and Compliance sign-off | Half Yearly (June, December)
  - Integrate risk management processes into existing business processes | Ongoing
  - Manage oversight of strategic, financial, operational and governance risk | Ongoing
  - Notify Risk Manager of any changes in risk levels or new initiatives or projects that may expose the Australia Council to risk | Ongoing


5.2 Risk Management and Compliance Statement

As part of their risk management and compliance responsibilities, the members of the Executive Team are required to complete a Risk Management and Compliance Statement on a six-monthly basis. The format of the Risk Management and Compliance Statement is per Appendix E of this policy.

APPENDIX A – AUSTRALIA COUNCIL RISK MANAGEMENT FRAMEWORK

[Diagram: Australia Council Risk Management Framework. The elements shown are summarised below.]

Board – Review Risk Management Summary Report (half yearly)

Audit and Finance Committee – Review Risk Management Summary Report (half yearly); Review Internal Audit / Business Process Review findings

Executive Team – Review/Measure (half yearly); Report and Profile (half yearly)

Business Process Managers – Detailed review (annually); Incremental review (half yearly)

Risk Management Objectives Profile (top-down risks)

Detailed Risk Register (embedded process and control risks)

Business Process Review (Internal Audit)

Inputs: Corporate Plan; Emerging Risks / Opportunities / Projects; Regulatory / External Obligations

Output: Risk Management Action Plans

APPENDIX B – AS/NZS ISO 31000:2009 RISK MANAGEMENT PROCESS

AS/NZS ISO 31000:2009 Risk Management Process

The diagram below, reproduced from AS/NZS ISO 31000:2009, depicts the relationship between the underpinning principles of risk management, the risk management framework, and the risk management process.

[Diagram: Risk Management Policy – Risk Management Framework – Risk Management Process. The principles and framework elements shown are summarised below.]

Principles

a) Creates value
b) Integral part of organisational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organisation

Framework

Mandate and commitment
Design of framework for managing risk
Implementing risk management
Monitoring and review of the framework
Continual improvement of the framework

APPENDIX C – RISK RATING METHODOLOGY

Risk Rating Methodology

Consequence descriptors (in increasing severity)

People: Temporary loss of key staff; Minor impact on staff capability; Unavailability of core skills affecting services; Protracted unavailability of critical skills/people.

Financial / governance: Up to 5% impact on targets or <$10k, minor failure to comply with guidelines; Up to 10% impact on targets or <$100k, major failure to comply with guidelines; Up to 20% impact on targets or <$1m, breach of Commonwealth law and regulations; >20% impact on targets or >$1m, significant sustained breach of Commonwealth law and regulations.

Reputation: Adverse comments in arts press; Adverse article in national press, question by Minister; Intense public, political and media scrutiny; Parliamentary inquiry or sustained adverse national media.

Business Process & Systems: Minimal impact on non-core business operations, the impact can be dealt with by routine operations; Some impact on business areas in terms of delays or systems quality but able to be dealt with at operational level; Breakdown of key activities leading to reduction in business performance, e.g. service/cost delays, client dissatisfaction, breaches; Critical business failure, preventing core activities from being performed.

Risk rating matrix (Likelihood x Consequence)

Likelihood        | Historical / Probability                                                                          | 1 Negligible | 2 Minor    | 3 Moderate | 4 Major  | 5 Extreme
5 Almost Certain  | Has occurred in the past, or circumstances could cause it to occur again                          | Moderate     | High       | High       | Extreme  | Extreme
4 Likely          | Has occurred in the last few years, or circumstances could cause it to occur again in the next few years | Low    | Moderate   | High       | High     | Extreme
3 Possible        | Has occurred at least once in the history of the agency                                           | Low          | Moderate   | Moderate   | High     | High
2 Unlikely        | Has never occurred but has occurred in other agencies with a similar risk profile                 | Negligible   | Low        | Moderate   | Moderate | High
1 Rare            | Is possible, but has not occurred to date                                                         | Negligible   | Negligible | Low        | Low      | Moderate

Control Effectiveness Rating

Good (1) – Current controls will identify risk occurrence or prevent it, enabling effective management.

Fair (2) – Current controls have a reasonable chance of preventing or detecting risk occurrence to enable effective management.

Poor (3) – Minimal chance of the current control framework preventing or detecting risk occurrence to enable effective management.

APPENDIX D – RESIDUAL RISK ASSESSMENT AND TREATMENT PLAN

Residual Risk Assessment and Treatment Plan

The residual risk is the level of risk that remains within the Australia Council after consideration of all existing mitigating practices and controls. The residual risk provides guidance on the required level of management attention and on when treatment plans are required to be developed.

APPENDIX E – RISK MANAGEMENT COMPLIANCE STATEMENT

RISK MANAGEMENT AND COMPLIANCE STATEMENT AND SIGN OFF

Executive Director Name

Executive Director Title

Half Year Period Ending 30 June 2014

1. RISK MANAGEMENT

In accordance with Australia Council’s Risk Management Framework Policy I confirm the following:

Yes / No / If No – Exception details

1.1 The risk management and internal control processes that relate to my area of Executive responsibility are designed and operating effectively to prevent and detect risk and error.

1.2 The staff, consultants, and other external parties working under my direction have been informed of the Australia Council’s Risk Management Framework Policy and are aware of their responsibilities to ensure the risk management and internal control processes are operating effectively to prevent and detect risk and error.

1.3 All known or potential material areas of risk have been reported to the Risk Manager and recorded in the Detailed Risk Register, including detailed risk assessment and risk treatment plans.

1.4 Any changes in risk levels, or new initiatives or projects that may expose the Australia Council to risk, have been reported to the Risk Manager during the period.

2. FRAUD CONTROL

In accordance with Australia Council’s Fraud Control Policy I confirm the following:

Yes / No / If No – Exception details

2.1 The processes and internal controls that relate to my area of responsibility are designed to prevent and detect any fraud risk and incidences of fraud.

2.2 The staff, consultants, and other external parties working under my direction have been informed of the Australia Council’s Fraud Control Policy and are aware of what constitutes fraud and the commitment and responsibilities of preventing and reporting fraud.

2.3 All known irregularities, fraud or misappropriation relating to my area of Executive responsibility have been reported to the Fraud Control Contact Officer for investigation (please provide details of any incidents reported).

3. CODE OF CONDUCT

In accordance with Australia Council’s Code Of Conduct Policy I confirm the following:

Yes / No / If No – Exception details

3.1 The processes and internal controls that relate to my area of Executive responsibility are designed to ensure compliance with the values and conduct standards required under the Policy.

3.2 The staff, consultants, and other external parties working under my direction have been informed of the Australia Council's Code of Conduct Policy and are aware of their obligations.

3.3 All known information about the performance of non-Australia Council work by staff that relates to my area of Executive responsibility has been disclosed and approved in accordance with the policy (please provide details of any information reported).


3.4 All known information about conflicts of interest of staff that relates to my area of Executive responsibility has been disclosed and approved in accordance with the policy (please provide details of any information reported).

3.5 All known gifts, benefits or payments received by staff that relate to my area of Executive responsibility have been disclosed and approved in accordance with the policy (please provide details of any information reported).

4. FINANCIAL REPORTING

In respect of the financial reporting requirements of the Australia Council I confirm the following items relating to my areas of Executive responsibility have been referred to the CFO for inclusion in the financial statements:

Yes / No / If No – Exception details

4.1 All material assets including details of any lost and disposed assets, or assets which may be subject to a valuation adjustment.

4.2 All material liabilities.

4.3 All material contingent liabilities, contingent gains/losses and contingent assets.

5. LEGISLATIVE COMPLIANCE

In respect of the legislative requirements of the Australia Council I confirm the following:

Yes / No / If No – Exception details

5.1 The areas that relate to my area of Executive responsibility are compliant with relevant legislative requirements and there have been no known or reported incidences of a breach of compliance including, but not limited to:

a. Work Health and Safety Act 2011
b. The Australia Council Act 2013
c. Public Governance, Performance and Accountability Act 2013
d. The Privacy Act 1988
e. The Public Interest Disclosure Act 2013

5.2 All requests for external legal advice have been sent to the Legal and Governance Manager to facilitate

In preparing this statement I have discussed the answers and information provided in relation to the statements above with the persons working under my direction and, where considered necessary, have requested or undertaken other follow-up action, as appropriate, to satisfy myself that the answers and information provided represent a fair and reliable assessment. I understand that this Risk Management and Compliance Statement and Sign-off will be provided to the Audit and Finance Committee and the Board in accordance with the Australia Council's Risk Management Framework Policy.

Name: Date signed

APPENDIX F – DEFINITIONS

Risk Management Framework Policy definitions

The Australia Council will adopt a consistent terminology in relation to risk to ensure effective communication and stakeholder awareness of risk and risk management within the Australia Council. In the context of this policy:

consequence means the outcome of an event;

control means the measure that is modifying risk;

likelihood means the chance of something happening;

monitoring means continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected;

level of risk means the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood;

residual risk means the risk remaining after risk treatment;

review means the activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve the established objectives;

risk means the effect of uncertainty on objectives;

risk analysis means the process to comprehend the nature of risk and to determine the level of risk;

risk appetite means the amount of risk that the Australia Council is prepared to accept or be exposed to at any point in time;

risk assessment means the overall process of risk identification, risk analysis and evaluation;

risk evaluation means the process of comparing risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable;

risk identification means finding, recognising and describing risks;

risk management framework means the set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation;

risk management means coordinated activities to direct and control an organisation with regard to risk;

risk management plan means the scheme within the risk management framework specifying the approach, the management components and the resources to be applied to the management of risk;

risk management process means the systematic application of management policies, framework and practices to the activities of communicating, consulting, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk;

risk owner means the person or entity with the accountability and authority to manage a risk;

risk profile means the description of any set of risks;

risk rating means the rating resulting from the application of the Australia Council’s risk assessment matrix on the likelihood and consequence of a risk occurring; and

risk treatment means the selection and implementation of appropriate options for dealing with risk.