Risk Management Procedure Template


  • 8/16/2019 Risk Management Procedure Template

    1/39

     APPENDIX D:

    Risk Management Procedure – Template


    319305228

    Table of Contents

    Risk Management Procedure
    Template
    Table of Contents
    Introduction
    Definitions
    Objectives of Risk Management
    Benefits of Risk Management
    Roles and responsibilities
    Risk Management Governance Structure
    Relationship with other processes
    Key Process Steps
    One: Communicate and Consult
    Two: Establish the Context
    Three: Identify Risks
    Appendix: Risk assessment templates and heat map
    Risk Assessment Template
    Risk Assessment Treatment Plan Template
    Appendix: Risk Reporting – potential risk reports
    Templates (Examples)
    Risk Profile
    Risk Treatment Actions Status Detailed
    Assurance Coverage of Key Risks
    Risk Management Annual Activity Schedule and Improvement Initiatives
    New and Emerging Threats and Opportunities
    Detailed Risk Register


    Introduction

    The role of this risk management procedure is to provide staff with guidance in how to apply consistent and comprehensive risk management. This procedure provides information on how to identify, analyse, evaluate and treat risks.

    In addition, it identifies other key activities needed for an effective risk management approach. The risk management process contained in this procedure aligns with the Australian Standard for Risk Management (AS/NZS ISO 31000:2009).

    Risk is the chance of something happening that will have an impact on objectives. It is important that we manage risks in order that the negative impact of risks upon achievement of our objectives is minimised and our ability to realise potential opportunities is maximised.

    Set out below is a diagram illustrating how this procedure interacts with other key risk management documents:

    Objectives of Risk Management

    Risk management is a responsibility of all, with specific risk responsibilities being allocated to different groups and levels within the organisation. It is important to have complete and current risk information available as this information assists the to make more informed decisions around both strategic direction and operational objectives.

    Risk management is not a stand-alone discipline but requires integration with existing business processes such as business planning and Internal Audit, in order to provide us with the greatest benefits.

    The objectives of a risk management framework are to:
    • Provide a systematic approach to the early identification and management of risks;
    • Provide consistent risk assessment criteria;
    • Make available accurate and concise risk information that informs decision making including business direction;
    • Adopt risk treatment strategies that are cost effective and efficient in reducing risk to an acceptable level; and

    Roles and responsibilities

    An organisation's ability to conduct effective risk management is dependent upon having an appropriate risk governance structure and well-defined roles and responsibilities.

    It is important for everyone to be aware of his or her individual and collective risk management responsibilities. In order for risks to be effectively managed, it is essential to have people behaving in a way that is consistent with the organisation's approved approach. This indicates that risk management is not merely about having a well-defined process but also about effecting the behavioural change necessary for risk management to be embedded in all organisational activities.

    Set out below is risk management governance structure. This structure illustrates that risk management is not the sole responsibility of one individual but rather occurs and is supported at all organisational levels.

    Risk Management Governance Structure

    Board

    Board
    • Indicate the detailed responsibilities of the Board (if applicable).

    Committee
    • Indicate the detailed responsibilities of the relevant committee (if applicable).

    Chief Executive Officer
    • Indicate the detailed responsibilities of the relevant CEO or relevant position (if applicable).

    Risk Committee
    • Indicate the detailed responsibilities of the relevant internal risk committee or relevant group / forum (if applicable).

    Relationship with other processes

    Risk management is not a stand-alone discipline. In order to maximize risk management benefits and opportunities, it needs to be integrated with existing business processes.

    Some of the key business processes with which risk alignment is necessary are:

    Internal Audit – Internal Audit reviews the effectiveness of controls. Alignment between the Internal Audit function and that of the controls within the Risk Management process is critical, and the role of Risk & Compliance Manager will seek to align these core processes.

    Key Process Steps

    Risk management is a continual process that involves the following key steps:
    • Communicate and consult
    • Establish the context
    • Identify risks
    • Analyse risks
    • Evaluate risks
    • Treat risks
    • Monitor and review

    It is important to follow this process when conducting risk management as this ensures that the approach to risk management is both comprehensive and consistent.

    Process Step | Overview | Process

    comprehensive picture of the risks we face.

    External communication and consultation is targeted at informing external stakeholders of:
    • The organisation's risk management approach
    • The effectiveness of our risk management approach
    • Requesting feedback where appropriate

    Risk management is a key governance and management function, which external stakeholders, including Government and industry, are paying increased attention to. Satisfying these stakeholders that we use appropriate risk management practices will influence their perception of the organisation.

    I t l i ti d lt ti i i d t

    Process Step | Overview | Process

    Context

    1. The external context

    Building an understanding of our external stakeholders and hence the extent to which this external environment will impact on our ability to achieve corporate objectives:
    • Business, Social, Regulatory, Cultural, Competitive, Financial and Political Environments in which we operate
    • It also involves considering our strengths, weaknesses, opportunities and threats

    2. The internal context

    This is aimed at understanding organisational elements and the way they interact, such as:
    • Culture, internal stakeholders, structure, capabilities (in terms of resources such as people, systems, processes and capital), goals and objectives and the strategies in place to achieve th

    Process Step | Overview | Process

    Part of risk identification also involves identifying risks that may arise 'over the horizon'

    Process Step | Overview | Process

    • Identifying controls currently in place to manage the risk by either reducing the consequence or likelihood of the risk;
    • Assessing the effectiveness of current controls;
    • Identifying the likelihood of the risk occurring; and
    • Identifying the potential consequence or impact that would result if the risk was to occur.

    When evaluating the effectiveness of current controls, the factors to consider include consistency of application, understanding of control content and documentation of controls where appropriate. Controls are aimed at bringing the risk within an acceptable level. The evaluation of current controls can occur through several different processes including:

    • 6 t l lf t

    Process Step | Overview | Process

    Possible risk treatment options include:
    • Avoid the risk – change business process or objective so as to avoid the risk;
    • Change the likelihood – undertake actions aimed at reducing the cause of the risk;
    • Change the consequence – undertake actions aimed at reducing the impact of the risk;
    • Share/transfer the risk – transfer ownership and liability to a third party; and
    • Retain the risk – accept the impact of the risk.

    When determining the preferred treatment option, consideration should be given to the cost of the treatment as compared to the likely risk reduction that will result (cost benefit analysis).

    ( l ti th f d t t t ti th f ll i

    Process Step | Overview | Process

    entire risk register will be reviewed, with review participation being broader than solely Risk Owners and Risk Treatment Owners.

    It is also important for the effectiveness of the risk management framework to be monitored and reviewed. This framework drives the extent to which risks will be adequately managed throughout the organisation. Monitoring implementation of the Risk Management Strategy is one available monitoring mechanism.

    In addition, the risk management framework itself will be reviewed annually, with results being reported to the ARC and the Board. As risk management developments are constantly occurring, this review mechanism will provide us with information on current risk management developments, facilitating us making continuous risk management improvements.

    Risk Reporting

    Set out below is a diagram illustrating how the risk management reporting process fits into overall risk management framework.

    [Diagram labels: Corporate Plan 2007 - 2010; Business Plan 2007 - 2008; Risk Policy; Risk Management Process; Risk Tools; Risk Management Reporting Framework; Risk Strategy 2007 - 2008]

    Risk management reporting is a key element of the 'Monitor and Review' phase of the risk management process, and needs to occur at each step of the process. This risk management reporting process supports a formalised, structured and comprehensive approach by to the monitoring and review of its risks, thereby enhancing its risk management process.

    Risk Management Reporting Responsibilities

    Group | Responsibilities

    Board
    • Review reports

    • Identify new and emerging risks

    Risk Owners
    • Monitor and review the risks which they own
    • Prepare reports for the risks which they own
    • Provide the Risk and Compliance Manager with information on the risks which they own
    • Identify new and emerging risks

    General Manager, Finance and Corporate Services
    • Review reports prepared by the Risk and Compliance Manager
    • Provide executive support to the Risk and Compliance Manager, for example, requiring timely provision of risk information from the organisation to the Risk and Compliance Manager
    • Identify new and emerging risks

    Risk and Compliance Manager
    • Prepare reports
    • Gather risk information from the relevant organisational people, for example, Risk Owners
    • Identify new and emerging risks

    Management and Staff
    • Provide risk information to those that request it

    Risk Level | Escalation Recipient | Timing
    High
    Significant
    Medium
    Low

    Risk Reports and Recipients

    Report Type

    Access to Risk Management Reporting Framework

    The Risk Management Reporting Framework will be made available to each employee of

    The Risk Management Reporting Framework will be available as follows:
    •
    •

    References

    For further information on risk management, the following documents provide a comprehensive and practical overview:
    • AS/NZS ISO 31000:2009 – Risk management - Principles and guidelines
    • ISO Guide 73:2009 – Risk management - Vocabulary
    • IEC/ISO 31010:2009 – Risk Management - Risk assessment techniques
    • HB 327:2010 – Communicating and consulting about risk
    • AS/NZS 5050:2010 – Business continuity - Managing disruption-related risk

    Appendix: Risk Control Likelihood Consequence Rating

    The following were endorsed by the in for. These will be subject to review in

    Control Effectiveness Rating Criteria

    Rating | Definition | Indicators

    Likelihood Rating Criteria

    Rating | Descriptor | Frequency | Description

    Consequence Rating Scale

    Description Rating | Financial | Service Quality | Reputation | People & Knowledge | Stakeholders | Compliance, Governance & Legal | Systems & Processes

    Appendix: Risk assessment templates and heat map

    RISK FOR
    – UPDATED AND ENDORSED BY THE

    Owner | Risk Description | Risk Category | No | Consequence | Likelihood | Risk Rating

    Risk Assessment Template

    Title: Risk Assessment
    Completed By:
    Category:   Date Assessed:

    Identify Risks | Analyse Risks | Evaluate | Action
    Risk – Description / Impact | Cause | Existing Controls | Control Assessment | Risk Assessment | Treat Risk?
    Risk Assessment: Consequence, Likelihood, Risk Rating
    Treat Risk?: Avoid Risk, Accept Risk, Reduce Risk, Transfer Risk, Increase Risk

    Risk Assessment Treatment Plan Template

    Risk Owner:
    Preferred Risk Treatment and Objective

    Treat Risks | Monitor & Review | Insurance | KRI KCI
    Risk Treatment / Action Plan | Accountabilities | Timelines | Risk Rating Review / Monitor | Insurance Status | Measurement and monitoring
    Insurance Status: Insurable? Insured?

    Appendix: Risk Reporting – potential risk reports

    Risk Profile

    Purpose

    The Risk Profile Report provides a graphical representation of the placement of key risks on a heat map. This report provides a quick reference for Directors and Executives as to the organisation's risk exposure. It helps to guide the allocation of resources to treat those risks, which pose the biggest threat, both in terms of likelihood and consequence. This report is a snapshot of the organization's current organisational risk profile.

    In addition, the Risk Profile Report will document the extent of risk rating changes that have occurred and explain the known or likely reasons for the change. The types of reasons that might be presented include:
    • Change in operations
    • Internal Audit findings indicate that controls are less effective than anticipated
    • Implementation of risk treatment actions

    Risk treatment actions status - detailed 

    Purpose

    The Risk Treatment Actions Report contains a status update on progress against approved risk treatment actions. People are more likely to deliver upon what they are measured against. Therefore this report increases accountability for delivery against agreed risk management actions. It also provides comfort to Directors and Executives that risks are being treated as anticipated.

    Information included
    • Risk description
    • Risk rating
    • Description of the risk treatment action
    • Date for completion of risk treatment
    • Person(s) responsible
    • Status (e.g. in progress, completed)
    • Additional comments (e.g. specific detail around the status)

    • Description of the assurance activities – Previous year
    • Description of the assurance activities – Current year

    The key findings of assurance activities, as they influence risk, would be reflected in the organisation's Risk Profile Report within the 'reason for change' column.

    Risk management annual activity schedule and improvement Initiatives

    Purpose

    The Risk Management Improvement Initiatives Report tracks progress against the risk management improvement initiatives approved to be implemented over the coming year. It provides assurance around the continual improvement of the risk management processes and practices.

    Information included
    • Description of the initiative;

    This report is a summary risk register that includes the following information:
    • Risk description;
    • Risk category;
    • Risk rating;
    • Causes;
    • Impacts; and
    • Current controls.

    The would then determine whether the risks contained in this report warranted inclusion in the risk register. Where risks are included in the risk register, the Audit and Risk Committee and the Board would have visibility of the new risk information in the Risk Profile Report.

    Detailed risk register

    Purpose

    The Detailed Risk Register Report contains all information contained in the risk register. All information provided in other risk reports should be reflected in the risk register. This report is only

    Templates (Examples)

    Risk Profile

    LIKELIHOOD / CONSEQUENCE | Insignificant | Minor | Moderate | Major | Extreme
    Almost Certain: 6
    Likely: 2,3   8
    Possible: 1   15   9,5,10
    Unlikely: 7   13   12,4
    Remote: 14   11

    Rank | Ref | Risk Category | Risk Description | Rating | Trend | Reason for Change | Improvement Required? | Improvement Status
    1 | 6 | | | High | | <reason for change> | |
    3 | 5 | | | Significant | | <reason for change> | |
    4 | 10 | | | Significant | | <reason for change> | No |
    5 | 12 | | | Significant | | <reason for change> | No |
    6 | 4 | | | Significant | | <reason for change> | |

    1. Risk Treatment Actions Status – Detailed

    Ref | Risk Description | Rating | Treatment Actions | Due Date | Responsible Person | Status | Comments
    6 | | High | 1 | <date> | <person responsible> | In progress | 95% complete (example)
      | |      | 2 | <date> | <person responsible> | Completed |
      | |      | 3 | <date> | <person responsible> | In progress |
      | |      | 4 | <date> | <person responsible> | Completed |
    9 | | Significant | 1 | <date> | <person responsible> | In progress |
      | |             | 2 | <date> | <person responsible> | In progress |
      | |             | 3 | <date> | <person responsible> | Completed |
      | |             | 4 | <date> | <person responsible> | In progress |

    Status key: Completed | In Progress | Overdue

    Assurance Coverage of Key Risks

    Rank | Risk Description | Control / Treatment | Risk Rating | Trend | Assurance Activities – Previous

    Risk Management Annual Activity Schedule and Improvement Initiatives

    Improvement Initiative | Action | Responsible Person | Due date | Achieved | Comments

    New and Emerging Threats and Opportunities

    Title: Risk Assessment
    Completed By:
    Category:   Date Assessed:

    Identify Risks | Analyse Risks | Evaluate | Action
    Risk – Description / Impact | Cause | Existing Controls | Control Assessment | Risk Assessment | Treat Risk?
    Risk Assessment: Consequence, Likelihood, Risk Rating
    Treat Risk?: Avoid Risk, Accept Risk, Reduce Risk, Transfer Risk, Increase Risk

    Detailed Risk Register

    Title: Risk Assessment
    Completed By:
    Category:   Date Assessed:

    Identify Risks | Analyse Risks | Evaluate | Action
    Risk – Description / Impact | Cause | Existing Controls | Control Assessment | Risk Assessment | Treat Risk?
    Risk Assessment: Consequence, Likelihood, Risk Rating
    Treat Risk?: Avoid Risk, Accept Risk, Reduce Risk, Transfer Risk, Increase Risk

    Risk Owner:
    Preferred Risk Treatment & Objective

    Treat Risks | Monitor & Review | Insurance | KRI KCI
    Risk Treatment / Action Plan | Accountabilities | Timelines | Risk Rating Review / Monitor | Insurance Status | Measurement and monitoring
    Insurance Status: Insurable? Insured?