1 Developing a Risk Profile (1)


  • 8/13/2019 1 Developing a Risk Profile (1)

    1/15

    Risk Insight Series

    Developing a Risk Profile


Developing A Risk Profile

    Front Cover taken from the VMIA Corporate objectives

THEMES and OBJECTIVES

Alert: Deliver timely advice to Government.

Prevent: Implement quality risk management advice and support to clients.

Protect: Tailored and Appropriate Insurance Products and Services.

Enable: Ensure that client needs are understood and addressed.

Establish and retain an internal capability.

    Disclaimer

This Risk Insight communication provides general information, current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to actions being taken on any of the information.

VMIA disclaims all responsibility and liability arising from anything done or omitted to be done by any party in reliance, whether wholly or partially, on any of the information. Any party that relies on the information does so at its own risk.

    Acknowledgments

VMIA would like to acknowledge the contribution of Australian Risk Services Pty Ltd in the development of this document.

    Version

    SPO RI-1 1107


    Introduction

During the 2006 Risk Framework Quality Review it was identified that many organisations were unclear on the concept of what their risk profile was or how to accurately define one. This edition of Risk Insights seeks to clarify the role, function and development of a Risk Profile.

    Risk Management Background

The Australian and New Zealand Risk Management Standard, AS/NZS 4360:2004, defines risk as: "...the chance of something happening that will have an impact on objectives."

Corporate governance can be defined as the system by which organisations are directed and controlled. It is concerned with improving the performance of companies for the benefit of stakeholders. Risk management contributes to good corporate governance by providing reasonable assurance to boards and senior managers that the organisational objectives will be achieved within a tolerable degree of residual risk (defined by AS/NZS 4360 as risk remaining after implementation of risk treatment).

Risk management is a comprehensive process, supported by appropriate strategies and frameworks that are designed to identify, analyse, evaluate, treat, monitor and communicate those risks that could prevent a department or agency from achieving its objectives. It covers strategic as well as operational, financial and compliance risks. The Victorian public sector and the private sector use the term enterprise-wide risk management to describe this comprehensive approach.

This document is intended to provide an overview of the key elements of establishing a risk profile. It is not a how-to guide. For more information on how the Australian New Zealand Risk Management Standard AS/NZS 4360 can be applied to the risk management needs of a Victorian public sector agency please contact your VMIA Risk Management Advisor.

    Risk Management Process

The first step is ensuring that you have a sound risk management framework, consistent with the Australian and New Zealand Risk Management Standard, AS/NZS 4360:2004. Its key elements are noted below:


    Establish the context

    Risk identification

    Risk analysis

    Risk evaluation

    Risk treatment

    Monitor and review

    Communication

The risk management strategy describes the principles that underpin an organisation's approach to risk and should be supported by risk management policies and procedures that describe the processes that will establish the identification, analysis, evaluation, treatment and reporting framework for risk. The purpose of the Strategy is to define how risk management will evolve.

Management of risk is an integral part of good business practice and quality management. Learning how to manage risk effectively enables managers to improve outcomes by identifying and analysing the wider range of issues and providing a systematic way to make informed decisions. A structured risk management approach also enhances and encourages the identification of greater opportunities for continuous improvement through innovation. This will assist you to identify the risks you face and prioritise them according to the likelihood of them occurring and the resulting impact on the business.

It must be emphasised that effective risk management involves more than merely creating a risk profile; all the stages of the process described in the Australian New Zealand Risk Management Standard AS/NZS 4360 are equally important.

For a risk management program to be effective it needs to demonstrate a number of key principles:

It is systematic, structured and evidence based where practicable.

It explicitly addresses uncertainty and the causes of uncertainty.

It is a core organisation process and an integral part of decision making.

It leads to the optimisation of control and maximisation of net benefit.

It is specific to the organisation, applied enterprise wide and tailored to its external and internal context.

It forms part of the organisational culture, is transparent and understood by all interested parties through their inclusion and involvement in the process.

It is dynamic, iterative and responsive to change.

It involves continuous communications and highly visible, comprehensive and frequent reporting of risk.

    This document will however allow you to begin your risk management journey.

Establishing a Risk Profile for your Organisation

The risk profile is a snapshot of the organisation's operating environment and its capacity to deal with key high-level risks and opportunities linked to the achievement of corporate objectives and results.

There are three outcomes as a result of developing the risk profile:

Threats and opportunities are identified.

The current status of risk management within the organisation is assessed and recognised in order to plan risk management strategies.

The organisation's risk profile is defined: key risk areas, risk tolerance, ability and capacity to mitigate, as well as learning needs.

Organisations take stock of their operating environment, identify key risks, and review the organisation's capacity to deal with these risks. The Australian Standard in Risk Management AS/NZS 4360 best represents this process. The stages of Risk Identification, Risk Analysis, Risk Evaluation and Risk Treatment of that standard describe the processes that lead to describing the Risk Profile of an organisation.

Develop risk criteria (Likelihood & Consequence)

Decide the criteria against which risk is to be evaluated. Decisions concerning whether risk treatment is required may be based on operational, technical, financial, legal, social, environmental, humanitarian or other criteria. The criteria should reflect the context initially established.

Criteria may be affected by the perceptions of stakeholders and by legal or regulatory requirements. It is important that appropriate criteria be determined at the outset.

Although the broad criteria for making decisions are initially developed as part of establishing the risk management context, they may be further developed and refined subsequently as particular risks are identified and risk analysis techniques are chosen. The risk criteria must correspond to the type of risks and the way in which risk levels are expressed.

Sample risk criteria and matrix

(Likelihood x Consequence matrix: the grid itself is not reproduced here; its rating legend and consequence descriptors follow.)

Rating legend:

E: Extreme risk, detailed action plan required.

H: High risk, needs senior management attention.

M: Medium risk, specify management responsibility.

L: Low risk, manage by routine procedures.

High or Extreme risks must be reported to Senior Management and require detailed treatment plans to reduce the risk to Low or Medium.

Consequence descriptors, in increasing severity:

People: Injuries or ailments not requiring medical treatment. / Minor injury or First Aid Treatment Case. / Serious injury causing hospitalisation or multiple medical treatment cases. / Life threatening injury or multiple serious injuries causing hospitalisation.

Reputation: Internal review; scrutiny required by internal committees or internal audit to prevent escalation. / Scrutiny required by external committees or ACT Auditor General's Office, or inquest, etc. / Intense public, political and media scrutiny, e.g. front page headlines, etc.

Business Process & Systems: Minor errors in systems or processes requiring corrective action, or minor delay without impact on overall schedule. / Policy or procedural rule occasionally not met, or services do not fully meet needs. / One or more key accountability requirements not met; inconvenient but not client welfare threatening. / Strategies not consistent with Government agenda; trends show service degraded.

Financial: 1% of Budget or (remainder of row not legible in the source).

Define the structure for the rest of the process

Risk identification will generally be unproductive if an attempt is made to consider the organisation or activity as a whole. It is much more effective to disaggregate the activity into categories or key elements. This concept is sometimes referred to as the risk universe.

This involves subdividing the activity, process, project or change into a set of elements or steps in order to provide a logical framework that helps ensure significant risks are not overlooked. The structure chosen depends on the nature of the risks and the scope of the project, process or activity being assessed.

Each topic is somewhat narrower than the activity as a whole, allowing those performing the identification to focus their thoughts and go into more depth than they would if they tried to deal with everything at once. A well-designed set of key elements will stimulate creative thought, and ensure that all important issues are put before those responsible for identifying risks.

(Figure: Risk Universe, Ernst & Young)

Risk Tolerance/Appetite

Risk tolerance and performance expectations should be linked directly at the corporate level. Organisations should understand the correlation between the degree and duration of unfavourable variances from established performance expectations or targets and the level of risk exposure.

An organisation's tolerance for risk varies with its culture and with evolving conditions in its internal and external environments. An organisation's risk tolerance and that of its key stakeholders must be understood, because both will influence and guide decision-making. Management must determine which risks the organisation should accept at which levels, then re-evaluate these choices as circumstances change.

Identify risks

The Australian Standard refers to risk categories to prompt risk identification. Prompt lists include (but are not limited to):

Property

Operational

Compliance

Public Liability

Business Continuity / Disasters

Legal

Occupational Health & Safety

Environmental

Technology

Transaction Processing

Human Resources

Fraud

Security

Where resources available for risk identification and analysis are constrained, the structure and approach may have to be adapted to achieve efficient outcomes within resource limitations. For example, where less time is available, a smaller number of key elements may be considered at a higher level, or a checklist may be used. Building upon this over time will allow you to further develop the framework into a more comprehensive enterprise wide profile.

Analyse the risks

The process of analysis will often commence with a simple qualitative approach that gives a general understanding. Where greater detail or understanding is required, more focused and robust investigation may be needed as well. It is inappropriate to assume that quantitative analysis is superior to qualitative analysis. It is more appropriate to ensure the best approach to fit the situation at hand.

The analysis can be conducted at various points, such as at the outset of a new project, as part of ongoing management, or as a study of what may occur after risks have been treated. Usually the analysis looks at the consequences of the event, should it occur, and the likelihood of the event; both are assessed in the context of the effectiveness of the existing controls and strategies. During the risk identification step many risks will have been identified, and it is often not possible to address all of them.

The risk analysis step will assist in determining which risks have a greater consequence or impact than others. This will assist in providing a better understanding of the possible impact of a risk, or the likelihood of it occurring, in order to make a decision about committing resources to control the risk.

Risk analysis involves combining the possible consequences, or impact, of an event with the likelihood of that event occurring. The result is a level of risk. The risk criteria and matrix shown above describe how this is done for qualitatively rated risks. When accurate quantified risk measures are available, the level of risk may be calculated, e.g.

Level of Risk = consequence x likelihood


    For each risk, you are required to define its Level of Risk using likelihood and consequences criteria.

    Methods of analysis

There are two primary types of analysis. Qualitative methods include evaluation using multi-disciplinary groups; specialist and expert judgment; and structured interviews and questionnaires. Quantitative methods of risk analysis include statistical analysis of historical data; simulation and computer modelling; and statistical and numerical analysis.

    Risk Evaluation

The purpose of risk evaluation is to enable more informed decision-making, based upon an analysis of risk, treatments and priorities. Risk evaluation involves comparing the level of risk found during the analysis process with the risk criteria established when the context was considered.

    Risk treatment

Knowing the risks of an organisation will not of itself reduce the risk exposure. Improvement in the risk environment stems only from the implementation of effective risk controls or treatments. Risk evaluation provides a list of risks requiring treatment, often with associated ratings or priorities. Risk treatment involves identifying a range of options for treating these risks, evaluating those options, preparing treatment plans and implementing them.

Before appropriate treatment actions can be determined, the analysis of each risk may need to be revisited and extended to draw out the information needed to identify and explore different treatment options.

The design of risk treatment measures should be based on a comprehensive understanding of the risks concerned; this understanding comes from an appropriate level of risk analysis. It is particularly important to identify the causes of the risks, control effectiveness and gaps so that preventative risk treatments can be applied as well as mitigating treatments that will reduce the consequences, likelihood or the symptoms of risk events.

The treatment plan should include:

Proposed action

Resource requirements

Responsibilities

Timing

Performance measures, and

Reporting and monitoring requirements


It will usually not be cost-effective or even desirable to implement all possible risk treatments. It is, however, necessary to choose, prioritise and implement the most appropriate combination of risk treatments. Treatment options, or more usually combinations of options, are selected by considering factors such as costs and benefits, effectiveness and other criteria of relevance to the organisation. Factors such as legal, social, political and economic considerations may need to be taken into account.

Treatment of individual risks will seldom occur in isolation and should be part of an overall treatment strategy. Having a clear understanding of a complete treatment strategy is important to ensure that critical dependencies and linkages are not compromised. For this reason development of an overall treatment strategy should be a top-down process, driven jointly by the need to achieve business objectives while controlling uncertainty to the extent that is desirable.

It is prudent to be flexible and consult broadly about risk treatment with stakeholders and perhaps the wider community as well as peers and specialists. Many treatments need to be acceptable to stakeholders or those who are involved in implementation if they are to be effective and sustainable. If after treatment there is residual risk, a decision should be taken about whether to retain this risk or repeat the risk process.

The Risk Register

A key step is to produce a document depicting the organisational risk profile. This usually flows from the risk register. The objective of the risk register is to capture, rank and report on risk. Therefore you need:

A database, spreadsheet or specialist system to capture and report.

A scoring mechanism for risks and controls to enable ranking of risk; usually the Level of Risk described above is used for this purpose.

The register captures the results of the environmental scans, risk assessment and analysis, and identifies areas requiring corporate decisions or direction regarding risk management strategies. Organisations have developed various ways to present results, including matrices, risk maps, and reports with summaries by risk area.


    Use of a Risk Profile

The corporate risk profile is also intended to inform staff and stakeholders about the following:

risks emerging from the changing operating environment;

priority risks and how such risks are to be mitigated and managed;

risk tolerances and how they are to be communicated;

current capacity of the department to manage and mitigate significant risks; and

learning and support needs, structures, and actions to sustain integrated management of risk within the organisation.

(Figure: Sample of risk profile)

The corporate risk profile is updated annually and approved by senior management.

A risk profile may be represented in the form known as a heat map. (Figure: Heat map)
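The scoring, ranking and reporting mechanism described in the Analyse the risks, Sample risk criteria and matrix, Risk Register and heat map passages above, worked through as an added example in Python. This is not code from the original document or from VMIA. Only the E/H/M/L legend, the rule that High or Extreme risks go to senior management with a treatment plan, the "retain or repeat" decision on residual risk, and the consequence x likelihood formula come from the page; the 1..5 scales, the 5x5 grid, the function names and the sample register entries are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed 5x5 grid, MATRIX[likelihood-1][consequence-1] -> rating, on assumed
# 1..5 scales. Only the E/H/M/L legend is the page's; the grid is constructed here.
MATRIX = (
    "LLMHH",  # likelihood 1 (rarest)
    "LLMHE",  # likelihood 2
    "LMHEE",  # likelihood 3
    "MHHEE",  # likelihood 4
    "MHEEE",  # likelihood 5 (almost certain)
)
ACTION = {  # the page's legend
    "E": "Extreme risk: detailed action plan required",
    "H": "High risk: needs senior management attention",
    "M": "Medium risk: specify management responsibility",
    "L": "Low risk: manage by routine procedures",
}
RANK = {"E": 4, "H": 3, "M": 2, "L": 1}
REPORTABLE = {"E", "H"}  # must go to senior management with a treatment plan


def _check(value: int, name: str) -> int:
    """Reject out-of-scale input instead of silently indexing the wrong cell."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer 1..5, got {value!r}")
    return value


def rate(likelihood: int, consequence: int) -> str:
    """Qualitative level of risk: matrix lookup of the (likelihood, consequence) pair."""
    return MATRIX[_check(likelihood, "likelihood") - 1][_check(consequence, "consequence") - 1]


def score(likelihood: int, consequence: int) -> int:
    """Quantified level of risk = consequence x likelihood (the page's formula);
    used here to order risks that share the same qualitative rating."""
    return _check(consequence, "consequence") * _check(likelihood, "likelihood")


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str
    likelihood: int
    consequence: int
    treatment: str = ""
    residual_likelihood: Optional[int] = None   # set once a treatment is assessed
    residual_consequence: Optional[int] = None

    def treated(self) -> bool:
        return self.residual_likelihood is not None and self.residual_consequence is not None

    def current(self) -> Tuple[int, int]:
        """Residual position if treated, otherwise the inherent one."""
        if self.treated():
            return self.residual_likelihood, self.residual_consequence
        return self.likelihood, self.consequence

    def rating(self) -> str:
        return rate(*self.current())


def rank_register(register: List[Risk]) -> List[Risk]:
    """Rank by qualitative rating, then by quantified score, highest first."""
    return sorted(register, key=lambda r: (RANK[r.rating()], score(*r.current())), reverse=True)


def senior_management_report(register: List[Risk]) -> List[Tuple[str, str, str]]:
    """High/Extreme risks that must be reported to senior management, with what is
    still owed: a treatment plan, or (if treated and still above Medium) a
    decision to retain the residual risk or repeat the risk process."""
    report = []
    for r in rank_register(register):
        rating = r.rating()
        if rating in REPORTABLE:
            status = ("residual risk still above Medium: retain or repeat the process"
                      if r.treated() else "treatment plan required")
            report.append((r.risk_id, rating, status))
    return report


def heat_map(register: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Cells of the likelihood x consequence grid, each holding the ids plotted there."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in register:
        cells.setdefault(r.current(), []).append(r.risk_id)
    return cells


# Constructed sample register; these entries are not data from the page.
SAMPLE_REGISTER = [
    Risk("R1", "Ransomware encrypts case-management system", "Technology", 4, 5),
    Risk("R2", "Payroll file sent to wrong recipient", "Transaction Processing", 3, 3,
         treatment="DLP rule plus two-person release", residual_likelihood=1, residual_consequence=3),
    Risk("R3", "Contractor keeps building access after exit", "Security", 3, 4,
         treatment="Access revoked in HR off-boarding", residual_likelihood=2, residual_consequence=4),
    Risk("R4", "Office printer out of toner", "Operational", 5, 1),
]

if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        print(r.risk_id, r.rating(), ACTION[r.rating()])
    print(senior_management_report(SAMPLE_REGISTER))
    print(heat_map(SAMPLE_REGISTER))
```

Two points the register mechanics make concrete: a treated risk is ranked and plotted at its residual position, not its inherent one (R2 drops from High to Medium once its treatment is recorded), and a treated risk that is still High (R3) stays on the senior management list, but with a different status, because the page's rule is that treatment must bring the risk down to Low or Medium or a decision must be taken to retain it.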


    Monitoring and review

Ongoing review is essential to ensure that the risk management plan remains relevant. Factors that may affect the likelihood and consequences of an outcome may change, as may the factors that affect the suitability or cost of the treatment options. It is therefore necessary to repeat the risk management cycle regularly. Periodic reviews of risks and treatment strategies are particularly useful when they are associated with business and strategic plan development and change management.

Actual progress against risk treatment plans provides an important performance measure and should be incorporated into the organisation's performance management, measurement and reporting system along with the Key Risk Indicators. Monitoring and review also involves learning lessons from the risk management process, by reviewing events, the treatment plans and their outcomes.

(Figure: e.g. Treatment Report)


    How VMIA can assist

    Who We Are / What We Do

The Victorian Managed Insurance Authority (VMIA) is a statutory body established to provide risk management services to Victorian State Government departments and agencies.

The VMIA provides risk management advisory services, insurance products and support, and site risk surveys. These services are benchmarked against commercial equivalent practices and organisations. Insurance products provide coverage at levels equivalent to best market coverage, with the value-added risk management services costed within market competitive premiums.

Our Focus

In order to enhance the service we offer, VMIA has introduced a new client centric business model. Corporate wide we have established three centres of excellence in the areas of client service, insurance/risk management products and services, and corporate governance.

A greater focus and emphasis is being placed on meeting our clients' needs through a team of specialists focused on providing strategic risk management consulting services in addition to insurance advice and coverage.

Risk Management Services

The VMIA develops and tailors its Risk Management and Insurance Services to clients' needs. If you would like to know more about our risk services contact your Risk Management Advisor or access the VMIA website at www.vmia.vic.gov.au

Training

The Training Essentials program consists of training sessions, in-house training, seminars and networking events throughout the year. The aim of the Risk Management and Insurance training programs is to equip VMIA clients with the knowledge and skills to understand and plan for risk, and have in place the appropriate insurance policies.

The VMIA launched its new look Risk Leadership In Government seminar in mid July 2007. The series, consisting of workshops and seminars, presents the latest topics in Risk Management and Insurance and provides a great opportunity for participants to engage with leading professionals in the Risk Management and Insurance field.

For more information visit our website at: www.vmia.vic.gov.au

Level 30, 35 Collins Street, Melbourne, Victoria, 3000.

Phone: 03 9911 6900
Fax: 03 9270 6803

Email: [email protected]

Website: www.vmia.vic.gov.au