
Guide

Risk Management
Developing & Implementing a Risk Management Framework

March 2010

Disclaimer

This document provides general information, current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to actions being taken on any of the information.

The VMIA disclaims all responsibility and liability arising from anything done or omitted to be done by any party in reliance, whether wholly or partially, on any of the information. Any party that relies on the information does so at its own risk.

Principal Author: Victorian Managed Insurance Authority (VMIA)
Version: 1
Date: March 2010
Reviewed by: Stephen Owen
Approved by: Steve Marshall
Distribution: VMIA Public Sector clients
Document Owner: Stephen Owen, Manager: Strategic Risk (VMIA)

Contents
1 Foreword ..... 5
2 Introduction ..... 6
2.1 Purpose ..... 6
2.2 How has the guide been developed? ..... 6
2.3 Scope of the guide ..... 7
2.4 Overview of document ..... 8
2.5 Key definitions and terminology ..... 9
2.6 The role of the VMIA ..... 10
2.7 The need for a risk management guide ..... 11
3 Developing a risk management framework ..... 18
3.1 Overview ..... 18
3.2 Key considerations when developing a risk management framework ..... 27
3.3 Documenting a framework ..... 37
3.4 Risk management governance ..... 45
3.5 Risk management information systems ..... 52
3.6 Checklist: Developing a risk management framework ..... 57
4 Implementing a risk management framework ..... 59
4.1 Overview of the risk management process ..... 59
4.2 Implementing a risk management process ..... 68
4.3 Risk and risk management reporting ..... 114
4.4 Developing desired risk management culture ..... 129
4.5 Checklist: Implementing a risk management framework ..... 132
5 Monitoring and enhancing the risk management framework ..... 135
5.1 Monitoring and reviewing a risk management framework ..... 135
5.2 Risk management attestation ..... 159
5.3 Continuous improvement ..... 165
5.4 Checklist: Monitoring and reviewing a risk management framework ..... 167
6 Risk management toolkit ..... 168
6.1 Appendix A: Risk management glossary ..... 168
6.2 Appendix B: Risk management strategy template ..... 168
6.3 Appendix C: Risk management policy template ..... 168
6.4 Appendix D: Risk management procedure template ..... 168
6.5 Appendix E: Risk rating criteria template ..... 168
6.6 Appendix F: Common risk categories for the public sector ..... 168
6.7 Appendix G: Communication and consultation plan template ..... 168
6.8 Appendix H: Risk training slides ..... 168
6.9 Appendix I: Common example risks ..... 168
6.10 Appendix J: Risk assessment template ..... 168
6.11 Appendix K: Risk management database MS Access tool ..... 168
6.12 Appendix L: Risk register MS Excel template ..... 168
6.13 Appendix M: Risk management register worked example ..... 168
6.14 Appendix N: Risk reporting MS Word templates ..... 169
6.15 Appendix O: Risk management checklist ..... 169
6.16 Appendix P: Risk management information system checklist ..... 169
6.17 Appendix Q: VAGO good practice guide ..... 169

1 Foreword
Managing risk is an increasingly important facet of public sector governance, and one that supports the achievement of public sector objectives. In July 2007, the Government issued the Victorian Government Risk Management Framework. The framework provided clarity around risk management roles and responsibilities across the public sector. Importantly, it also served to engage senior executives in risk management processes through the introduction of an attestation in annual reports of operations. The attestation requires departmental Secretaries and Chief Executive Officers to certify that risk management processes are in place, that risks are effectively controlled and managed, and that the risk profile of the organisation has been critically reviewed within the last twelve months.

The Guide for developing and implementing your risk management framework has been developed in consultation with department and agency representatives to support the implementation of risk management requirements and enhance the practice of risk management throughout the public sector. It is anticipated that the guidelines will assist public sector entities to develop an organisation-wide approach and embed a culture of risk management at all levels of the organisation.

This guide is designed to enable individual entities to build upon and enhance their risk management frameworks, recognising that risk management is a continuous journey of improvement.

Steve Marshall
Chief Executive Officer
Victorian Managed Insurance Authority

GUIDE-DEVELOPING-RISK-FRAMEWORK

2 Introduction
2.1 Purpose
The guide aims to provide practical guidance to Victorian Public Sector Departments and Agencies (referred to hereafter as organisations) for developing, implementing and enhancing their risk management frameworks. The guide aligns with the Australian/New Zealand Standard: Risk management Principles and guidelines (AS/NZS ISO 31000:2009), which was released on 20 November 2009. The guide complements the Victorian Government Risk Management Framework and existing legislation, such as the Financial Management Act 1994 and the Victorian Managed Insurance Authority Act 1996, which prescribe risk management requirements within the Victorian Public Sector.

The guide is primarily targeted at risk managers (or equivalent) and designed to assist them to better embed risk management practices within their respective organisations. The guide may also be used by other stakeholder groups, including the board, executive and employees, during the execution of their risk management responsibilities.

The guide is primarily developed for large organisations; however, the majority of the content is applicable to smaller organisations. Some of the more advanced risk management framework attributes may not be feasible or appropriate for smaller organisations. The guide is developed to support organisations with varying degrees of risk management maturity, recognising that risk management is a continuous journey. The guide includes a number of examples aimed at illustrating how organisations with less mature risk management practices can incrementally enhance and progress their risk management frameworks.

2.2 How has the guide been developed?


This guide was originally developed in 2008 based on the AS/NZS 4360:2004 and the Draft ISO 31000 Risk Standard. This version has been updated to reflect changes to the Risk Standard, notably the adoption of ISO 31000 as the Australian Standard. The original guide was developed in consultation with a broad range of stakeholders, including entities with responsibility for co-ordinating risk management in the Victorian Public Sector and a range of Victorian departments and selected agencies.


2.3 Scope of the guide


The scope of the Guide is focused primarily on providing generic guidance on the management of organisational-level risk. Some guidance is provided on effective management of state-wide and inter-agency risk. The principles and practices described in the Guide follow the Australian/New Zealand Standard: Risk management Principles and guidelines (AS/NZS ISO 31000:2009) and are applicable to all Victorian Public Sector departments and agencies.

[Figure: Scope. Guide types shown: Generic Risk Management Guide & Tools; Sector Specific Risk Management Guide/s & Tools; Whole of Government Risk Management Guide. Risk levels shown: Organisation-level risks; Inter-agency risks; State-wide risks.]


2.4 Overview of document


The document is structured into three key sections:
- Developing a risk management framework (Section 3)
- Implementing the risk management framework (Section 4)
- Monitoring and enhancing the risk management framework (Section 5).

[Figure: Document Structure. Developing a Risk Management Framework: Guidelines (Risk management overview; Core elements of a risk management framework; Risk management information systems) and Toolkit. Implementing the Risk Management Framework: Guidelines (Practical application of AS/NZS 31000 process; Risk and risk management reporting; Developing and progressing your risk management culture) and Toolkit. Monitoring and Enhancing the Risk Management Framework: Guidelines (Monitoring and reviewing your framework; Attestation process) and Toolkit.]

Each section provides guidance on specific topics of developing, implementing, and monitoring/enhancing a risk management framework. The guideline document includes references to templates and good practice examples that are included in the toolkit (see Appendices). Toolkit references are marked as follows:

Toolkit Reference: Appendix XYZ: Appendix name


Practical examples and quotes from those involved in risk management processes, illustrating the experiences of Victorian Public Sector organisations, have been included in the guide. These illustrate how organisations have adapted and customised their risk management systems to meet unique organisational and sector requirements. At the end of each section, a series of questions is asked of the reader relating to the topics covered within the section. These questions serve as a guide to check whether your current risk management framework is in line with key risk management principles, processes and outcomes.

2.5 Key definitions and terminology


The risk management glossary based on the Risk Standard is appended to this document. However, some more common definitions are noted below:

Risk: Effect of uncertainty on objectives. Risk is often characterised by reference to potential events and consequences, or a combination of these. Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

Risk management: Coordinated activities to direct and control an organisation with regard to risk.

Risk management framework: Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.

Australian/New Zealand Risk Management Standard (AS/NZS ISO 31000:2009) (The Standard): The Standard is a generic and flexible standard that is not specific to any government or industry sector. The Standard identifies elements or steps in the risk management process that can be applied to a wide range of activities at any stage of implementation (from the Victorian Government Risk Management Framework).

Organisation: The term organisation, as used within this guide, includes all Victorian Public Sector departments, agencies and entities required to, or expected to, implement sound risk management systems. The term organisation includes the individual business units, subsidiaries or affiliate entities that fall under an agency's direct authority and/or responsibility.

Victorian Government Risk Management Framework (VGRMF): Guidance document released by the Department of Treasury and Finance in July 2007 that was developed to support good practice in public sector risk management. Specifically, the framework provides for minimum common risk management standards for public sector entities and attestation by accountable officers, in annual reports, that risk management processes are consistent with that standard (Victorian Government Risk Management Framework).

Toolkit Reference: Appendix A: Risk management glossary

2.6 The role of the VMIA


Under the Victorian Managed Insurance Authority Act 1996, and as evidenced in the Victorian Government Risk Management Framework, the Victorian Managed Insurance Authority (VMIA) has a key role to play as a central advisor and source of support for the Victorian State Government in relation to non-financial, insurable and non-insurable risks. The VMIA provides the following services:
- advice to Government on whole-of-government downside and upside risks, and to be a conduit of risk and risk management information through advice to the Minister for Finance
- development and maintenance of a statewide risk register
- ensure clients have a risk management framework in place, identify opportunities for improvement and development of the framework
- maintain a centre of excellence in risk management for the Victorian State Government and for public sector entities across Victoria, including provision of products and services that enable entities to develop and improve their risk management frameworks
- educate clients to increase the knowledge and capability across government in risk management.

The VMIA's internal structure is based on the delivery of best practice risk management and insurance products and services to our clients. These services will assist in lifting the level of risk management skills and aid the improvement of risk management practice across the public sector. Due to the VMIA's role in developing a centre of excellence in risk management for the Victorian State Government, it is well placed to develop organisation-wide risk management guidelines for the public sector.


2.7 The need for a risk management guide


The effective management of risks across the Victorian Public Sector (VPS) is critical to ensuring that organisations can deliver on their commitment to the Victorian community. Greater scrutiny over service delivery standards and the expenditure of public funds has required an increased emphasis on the design and implementation of robust risk management practices to enable public agencies to minimise risks in relation to their activities. A number of factors have contributed to increased focus on risk management among Victorian Public Sector organisations. The key factors are:
- Victorian Auditor-General's Office (VAGO) Risk Management Audits
- The Victorian Government Risk Management Framework.

These are described further below.

It is important to emphasise that the Guide is not intended to duplicate or replace the Risk Management Standard or the companion guidelines to the standard, which are excellent documents, endorsed and supported by the VMIA. The guide is intended to reinforce the key elements and principles of risk management with pragmatic advice, tips and guidance, tools and enablers to support the advancement of risk management across the Victorian Public Sector. We recommend those interested in promoting risk management familiarise themselves with the Risk Management Standard and any associated companion guidance documents.

2.7.1 Victorian Auditor-General's Office risk management audits


An audit, Managing Risk Across the Public Sector, conducted by the Victorian Auditor-General's Office (VAGO) in 2003, found that risk management was not yet an established or mature business discipline and that public sector organisations did not rigorously assess risks and evaluate risk controls. The 2003 audit recommended that the public sector be provided with risk management guidelines, processes and procedures. It also recommended that agencies formally identify, assess and manage risks, and that risk criteria link to government policy and organisational objectives.

VAGO conducted a follow-up audit in 2007, Managing risk across the public sector: Toward Good Practice, to determine whether satisfactory progress had been made by departments and selected agencies in developing appropriate risk management frameworks and in applying risk management principles in their organisation. The key findings of the audit included:
- central agencies have provided guidance on risk management through legislation, ministerial directions, and portfolio guidelines, but these are not comprehensive
- departments and agencies have adopted adequate risk management strategies, frameworks and processes that enable them to apply risk management across their organisations
- most departments and almost all agencies did not align their risk assessments to their corporate goals
- departments and agencies prepared risk reports, most of which did not contain sufficient details to enable a clear understanding of how risks are being managed
- all departments and agencies have an audit committee with responsibility to provide oversight of risk management. Almost all of them did not formally endorse the organisation's risk management framework and risk profile for currency and appropriateness
- almost all audited organisations use the standard, but have placed more emphasis on risk assessment (identification, analysis, and evaluation) than on the management of risks (risk treatment, monitoring, review).

VAGO noted in its report that the public sector needs clear guidelines, including minimum standards, about what is expected from them when managing risks. VAGO requested specific guidance on:
- The content of policy and risk management frameworks
- The roles of the secretary, board and executive management; the risk coordination unit/branch; the audit committee; and internal audit
- Applying risk management standards throughout the whole organisation
- Linking risk assessments to corporate goals
- Developing risk registers and risk profiles
- The content of risk reports to executive management and audit committee.


2.7.2 Victorian Government Risk Management Framework (VGRMF)


The Department of Treasury and Finance released the Victorian Government Risk Management Framework (VGRMF). The framework has been developed in consultation with a broad range of stakeholders, including government departments, the State Services Authority and the VMIA. A key benefit of the framework is that it brings together information on governance policies, accountabilities and roles and responsibilities for all those involved in risk management. It also provides a central resource with links to a wide range of risk management information sources.

Key elements of the framework include the adoption of the Standard across public sector entities, and an attestation by the accountable officer that risk management processes are in place, risks are effectively controlled and managed and that the risk profile of the organisation has been critically reviewed within the last 12 months. This framework formalises and builds upon existing processes, as part of the Government's commitment to continuous improvement in public sector governance. The framework also seeks to provide a reference for agencies with regard to the use and application of the standard from an organisation-wide perspective. These requirements are documented in Standing Direction 4.5.5 of the Minister for Finance.

2.7.2.1 Key elements

The framework seeks to strengthen risk management through the key elements noted below:

1. All risk management frameworks and processes must, as a minimum requirement, be consistent with the key principles of the Standard, or designated equivalent.

2. An attestation from agency heads in annual reports that:
- risk management processes are in place consistent with the Standard
- an internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures
- the risk profile of the department or agency has been critically reviewed within the last 12 months
- a responsible body or audit committee verifies that view.

3. The framework also promotes the need to address interagency and statewide risks when developing and implementing risk management processes.

It is recommended that all public sector agencies adopt the framework as a part of good governance and corporate planning processes. However, application of the framework is required by those agencies that report in the Annual Financial Report (AFR) for the State of Victoria. This represents approximately 300 public bodies. The majority of these agencies are VMIA clients. The framework also seeks to provide a reference for agencies with regard to the use and application of the standard from an organisation-wide perspective.

2.7.2.2 Interagency and statewide risks

The VGRMF promotes the need to address interagency and statewide risks when developing and implementing risk management processes. The boundaries between the public and private sectors are becoming more porous, requiring a more holistic view of project or service delivery risk. Equally, the public sector is operating in an environment of shared accountabilities, which cut across specific agency responsibilities and require a coordinated interagency approach to risk management. In this context it is important that risks with the potential to impact across agencies or at a whole-of-government level are communicated or escalated through to potentially affected agencies to enable a coordinated, effective and timely approach to risk management.

2.7.2.3 Risk definitions

Whole-of-government or statewide risks are those risks that will affect the Victorian Community at large. They may be beyond the boundary of one agency to respond to and require a collective, central agency or whole-of-government response.

Example: climate change. Climate change will affect the whole community at almost every conceivable level. It requires strong leadership from government in establishing policy parameters and action plans for a coordinated response.

Interagency risks are those risks affecting the operations of one or more departments or agencies and which may impact the service delivery of other departments or agencies.


Example: Department A changes the funding conditions attaching to community service organisation funding models which ultimately result in a loss of funding and thus withdrawal of services provided by community service organisations. Withdrawal of services results in a shift in demand and impacts upon service demands placed upon Department B.

Risks that impact more than one agency and cannot be managed by one agency or at interagency level, such as the impact of an ageing population or climate change, may require central government coordination of policy initiatives and implementation strategies.

Agency risks are those risks specific to the operations of a single department or agency.

2.7.2.4 Existing whole-of-government processes for managing risk

Current legislation that defines and assigns risk management responsibilities and accountabilities for monitoring and reporting risk includes the:
- Victorian Managed Insurance Authority Act 1996
- Financial Management Act 1994
- Public Administration Act 2004.

Existing whole-of-government processes for managing risk are aligned with legislative requirements, so that oversight of financial, insurable and non-financial risks is undertaken at the whole-of-government level by the:
- Department of Treasury and Finance (DTF)
- Department of Premier and Cabinet (DPC)
- Victorian Managed Insurance Authority (VMIA).

Department of Treasury and Finance

Whole-of-government economic and financial risk management is supported by the Department of Treasury and Finance in partnership with departments and agencies, so that financial matters requiring government decisions are escalated to the Treasurer, the Minister for Finance and/or the Expenditure Review Committee of Cabinet. Committee membership includes the Premier, the Treasurer and the Minister for Finance.

Department of Premier and Cabinet

There are a number of ways in which risks unable to be managed at agency level are currently escalated or reviewed at a whole-of-government level. These include regular monitoring and reporting processes, and reports and submissions to Cabinet and Cabinet Committees. The Department of Premier and Cabinet plays a role in this process by providing briefings on submissions and secretariat support to Cabinet committees.


The Victorian Managed Insurance Authority

The role of the VMIA includes the provision of strategic and operational risk management advice, tools and training to support increased awareness of the risk exposure at the agency, interagency and whole-of-government level. The VMIA's risk management functions include:
- assist departments and agencies to establish programs for the identification, quantification and management of risk
- monitor risk management by departments and agencies
- provide risk management advice to the State
- provide risk management advice to departments and agencies.

As noted in the Victorian Government Risk Management Framework, the VMIA is also charged with developing and maintaining a statewide risk register.

Inter-agency risks

Joined-up government
1.6 That departments and agencies ensure that risk management arrangements are established for all joined-up government initiatives, particularly in the governance arrangements for the initiatives.

Statewide risk management framework
1.8 That DTF, DPC and the VMIA, in consultation with other key stakeholders, develop guidelines for identifying, assessing, managing, escalating and reporting statewide risks.

It is widely recognised that the complexity and connectivity of government and the private sector make the management of interagency and statewide risk a significant challenge, and one not likely to be achieved through a single systemic solution. In supporting its risk advisory role to the State, the VMIA currently captures risk information in a number of ways, including but not limited to:
- Risk framework quality review process, which includes identification of top five agency, interagency and statewide risks
- site risk survey process, which examines public liability and property exposures
- identifying national and international research
- collaboration with interstate peers, industry experts and consultants
- participation in national and international forums on risk and insurance
- collaboration/participation with departments and agencies involved with risk initiatives and projects
- analysis of insurance claims, trends and litigation.

Departments and agencies are encouraged to actively engage in the processes noted above and support the VMIA in efforts to improve risk management across the state and raise interagency and whole-of-government risks to the attention of government. In line with good risk management practice, agencies with responsibility for supporting the government in management of risk at a whole-of-government level will continue to investigate and apply systems to improve the coordination of processes for identifying, assessing, managing, escalating and reporting interagency and multi-agency risks.


3 Developing a risk management framework


3.1 Overview
[Figure: Guide structure. Developing a Risk Management Framework: Overview; Risk Management Framework; Key Considerations When Designing a Framework; Documenting a Framework; Risk Management Governance; Risk Management Information Systems. Implementing a Risk Management Framework: Overview of a Risk Management Process; Risk Management Process; Risk and Risk Management Reporting; Developing Desired Risk Management Culture. Monitoring and Enhancing a Risk Management Framework: Monitoring and Reviewing a Risk Mgt Framework; Attestation Process; Continuous Improvement.]

A risk management framework aims to assist an organisation to manage its risks effectively through the application of the risk management process at varying levels and within specific contexts of the organisation. Such a framework should ensure that risk information derived from these processes is adequately reported and used as a basis for decision making at all levels.

3.1.1 What is a risk management framework?


A risk management framework is defined by the Australian Standard as: "Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation."

The Standard notes that the framework can include:
- The policy, objectives, mandate and commitment to manage risk.
- The organisational arrangements, including plans, relationships, accountabilities, resources, processes and activities.

The framework should be embedded within the organisation's overall strategic and operational policies and practices.


3.1.1.1 Purpose of a risk management framework

The purpose of establishing an organisational risk management framework is to ensure that key risks are effectively identified and responded to in a manner that is appropriate to:
- the nature of the risks faced by the organisation
- the organisation's ability to accept and/or manage risk/s
- the resources available to manage risks within the organisation
- the organisation's culture.

Ultimately risk needs to be managed so that the organisation maximises its ability to meet its strategic objectives as well as associated operational targets and goals. 3.1.1.2 Hard versus soft aspects of risk management For a risk management framework to be effective, there must be an appropriate balance in focus on both the hard aspects of risk management (i.e. processes and structures) and the soft aspects (i.e. culture and people). For example, an organisation may have highly sophisticated processes and structures established to manage risks. However, unless these structures and processes are supported by management and staff with the appropriate competencies, attitudes and behaviours, the framework will most likely be ineffective. The Standard defines risk management as the culture, processes, and structures that are directed towards realising potential opportunities whilst managing adverse effects. This is illustrated in the following figure.

GUIDE-DEVELOPING-RISK-FRAMEWORK

19

Figure: The soft and hard aspects of risk management. Soft aspects: Culture (people). Hard aspects: Structures and Processes. Risk Management: "Coordinated activities to direct and control an organisation with regard to risk." (AS/NZS 31000:2009)

This guide encapsulates both hard and soft risk management aspects:
- Section 3 (Developing a risk management framework) focuses primarily on designing the hard aspects of a framework (structures and processes).
- Section 4 (Implementing a risk management framework) focuses on developing tailored risk management processes in accordance with The Standard and on developing an appropriate risk reporting regime (both from a procedural and structural perspective).
- Section 5 (Monitoring and enhancing a risk management framework) focuses on review, monitoring and continuous improvement of risk management structures and processes, as well as risk management culture and capabilities.
- Section 5.4, which focuses on the soft aspects of risk management, provides guidance on how organisations can develop and enhance a risk management culture.

3.1.2 What are the minimum requirements?


In accordance with the Victorian Government Risk Management Framework, an organisation's risk management framework and processes must, at a minimum, be consistent with the key elements of The Standard.

GUIDE-DEVELOPING-RISK-FRAMEWORK

20

The key elements of the risk management standard are:

- Communicate and consult: communicate and consult with internal and external stakeholders as appropriate at each stage of the risk management process and concerning the process as a whole.
- Establish the context: establish the external, internal and risk management context in which the rest of the process will take place. Criteria against which risk will be assessed should be established and the structure of the analysis defined.
- Identify risks: identify where, when, why and how events could prevent, degrade, delay or enhance the achievement of organisational objectives.
- Analyse risks: identify and evaluate existing controls. Determine consequences and likelihood and hence the level of risk. This analysis should consider the range of potential consequences and how these could occur.
- Evaluate risks: compare the estimated level of risk against the pre-established criteria and consider the balance between potential benefits and adverse outcomes. This enables decisions to be made about the extent and nature of treatments required and about priorities.
- Treat risks: develop and implement specific cost-effective strategies and action plans for increasing potential benefits and reducing potential costs.
- Monitor and review: monitor the effectiveness of all steps of the risk management process. This is important for continuous improvement. Risks and the effectiveness of controls and risk treatments need to be monitored to ensure changing circumstances do not alter priorities.

Figure: the risk management process. Sequence: establish context; identify risks; analyse risks; evaluate risks (identify, analyse and evaluate together make up "assess risk"); treat risks. "Communicate and consult" and "monitor and review" run alongside every step.

Section 4 provides further guidance on how the key principles and elements of The Standard can be practically applied for various areas and levels within an organisation.


Client Comment: What benefits can now be seen from establishing a Risk Management Framework? The benefits are manifold:

At a simplistic level, we are now compliant with the Whole of Victorian Government risk management framework and are aligned to the Risk Standard 4360, so can fulfil the requirements of the risk attestation.

It has made explicit the management of risk and therefore resources can be diverted towards management and monitoring. It has provided objective support for making risk a priority and for aligning it more closely with the audit function.

Risk Manager, Department of Justice

3.1.3 Linking risk management with other processes


Risk management is not a stand-alone discipline. In order to maximise risk management benefits and opportunities, it needs to be integrated with existing business processes. The following lists some of the key business processes with which risk alignment is necessary.

Internal audit

Internal audit reviews the effectiveness of controls. Alignment between the internal audit function and the controls within the risk management process is critical, and the risk, compliance and internal audit manager roles will seek to align these core processes. The requirement to follow a risk-based approach to internal audit planning means that risk management outputs, particularly risk assessment outcomes and risk profiles, need to be available as an input to the internal audit function. Similarly, internal audit plays a critical role in the risk management process, specifically in identifying and assessing operational risks, as well as providing assurance that specific risk controls are well designed and are operating effectively.

Business planning (including budgeting)

Identifying risk during the business planning process allows realistic delivery timelines to be set for strategies and activities, or allows a strategy or activity to be removed if the associated risks are too high or unmanageable. The impact of changing risk levels over the year can then be mapped to the relevant objective, enabling more timely expectation management with key stakeholders.

Performance management

Individual performance plans should include all risk responsibilities, whether a general responsibility to use the risk management process or specific responsibilities such as risk ownership or implementation of risk treatments.

3.1.4 Linking strategic planning and risk


Risk management is a process that aims to enhance an organisation's ability to meet its strategic and operational objectives. Equally, risk management outputs provide boards, executives and management with valuable insights and information that support improved decision making and planning. To maximise the benefits of risk management, it is important that risk management processes be integrated as closely as possible into existing strategic planning and operational processes. Strategic and operational planning is about the formulation, implementation and evaluation of cross-functional decisions that will enable the organisation to achieve its objectives. Risk management is designed to identify, analyse, evaluate, treat and monitor those risks, identified through the strategic and operational planning process, that could prevent the achievement of those objectives. The diagram below shows how the strategic and operational planning process should be integrated and linked to the risk management process. Integrating strategic planning and risk management improves performance and helps organisations implement strategies and achieve objectives.

Figure: Linking strategic planning and risk. Risk Management Process: Establish Context, Identify Risks, Analyse Risks, Evaluate Risk, Treat Risk, Monitor Control & Execution Gap. Strategic & Operational Planning Process: Identify Objectives, Strategy Formulation, Strategy Implementation, Feedback, Update Strategy. The two processes run in parallel and feed each other.


Client Comment: Our hospital produces a strategic plan every three years that guides the organisation's future direction, and reflects the government's broad healthcare objectives and vision. In addition, a business plan is produced annually, which is translated into annual business unit targets, budgets and performance scorecards. Before finalising the strategic and operational plans, the Executive and Board jointly discuss and score the big-ticket risks that could hinder our ability to deliver on the strategy, operational plans and budgets. This is usually done in a formal risk workshop that is facilitated by an external facilitator. Based on these debates we may decide to revise the strategy or operational plans, or to implement additional controls or monitoring mechanisms for high risk areas/processes. When brainstorming and rating the organisation's strategic risks, the Board and Executive prefer to start with a blank page rather than work through all of the risks in the risk register. Our risk officer subsequently updates the risk register to incorporate any new risks identified and adjustments to risk information already in the register. Since involving the Board in annual risk workshops, I have noticed that they are more supportive of risk reporting initiatives and take a specific interest in progress on managing risks that they have identified during the planning workshops.

Executive Management Team Member, Regional Hospital


3.1.5 Incorporating risk management within projects

Many public sector agencies, particularly in the infrastructure cluster, use projects and project management approaches to deliver on their mandates. Projects can be distinguished from normal business processes by the fact that projects have:
- a defined start and end date
- a clearly documented set of deliverables or outputs that need to be delivered on time, within an agreed budget and in accordance with predefined quality criteria for the project to succeed.

Project success criteria, budgets and accountabilities are defined and agreed before the project commences.

Many of the principles of project management are now being applied to ongoing business processes to improve accountability, monitoring and business performance. Organisations that regularly undertake significant projects should already have project management methodologies in place. Common methodologies include the Victorian Public Sector's Gateway standard, PRINCE and PMBOK. Such methodologies commonly stipulate the requirement and approach to managing risk within the project (project risk).

When establishing your organisational risk framework, consider:
- including project management risk as a category of risk against which you report
- whether all project risks are reported in the organisational risk register, or whether the project/programme manager should maintain a separate risk register per project, with only strategic or extreme risks being incorporated into the main risk register and project risk profiles being reported to the project steering committee. The VMIA recommends the latter option.
- establishing customised Likelihood and Consequence scales for major projects: a cost over-run of 100% of a project budget may be Extreme within the context of the project, but only Moderate or Low within the broader organisational context. Similarly, many organisations use project-specific Consequence descriptors, for example:
  - Time (timeframes exceeded)
  - Cost (budget over-runs)
  - Quality (project does not deliver pre-defined quality/functionality criteria)
  - Reputation (adverse publicity, laws breached etc.)
- the frequency of reporting on project risk: typically more frequent than organisational risk updates and reporting. It is common for risk updates to be provided to the steering committee whenever it meets.

Client/ VMIA Perspective: Is project risk well managed in departments and agencies?

In my experience, many organisations do not dedicate adequate priority and resources to managing risks on major infrastructure or IT projects, or do not have the capacity to implement and adhere to project risk management systems. A common mistake is to perform project risk assessments and risk monitoring/treatment techniques too late in the project lifecycle, for example by performing risk assessments after project implementation has started, or even after the project is completed (i.e. a post-implementation review). Experience has shown that the best time to initiate a project risk process is during the project planning/scoping phase. This prevents risks or mistakes being designed into the project plan, budget or deliverables. Another area where clients could improve project risk management is by clearly defining both the risk governance and escalation criteria for major projects. An organisation can deliver successful projects by defining thresholds or triggers that help identify an unacceptable or potentially severe risk, as well as identifying the project/organisational management that need to be informed of these risks. For example, a particular project risk management plan might specify tolerance and escalation thresholds so that project risks meeting the following criteria are escalated to appropriate authorities/stakeholders:

- budget over-run in excess of 30% of project/program budget
- completion date exceeded by more than 2 months
- core project outcomes at risk
- risk of significant damage to the organisation's reputation or breach of legislative requirements.

The VMIA will, in future, be working with Public Sector stakeholders on developing a more comprehensive approach to managing project risk.


3.2 Key considerations when developing a risk management framework



Most Victorian departments and agencies have already adopted risk management practices and frameworks, which, to a greater or lesser extent, are consistent with the Risk Standard. Before developing or revising a risk management framework, the organisation should critically review and assess those elements of the risk management process that are already in place. Some of the key questions that need to be answered are:
- How advanced should the risk management framework be?
- How effective are current risk management practices?
- What is the most effective and efficient way of closing the gap?

These questions are explored in further detail in the following sections.

3.2.1 How advanced should a risk management framework be?


An organisation's risk management framework should ensure that key risks are effectively identified and responded to in a manner that is appropriate to the organisation. No single risk framework will be appropriate for all organisations. Every organisation's board and executive should decide on the appropriate level of risk management sophistication that they aspire to achieve. The desired level of risk maturity may change over time to reflect changes in the organisation's complexity, size and risk appetite.


A number of external and internal factors would need to be considered to determine the appropriate level of risk management maturity. Some of the most important factors are discussed in the following sections.

Figure 2.2: Context for Risk Management. Understanding the context for risk management means considering both the external environment (cultural, political, regulatory, financial, economic) and the internal environment (strategies, objectives, capabilities, processes, structure, systems, culture).

3.2.2 How effective are current risk management practices?


When reviewing the effectiveness of current risk management practices, it is necessary to consider both the hard and the soft aspects of risk management. The two key questions that need to be answered are:
- Are the current risk management practices and framework fit-for-purpose given the organisational context (e.g. objectives, size, complexity, structure, culture, risk appetite etc.)?
- Are they operating as anticipated (i.e. do people do what they are expected to do)?

There are many approaches that an organisation can adopt when assessing the appropriateness of its current risk management practices. For example:
- VMIA's self assessment questionnaire used during the Risk Framework Quality Review (RFQR)
- VAGO's Good Practice Guide
- HB158 Providing Assurance on 4360 Risk Management.

HB158 Providing Assurance on 4360 Risk Management can be purchased from Standards Australia at www.standardsaustralia.com.au.

Toolkit reference: Appendix Q: VAGO Good Practice Guide


3.2.3 Towards organisation wide risk management

There are many names to describe the approach used when looking at all risk across a company, organisation or entity. Such an approach can be referred to as enterprise wide, whole of entity, organisation-wide, holistic, integrated etc. For the purposes of this guide, and to reflect common practice within the Victorian Public Sector, the term organisation-wide has been used to describe this approach.

In general, organisation-wide risk management is the set of risk management practices that aim to look at all risk across a company, organisation or entity. There are many competing definitions and several frameworks that attempt to define organisation-wide risk management, but no universally accepted definition or standard. This is probably because organisation-wide risk management, in practice, differs depending on the background of the practitioner, the size and nature of the company and the time at which organisation-wide risk management was adopted. Organisation-wide risk management is a holistic approach to managing and prioritising responses to critical risks across the organisation in a manner that will support business strategy and plans. Effective risk assessment fundamentally consists of risk identification and evaluation across all areas of the organisation, followed by a process to ensure that critical risks are treated and managed in accordance with the organisation's risk appetite. Organisation-wide risk management seeks to provide a consolidated view of risk across the organisation. The scope of organisation-wide risk management therefore encompasses the use of a common risk language, risk assessment techniques and response strategies across all functional and risk/assurance functions within the organisation, for example:
- occupational health and safety risk
- loss control and internal audit
- legal and regulatory compliance risk
- IT and information security
- healthcare clinical risk
- strategic risk.

Whilst physical hazards and financial management represent significant sources of risk for most organisations, other risk areas such as operational and strategic are often neglected. For many organisations, strategic and operational risks may be the greatest threat to achieving strategic objectives and meeting stakeholder expectations.


For example, misaligned products, supplier problems and cost overruns all apply equally to the public sector, and indicate that organisations need to pay increased attention to identifying and managing their strategic and operational risks. This will assist in achieving objectives and delivering on stakeholder expectations. Public and private sector organisations are increasingly adopting organisation-wide risk management frameworks that provide a holistic approach to identifying, assessing, managing, monitoring and prioritising responses to all critical risks across the organisation in a manner that supports business strategies and plans. The chart below illustrates the key attributes of an organisation-wide risk management framework.

Chart: Risk Management Maturity, ranging from Basic through Mature to Advanced.

Traditional risk management (basic end of the scale):
- emphasis on protecting assets
- focus on physical and financial assets
- risks managed within functional silos
- inconsistent approaches.

Organisation-wide (enterprise-wide) risk management (mature to advanced end of the scale):
- board/executive support of risk management
- clear accountabilities
- appropriate risk oversight structures
- dedicated risk management coordinator
- explicit consideration of both operational and strategic risks
- risk management integrated with operational and general management processes
- clear accountability and timeframes for treatment of risks
- differentiated risk reporting tailored to specific stakeholders
- regular reviews of risks and risk management processes.

3.2.3.1 Optimising risk management maturity

When determining an organisation's desired risk management maturity, the objective should be to maximise the value created through the risk management framework and practices. The value of risk management can be defined as follows:

Value = Benefits − Costs

The cost side of the equation is normally relatively easy to quantify, and would include:
- direct costs associated with increasing the maturity of the organisation's risk management framework, as well as the direct costs associated with maintaining the desired level of risk management maturity
- indirect costs associated with increased focus on risk management activities. This will effectively be the opportunity cost associated with the additional time spent on risk management activities by management and staff.

The benefits of risk management are often harder to quantify. Some of the benefits typically achieved by organisations with advanced risk management practices include:
- an appropriate balance between realising opportunities for gains while minimising losses
- better corporate governance, including risk oversight
- improved decision-making and facilitating continuous improvement in performance
- organisations that manage risk effectively and efficiently are more likely to achieve their objectives and do so at lower overall cost.

The chart below illustrates the value associated with increasing risk management maturity.

Chart: Optimising Your Risk Management Maturity. Vertical axis: risk management value (benefits − costs, in $), from Low to High. Horizontal axis: risk management maturity (Basic, Mature, Advanced). The value curve rises and then falls, peaking at the optimal risk management maturity.


Key observations:
- Target risk management maturity will differ for each organisation depending on a range of internal and external considerations, as outlined above.
- The value of increasing an organisation's risk management maturity will increase as long as the benefits exceed the costs. However, the increase in value is not linear. For example, the value of shifting an organisation's maturity from basic to mature is normally higher than that of shifting from mature to advanced. This is because most organisations can move from basic to mature without spending significant resources, while the benefits are likely to be significant. Moving from mature to advanced is more expensive, as it typically requires significant investment in software and other infrastructure, as well as significant time commitments by management and staff.
- Improving risk management maturity requires time and resources. Time can to some extent be substituted by increased focus/effort. Accordingly:
  - an organisation with limited resources and low risk management commitment would take a very long time to reach the desired level of risk management maturity
  - an organisation with extensive resources and a strong commitment to rapidly enhancing its risk practices may be able to shorten the time required to reach its desired level of risk management maturity.
- Improving risk management maturity requires balanced enhancement: developing a proactive risk management culture and embedding/integrating risk management practices in business processes always takes time.

3.2.4 What is the most effective and efficient way of closing the gap?

Once the organisation has taken a critical look at the effectiveness of the current risk management practices and determined an appropriate level of risk management maturity, it needs to figure out how to get there.


Client Comment: What aspects of risk management did your organisation struggle with? How did you overcome them?

We initially struggled with a negative perception of risk management as the previous incumbent had assiduously followed all elements of 4360, thus making the risk process very complex and hard to engage with. As a result, the risk function had been devolved to those who could become experts or who had the time to devote to it - generally not those in management. This was overcome by stripping the risk process back to its functional elements and focusing on using risk as a tool. Risk also had to be re-presented in a manner that engaged the target audience - for example the executive, looking at the overall context of risk and then drilling down to the state, private sector and departmental level. Trust in the risk process and benefits associated with participation in updating the risk register also had to be developed and built upon. By making explicit the benefits and the associations of risk as a tool (for example, being used to develop the audit workplan), trust was slowly gained. This is an evolutionary process. Having some aspects of risk management as mandatory (Victorian Government risk management framework and risk attestation) has supported this process.

Risk Manager, General Government

3.2.4.1 Developing a plan

The likelihood of successfully enhancing the maturity of your risk management framework to the desired level increases dramatically if you plan it well. The best way to do this would often be through the development of a formal risk management strategy or plan, and associated risk policy and procedure documents. These will outline how the organisation intends to achieve its targeted level of risk management maturity while clarifying the responsibilities and processes for achieving risk management goals.

Toolkit reference:
- Appendix B: Risk management strategy - template
- Appendix C: Risk management policy - template
- Appendix D: Risk management procedure - template
- Appendix Q: VAGO good practice guide


The above templates are examples of information commonly contained within risk documentation. However, the content and level of detail should always reflect the specific context of the organisation and its preferences, size and overall business strategy.

3.2.4.2 Avoiding the common pitfalls

Common areas where organisations struggle with embedding risk management include:
- ensuring business planning is integrated with risk management
- better defining risk descriptions
- improved identification of inter-agency risk management
- aligning risk committees and boards with what's happening on the ground
- linking internal audit and risk management
- improving the quality and content of risk registers
- embedding operational risk management
- identifying controls and their effectiveness
- allocating accountability for risk
- improving risk reporting and measurement
- project risk management.

The following thoughts reflect one organisations view on the essential elements that need to be in place to ensure the success of a risk management initiative:


Client Comment: What lessons have you learned about the requirements for successfully implementing and improving your risk management framework?

Success relies on...
- Demonstrating how risk management can be used in everyday decision making to add value.
- Writing risk management documents using 'non-threatening', almost conversational language.
- Ensuring risk management expectations are achievable - don't put stuff in policy docs that you've got no hope of achieving.
- Busy people want to know that you've got empathy for the challenges they face every day - this must be reflected in the framework.
- Having the executive group demonstrating commitment to the risk framework, not just verbally endorsing it!!
- Don't push to implement at a pace the organisation can't keep up with - this will turn Risk Management into a compliance exercise rather than a cultural change.

Risk Manager, Austin Health

3.2.4.3 Characteristics of high achievers

The VMIA has identified through the Risk Framework Quality Review program that those organisations with well developed and embedded risk frameworks exhibit the following characteristics:
- commitment from the executive and board
- integration of risk and corporate planning processes
- well defined governance framework
- strong reporting processes
- risk support systems, processes and infrastructure for managing risk
- clearly defined roles and responsibilities
- strong risk culture.


3.2.4.4 Public Sector challenges

There are many challenges in implementing a successful organisation-wide risk framework. Some of the more compelling are:
- competing objectives of delivering more with less
- risk compliance often competes with risk culture
- limited public sector risk management expertise
- the public and private sector are becoming more connected, requiring a whole-of-government approach to risk management
- attaining risk maturity is a long road.

To those that overcome the challenges, some of the benefits to be reaped include:
- strengthened corporate governance processes
- improved controls assurance
- more informed decisions aligned to delivery of objectives
- a source of competitive advantage, and
- improved shareholder/stakeholder value.

3.2.4.5 Key messages in developing your framework

In the VMIA's experience, delivering risk management within government is complex, but the benefits are tangible. To be successful, an organisational risk management framework must be driven from a strategic position down and across the organisation and be supported by a strong risk management culture.

You are best to start with the basics and implement progressively over time. Identify the value drivers of risk management as a key to success and build upon these quick wins. Developing an organisational risk management framework is as much a cultural journey as it is about systems and procedures. Don't forget to focus on people and principles when progressing your framework.

Manager, Strategic Risk, The VMIA


3.3 Documenting a framework



3.3.1 Why is risk management documentation important?


Documenting an organisation's risk management framework and recording each step of the risk management process is critical for a number of reasons, including:
- demonstrating to stakeholders that the process has been conducted properly
- providing evidence of a systematic approach to risk identification and analysis
- enabling decisions or processes to be reviewed
- providing a record of risks and developing the organisation's knowledge database
- providing decision makers with a risk management plan for approval and subsequent implementation
- providing an accountability mechanism and tool
- facilitating ongoing monitoring, review and continuous improvement
- providing an audit trail
- sharing and communicating information.

3.3.2 What are the attestation requirements?


The Victorian Government Risk Management Framework does not prescribe the type and extent of documentation required to satisfy the attestation requirements. However, departments and agencies must have sufficient documentation to demonstrate that:
- a risk management process is in place consistent with the Standard (or equivalent designated standard)
- monitoring and review activities have been conducted and they confirm the effectiveness of the risk management process in controlling the risks to a satisfactory level
- a responsible body or audit committee verifies that view.

3.3.3 What needs to be documented


The following areas of your organisation's risk management framework need to be documented:
- objectives and rationale for managing risk
- accountabilities and responsibilities for managing and overseeing risks
- processes and methods to be used for managing risks, i.e. how the AS/NZS 4360 Risk Management process will be applied in the organisation
- commitment to the periodic review and verification of the risk management framework and its continual improvement
- the way in which risk management performance will be measured and reported
- resources available to assist those accountable or responsible for managing risks
- the organisation's risk appetite translated into risk rating criteria
- links between risk management and the organisation's objectives
- links between risk management and other processes and activities
- scope and application of risk management within the organisation
- requirements for recording and documentation of the risk management process (e.g. communication plan, stakeholder analysis, risk register, risk profile, and risk reporting).

3.3.4 Is there a preferred way to structure your documentation?


The Standard does not prescribe how organisations should structure their risk management framework documentation but proposes the following be included in a risk framework:
- Objectives
- Mandate and commitment to manage risk
- Operational policies
- Procedures and practices
- Risk management plan/s and allocation of responsibilities.

Some organisations may include all of the above components in a single plan, or may create separate policy, procedure and plan documents. As long as the required areas of the framework have been documented (as outlined in Section 3.3.3), it is up to the organisation to select an appropriate document structure. An example of how key framework elements could be documented is shown below:

Risk Management Framework Documentation

Risk Management Policy
- Intentions and direction
- Risk management purpose/objectives
- Key roles & responsibilities
- Risk management governance arrangements
- Procedures

Risk Management Plan
- Scope of risk management
- Strategy and approach
- Resources
- Procedures
- Responsibilities
- Sequence and timing of activities
- Roadmap for enhancement of risk management practices

Risk Management Procedure
- Detailed roles and responsibilities
- Detailed description of process steps
- Risk rating scales
- Risk reporting templates
- Risk management activities

The above framework documents typically include, or are accompanied by, detailed documentation such as:
- charters for the board, board audit committee, board risk committee, executive committee, internal audit function etc.
- position descriptions describing risk responsibilities
- risk management tools, templates and guidelines
- risk management training schedule/s
- risk register/s
- operational plans for risk treatment
- risk management reports.


Indicative content of core risk management framework documentation is included in the following sections.

3.3.5 Risk management strategy


A risk management strategy typically documents factors such as:
- objectives and rationale for managing risk
- the organisation's overall appetite/tolerance for risks
- the organisation's strategic objectives and the strategies deployed to achieve these objectives
- key risks associated with these strategies within a one to three year time frame
- the organisation's high level approach to managing these risks
- a plan for progressive enhancement of the organisation's risk management practices and competencies, including key risk management initiatives.

The following key questions would need to be answered in the process of formulating a risk management strategy:
- what are the organisation's key objectives and strategies?
- what are the risks associated with these?
- how is the organisation assessing, managing and monitoring these risks?
- are the risk management processes working effectively?

There is no prescribed format for how a risk management strategy should be documented:
- some organisations disclose their risk management strategy in their annual reports
- some organisations choose to have a separate document, in addition to a risk management policy and procedure document
- some organisations incorporate their risk management strategy within their Business Plan, outlining how risks associated with business plan objectives will be managed.

A risk management strategy template is appended to this guide, but it is important to recognise that this is only one way of documenting your organisations risk management strategy.


Toolkit reference: Appendix B: Risk management strategy - template

3.3.6 Risk management policy


The risk management policy should clearly articulate the organisation's objectives for and commitment to risk management. The policy typically specifies:
- accountabilities and responsibilities for managing risk
- commitment to the periodic review and verification of the risk management policy and framework, and its continual improvement
- links between this policy and the organisation's objectives
- the organisation's risk appetite (refer to section 4.2.3.4 for further detail)
- the organisation's rationale for managing risk
- processes and methods to be used for managing risk
- resources available to assist those accountable or responsible for managing risk
- the way in which risk management performance will be measured and reported.

Toolkit reference: Appendix C: Risk management policy template; Appendix D: Risk management procedure template

3.3.7 Risk management procedures


The risk management policy is typically supported by a more comprehensive risk management procedure document outlining the organisation's detailed approach to managing risk. Typical content of the risk management procedure includes:
- Risk management definitions/language: a common risk language will promote consistent understanding of risk management concepts and provide clarity of communication and action.
- Risk management roles and responsibilities: an organisation's ability to conduct effective risk management is dependent upon having an appropriate risk governance structure and well-defined roles and responsibilities. Risk management roles and responsibilities are discussed in detail in section 3.4.4.
- Relationship and integration with other initiatives: risk management is not a stand-alone discipline. In order to maximise risk management benefits and opportunities, it needs to be integrated with existing business processes. The integration between risk management and other processes is discussed further in section 3.1.3.
- Description of how each step of the risk management process will be applied within the organisation: in accordance with the Victorian Government Risk Management Framework, an organisation's risk management framework and processes must, as a minimum requirement, be consistent with the key principles of the Standard.
- Overview of the organisation's risk reporting framework: content, format, frequency and recipients of risk reports. Risk management reporting is discussed in further detail in section 4.3.
- Risk assessment criteria: agreed criteria for assessment of risk likelihood, consequence, and overall risk rating. Risk rating criteria are discussed in further detail in section 4.2.3.

Is it OK to combine risk management policy, strategy, and procedures into a single risk management plan or manual?

Yes. Many organisations have successfully combined these into one document. As long as the right areas are documented, it is fine to have them as one document.

Toolkit reference: Appendix D: Risk management procedure template

3.3.8 Risk register


A risk register is a comprehensive record of all risks across an organisation, business unit or project, depending on the purpose/context of the register (Victorian Auditor-General's Office).

3.3.8.1 Risk register content

At a minimum, the risk register records:
- the risk
- how and why the risk can happen
- the existing internal controls that may minimise the likelihood of the risk occurring
- the likelihood and consequences of the risk to the organisation, business unit or project
- a risk level rating based on pre-established criteria, including an assessment of whether the risk is acceptable or whether it needs to be treated
- a clear prioritisation of risks (risk profile)
- accountability for risk treatment (may be part of the risk treatment plan)
- timeframe for risk treatment.

3.3.8.2 Risk register format

Risk registers may take various forms, including:
i) Excel/Word based
ii) risk management software/system, either internally developed or externally developed (standardised vs. proprietary).

Section 3.5 provides guidance on factors to consider when developing a risk management information system. Sections 4.2 and 4.3 provide guidance on how each element of the risk management process should be recorded and reported on.

Toolkit reference: Appendix K: Risk management database MS Access tool; Appendix L: Risk register MS Excel template; Appendix M: Risk management register worked example

3.3.8.3 Risk treatment plans

Risk treatment plans identify responsibilities, schedules, the expected outcome of treatments, budgets, performance measures and the review process to be set in place. The risk treatment plan usually provides detail on:
- actions to be taken and the risks they address
- who has responsibility for implementing the plan
- what resources are to be utilised
- the budget allocation
- the timetable for implementation
- details of the mechanism and frequency of review of the status of the treatment plan.


Section 4.2.7 provides further guidance on risk treatment plans.

Toolkit reference: Appendix J: Risk assessment template

3.3.8.4 Risk and risk management reports

Regular reports made available to executive management, boards and audit committees that inform how key risks (statewide risks, strategic risks and emerging risks) are being managed (Victorian Auditor-General's Office). Some of the basic questions that risk reports should answer include:
- what are the risks?
- what is the level of each risk?
- what has been done about them?
- who is responsible for managing the risk?
- has the level of risk changed as a result of implementing risk treatments?
- which risks need to be escalated to strategic risks?
- which risks are no longer regarded as strategic risks, and why?

Section 4.3 provides guidance on risk and risk management reporting.

Toolkit reference: Appendix G: Risk reporting MS Word templates


3.4 Risk management governance



An organisation's ability to conduct effective risk management is dependent upon having an appropriate risk management governance structure and well-defined roles and responsibilities. It is important for everyone to be aware of individual and collective risk management responsibilities. In order for risks to be effectively managed, it is essential to have people behaving in a way that is consistent with the organisation's approved approach. This indicates that risk management is not merely about having a well-defined process but also about facilitating the behavioural change necessary for risk management to be embedded in all organisational activities.

3.4.1 Mandate and commitment


Any major organisational initiative needs appropriate sponsorship to be successfully implemented and sustained. Given its importance and strategic nature, risk management requires strong and sustained commitment by the organisation's board, audit/risk committee, and the CEO / Secretary. Management should:
- articulate and endorse the risk management policy
- communicate the benefits of risk management to all stakeholders
- define risk management performance indicators that align with organisational performance
- ensure alignment of risk management objectives with the objectives and strategies of the organisation
- ensure legal and regulatory compliance; and
- ensure that the necessary resources are allocated to risk management.

The board, risk committee and executive can all play a lead role in setting the tone for effective risk management throughout the organisation. This can be demonstrated in a number of ways but is often achieved through the authorisation and sponsorship of key risk management documentation that outlines both the why and the how behind effective risk management. The board, risk committee and executive can also help to drive effective risk management by incorporating risk management and reporting into the corporate and strategic planning processes, thereby setting an example on how it can be incorporated into normal operations.

3.4.2 Accountability
The organisation should ensure that there is accountability and authority for:
- managing risks
- adequacy and effectiveness of risk controls
- implementing and sustaining the risk management framework/process.

This may be facilitated by:
- ensuring appropriate levels of recognition, reward, approval, and sanction
- establishing performance measurement and internal and/or external reporting and escalation processes
- specifying risk owners for implementing risk treatments, maintenance of risk controls and internal reporting of relevant risk information
- specifying who is accountable for the development, implementation and maintenance of the framework for the management of risk.

3.4.3 What are the key factors to consider when developing a risk management governance structure?
A number of factors should be considered when determining an organisation's risk management governance structure, including:
- current organisational structure and authorities
- current level of understanding, appreciation, and commitment to risk management by key individuals
- current level of change readiness within the organisation (often evolutionary change works better than revolutionary change)
- key types of risks faced by the organisation and functions currently managing the key risks
- the existence of logical risk champions within the organisation.


Client Comment: How did you link or integrate your governance and risk frameworks?

Quite simply, form followed function. In order to best manage risk across the department, a framework was developed and then a governance structure was created to complement and support the risk operations of the department.

Risk Manager, General Government

3.4.4 Indicative roles and responsibilities for risk management


Proactive communication and dialogue with the board and audit/risk committee is a critical element of effective risk management governance. The board and its committees retain an obligation to remain informed not only of the risks to the organisation, but also of the effectiveness of risk management efforts. The board and the audit/risk committee have a responsibility to the stakeholders of the organisation to ensure that the risk management framework of the organisation is appropriate to the nature of the organisation and the risks the organisation faces. A key component of effective risk management governance is to establish clear lines of risk and risk management accountability. The specific roles of the various parties such as the board, audit/risk committee, the CEO/Secretary, executive management, and staff would vary according to the organisational structure, complexity, size and maturity. A sample risk governance structure is illustrated as follows:

RISK GOVERNANCE STRUCTURE (sample, top to bottom)

Board
  Board Risk Committee / Audit Committee (can be combined)
    CEO
      Executive & Management
        Risk Owners
          Staff & Contractors


A description of the roles and accountabilities of each of the key parties to whom risk management duties have been delegated is as follows:

3.4.4.1 Board

The board provides direction and oversight of risk management across the organisation. The board's key risk management responsibilities may include:
- approving the organisation's risk management documentation, including the strategic risk profile, risk appetite and tolerance, risk management policy and risk management procedure
- setting the standards and expectations of the organisation with respect to conduct and behaviour, and ensuring that effective risk management is enforced through an effective performance management system
- monitoring the management of high and significant risks, and the effectiveness of associated controls, through the review and discussion of six monthly risk management reports
- satisfying itself that risks with lower ratings are effectively managed, with appropriate controls in place and effective reporting structures
- approving major decisions affecting the organisation's risk profile or exposure.

3.4.4.2 Chief Executive Officer (and Secretary)

The CEO's / Secretary's key risk management responsibilities may include:
- participating in the review and update of the strategic risk profile
- reviewing key risk information, identifying key risk trends and assessing the impact for the organisation as a whole
- monitoring the management of high and significant risks and the effectiveness of associated controls through the review and discussion of regular risk management reports
- ensuring that adequate processes are being followed in relation to lower level risks
- setting the tone and promoting a strong risk management culture by providing firm and visible support for risk management.

3.4.4.3 Audit / risk committee

The audit / risk committee is accountable to the board, and meets and reports to the board advising of its activities, findings and recommendations, including risk management policies. The primary objective of the audit / risk committee is to assist the board in discharging its responsibilities to exercise due care, diligence and skill in relation to business operations and to advise on any matters of financial or regulatory significance which may be referred to it from time to time. In addition, the committee is to assist the board in fulfilling its responsibilities relating to compliance by the organisation with legal and contractual obligations. The organisation may also choose to have an executive risk management committee to promote the coordination and oversight of risk management activities.

3.4.4.4 Executive and management

The executive and management are responsible for the oversight of the risk management framework, including the consideration and review of risk management policies and procedures on an annual basis. The executive and management are also responsible for establishing policies and reviewing the effectiveness of the organisation's approach to risk management, including the status of major business risks. The typical composition of an executive risk management committee would be:

Core members:
- CEO
- Risk Manager
- Chief Financial Officer
- Operations Manager
- Internal Auditor
- Occupational Health and Safety Officer
- Core service representatives (e.g. within the healthcare sector this may include Allied Health, Nursing, Aged Care etc.)

Optional members:
- Human Resources Manager
- IT Manager
- Legal Counsel
- Other functional specialists

3.4.4.5 Chief risk officer / risk manager

It is important to note that most risk managers act primarily as advisors and co-ordinators for risk and do not typically have a direct operational responsibility for specific categories of risk. Operational responsibility for specific types of risk generally rests with functional area line management. For example an IT and Systems Manager would take responsibility for managing IT-related risk/s. Some organisations create a risk management job role that incorporates operational responsibility for a particular risk area. For example the Risk Manager may also act as the organisations OH&S Officer.

Chief risk officers, risk managers (or equivalent) are typically employed to:
- develop, enhance and implement appropriate risk management policies, procedures and systems
- co-ordinate and monitor the implementation of risk management initiatives within an organisation
- work with risk owners to ensure that the risk management processes are implemented in accordance with agreed risk management policy and strategy
- collate and review all risk registers for consistency and completeness
- provide advice and tools to staff, management, the executive and board on risk management issues within the organisation, including facilitating workshops in risk identification
- promote understanding of and support for risk management, including delivery of risk management training
- oversee and update organisation-wide risk profiles, with input from risk owners
- ensure that relevant risk information is reported and escalated or cascaded, as the case may be, in a timely manner that supports organisational requirements
- attend risk committee or audit committee meetings where risk management issues are discussed.

Regardless of the job title or function, it is critical that there be clarity around roles and responsibilities in order to progress risk management throughout the organisation.

3.4.4.6 Risk owners

Risk owners are typically line managers, or functional specialists, who assume responsibility for designing, implementing, and/or monitoring risk treatments. Risk owners may be responsible for the following:
- manage the risk they have accountability for
- review the risk on a regular basis
- identify where current control deficiencies may exist
- update risk information pertaining to the risk
- escalate the risk where the risk is increasing in likelihood or consequence
- provide information about the risk when it is requested.

3.4.4.7 Staff and contractors It is the responsibility of all personnel, stakeholders and contractors to apply the risk management process to their respective roles. Their focus should be upon identifying risks and reporting these to the relevant risk owner. Where possible and appropriate, they should also manage these risks.


Client Comment: What does your organisational structure for risk management look like?

A twofold structure exists. The first is the reporting lines. The audit and risk committee is the committee that monitors and manages the risk register and gives final approval to the risk attestation. This committee reports findings by exception to the Justice Executive Committee and the Secretary. Operationally, the departmental risk register is completely reviewed by the Justice Executive Committee on an annual basis. The audit and risk committee then monitors the treatment of risks outlined in the register; this occurs on a monthly basis, or by exception. The divisional registers are completely reviewed on an annual basis and a desktop review is conducted every six months. Business unit risk registers are a component part of the business planning process and the departmentally endorsed business plan template.

Risk Manager, Department of Justice

3.5 Risk management information systems



Developing a risk management framework involves identifying the appropriate tools and technology that will help your organisation capture, analyse and communicate risk related information.


The objective is to provide the right information to the right people at the right time to make appropriate decisions with regard to risks. In general, risk management information systems should possess the capability to:
- record details of risks, controls and priorities and show any changes therein
- record risk treatments and associated resource requirements
- record details of incidents and loss events and the lessons learned
- track accountability for risks, controls and treatments
- track progress and record the completion of risk treatment actions
- allow progress against the risk management plan/strategy to be measured
- trigger monitoring and assurance activity.

This section provides guidelines in identifying suitable tools and technology to enable your risk management framework.

[Figure: Risk information management planning]
1. Identify your risk management information requirements: risk data you need to capture; who you will capture it from; how you capture risk data; users and their needs.
2. Develop appropriate tools and technology: capturing risk data and information; monitoring and recording; analysis and reporting; communicating.
3. Select appropriate risk management software: cost; functionality; scalability; accessibility.

3.5.1 Identifying your requirements


The first step in the process of managing risk information is to identify your requirements. The key questions to ask are:
- What risk information or data do you need to capture?
- How will you capture this risk information?
- Who are your end-users and what do they need?


Your requirements will generally involve capturing risk data, monitoring and recording risk information, developing capability to analyse and report risk performance, and communicating relevant and timely risk management information to the right stakeholders.

3.5.2 Developing appropriate tools and technology


Developing the appropriate tools and technology according to your requirements would generally depend on the scale and scope of your risk management framework as well as the stakeholders involved. For instance, who are your users for the tools and technology? Which parts of the business will the tools and technology be applied to? Choose the appropriate tools that provide comprehensive, relevant, timely and accurate risk information. This will facilitate better and more informed decision-making. An organisation may find that the costs associated with acquiring and maintaining software exceed the benefits. In such circumstances, it is probably preferable to invest these resources in improving other areas of risk management, e.g. to fund critical risk treatments/controls, or to train staff.

3.5.2.1 Capturing risk information

To effectively identify risks, it will be useful to have tools that capture risk information from various sources across the organisation, including:
- leadership team
- business unit managers
- selected staff
- other stakeholders.

Your tools and technology should be able to capture typical risk management information, including:
- actual losses, potential losses, and near miss events
- business risk profile, including new and changed exposure to key risks
- significant control weaknesses (which affect significant risks)
- progress on action plans to deal with significant risk or control weaknesses.

3.5.2.2 Monitoring and recording risk information

Many organisations use tools and technology with functionality to generate risk reports with information about:
- extreme risks
- total risk profile
- reasons for risk rating movements
- risk treatment actions
- assurance coverage of key risks
- risk management strategy
- new and emerging risk issues
- detailed risk register.

Details of these types of information are discussed in Section 4.3 of this guide.

3.5.2.3 Capability to analyse and report risk performance

To effectively analyse and report risk performance, you will need tools and technology that:
- analyse risks based on quantitative or qualitative parameters: qualitative risk analysis will require tools that have the capability to classify risks according to categories, impact and likelihood; quantitative risk analysis will require tools that have the capability to calculate and/or simulate the value of risk
- facilitate ranking or prioritisation of risks
- facilitate trend analysis
- aggregate risk information at various levels as required by different levels of staff/management.

Section 4.3 further describes how to analyse and report risk performance.

3.5.2.4 Communicating risk management information

Effective communication facilitates awareness, understanding, adoption of and commitment to the risk management framework. The communication tools you will require would ideally have the capability to:
- provide easy reporting and access to risk information for all relevant stakeholders
- archive lessons learned from implementing the risk management framework
- store risk management policies, procedures and other documents
- trace user access to determine reach and utilisation
- provide an audit trail to ensure the integrity of information
- enable escalation of risk-related issues and incidents.
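The minimum register content in section 3.3.8.1, the risk owner's duty in 3.4.4.6 to escalate a risk whose likelihood or consequence is increasing, and the system capabilities listed above (recording changes, an audit trail, escalation) can be made concrete in a small data model. The Python below is an added example written for this page; it is not VMIA code and not the Appendix K or L tools. The 1-5 likelihood and consequence scales, the score bands, and the expression of risk appetite as the highest rating band accepted without treatment are assumptions made for illustration, because the guide defers the actual rating criteria to section 4.2.3. The sample risks in the usage section are constructed.

```python
"""Risk register skeleton: minimum record content, rating, prioritisation,
assessment history (audit trail) and an escalation flag for risk owners.
Added example; not part of the VMIA guide or its toolkit."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ASSUMPTION: the guide defers likelihood/consequence criteria to section 4.2.3,
# so a 1-5 scale for each and the score bands below are illustrative only.
BAND_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Extreme": 3}


def rate(likelihood: int, consequence: int) -> str:
    """Map a likelihood x consequence score to a rating band."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be on the 1-5 scale")
    score = likelihood * consequence
    if score >= 20:
        return "Extreme"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


@dataclass
class Assessment:
    """One dated assessment; keeping every one gives the audit trail."""
    date: str            # ISO date supplied by the caller, so runs are deterministic
    likelihood: int
    consequence: int
    note: str            # reason for the (re)assessment, e.g. "treatment completed"

    @property
    def rating(self) -> str:
        return rate(self.likelihood, self.consequence)


@dataclass
class Risk:
    risk_id: str
    description: str                      # the risk
    causes: str                           # how and why the risk can happen
    controls: List[str]                   # existing internal controls
    owner: str                            # accountability for risk treatment
    treatment_due: Optional[str] = None   # timeframe for risk treatment
    history: List[Assessment] = field(default_factory=list)

    @property
    def current(self) -> Assessment:
        return self.history[-1]

    def reassess(self, date: str, likelihood: int, consequence: int, note: str) -> bool:
        """Append an assessment and return True when the owner should escalate,
        i.e. likelihood or consequence has increased since the previous one."""
        previous = self.history[-1] if self.history else None
        self.history.append(Assessment(date, likelihood, consequence, note))
        if previous is None:
            return False
        return likelihood > previous.likelihood or consequence > previous.consequence


class RiskRegister:
    def __init__(self, appetite: str = "Medium") -> None:
        # ASSUMPTION: appetite expressed as the highest band accepted without treatment
        self.appetite = appetite
        self.risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self.risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        if not risk.history:
            raise ValueError("assess the risk before adding it to the register")
        self.risks[risk.risk_id] = risk

    def requires_treatment(self, risk: Risk) -> bool:
        return BAND_ORDER[risk.current.rating] > BAND_ORDER[self.appetite]

    def profile(self) -> List[str]:
        """Risk ids ordered highest rating first: the prioritised risk profile."""
        return sorted(self.risks,
                      key=lambda rid: (-BAND_ORDER[self.risks[rid].current.rating], rid))

    def report(self) -> List[dict]:
        """One row per risk answering: what, level, treat?, who, changed from what."""
        rows = []
        for rid in self.profile():
            r = self.risks[rid]
            rows.append({
                "risk": rid,
                "level": r.current.rating,
                "treat": self.requires_treatment(r),
                "owner": r.owner,
                "controls": list(r.controls),
                "previous_level": r.history[-2].rating if len(r.history) > 1 else None,
                "assessments": len(r.history),
            })
        return rows


if __name__ == "__main__":
    # Constructed sample data, not taken from any real register.
    reg = RiskRegister(appetite="Medium")
    r1 = Risk("R-01", "Unplanned outage of the case management system",
              "Single server, no tested recovery plan", ["nightly backups"],
              "IT Manager", treatment_due="2010-09-30")
    r1.reassess("2010-01-15", 4, 5, "initial assessment")
    reg.add(r1)
    r1.reassess("2010-07-01", 3, 4, "recovery plan tested")
    for row in reg.report():
        print(row)
```

Every reassessment is appended rather than overwritten, so the register can answer "has the level of risk changed as a result of implementing risk treatments?" directly from the history, and the boolean returned by reassess tells the risk owner whether the escalation duty in 3.4.4.6 applies.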


3.5.3 Selecting your risk management software


Depending on factors such as the size and complexity of an organisation and the nature of the risks it manages, it may be feasible to acquire or develop risk management software to facilitate the recording, analysis, and reporting of risk management information. The key areas to consider when assessing an organisation's need for risk management software are:
- costs
- functionality
- accessibility
- scalability.

There are various risk management softwares available in the market that meets different requirements. As a guide, consider the following in choosing the most suitable option. Costs Determine the costs associated with the software. How much does the license cost? Ensure that you understand what the licensing conditions are for the software. Functionality What are the functions that the software provides? Does it meet all your requirements? Could the software be integrated with other existing tools, technology and systems that your organisation currently has? If no, how much transition effort is required? Accessibility Does the software allow users to access it easily, anytime, anywhere, as and when required? Does it provide control of access to ensure the integrity of risk management information? Scalability Does the software allow expanding the user/s and functions without significant additional costs? If you expand the scope of your risk management framework, will the software still be applicable?

Toolkit reference: Appendix P: Risk management information systems checklist


3.6 Checklist Developing a risk management framework


The following checklist provides a number of questions relating to the development of your organisation's risk management framework. Considering the answers to these questions will help you check your progress in implementing a robust and flexible risk management framework. The checklist distinguishes between those elements essential to ensure an effective risk framework, and those typically associated with relatively mature or sophisticated frameworks found in large organisations. Toolkit reference: Appendix O: Risk management checklist

No. | Section | Requirement | Essential (E)/Advanced (A) | In place (Yes/No)

Developing a risk management framework
1 | Communicate and consult | Has the board and executive expressed their support for a Risk Management programme? | |
2 | Establish the context | Have you identified a person who will be responsible for implementing risk management? | |
3 | Establish the context | Does the risk manager, or equivalent, have reasonable access to staff and management across the organisation? | |
4 | Establish the context | Have you defined categories of risk relevant to your organisation and industry? | |
5 | Establish the context | Do your risk categories reflect all operational risk areas of the business as well as more strategic risk categories? | |
6 | Establish the context | Is there a clear organisational strategy (or objectives) articulated for the organisation? | |
7 | Establish the context | Have you defined and agreed a Likelihood scale to assess the potential for the risk to occur throughout the organisation? | |
8 | Establish the context | Have you defined and agreed a Consequence scale to help assess risk impacts across the organisation? | |
9 | Establish the context | Does your Consequence scale describe both financial and non-financial impacts? | |
10 | Establish the context | Does your Risk management framework consider the effectiveness of controls or risk treatments? | |
11 | Establish the context | Is there an agreed template or format for recording risk (a risk register)? | |
12 | Establish the context | Has a risk policy been defined? | |
13 | Establish the context | Does the organisation have a documented risk management strategy? | |
14 | Communicate and consult | Has the Risk Committee (or equivalent) and the Board reviewed and approved the Risk Policy/Strategy? | |
15 | Establish the context | Do job descriptions of key stakeholders include responsibilities for risk management? | |
16 | Establish the context | Is a formal project management methodology used to manage projects? | |
17 | Establish the context | Is a mechanism in place to identify, assess, record and monitor risks on projects? | |
18 | Establish the context | Has the organisation agreed what types and levels of risk are unacceptable? | |
19 | Establish the context | Is there an agreed format/template for reporting on risk? | |
20 | Establish the context | Is there a process and/or template where staff and the Executive can record new risks? | |

Essential/Advanced ratings as recorded in the source, in order but no longer aligned to individual rows: items 1-10: E, E, E, E, E, A, E, E, E; items 11-20: E, E, A, E, A, A, E.


4 Implementing a risk management framework


This section provides an overview of how a risk management process consistent with that outlined in the Standard can be implemented across an organisation. It also provides guidance on the process and content for risk and risk management reporting and outlines a practical approach for developing a proactive risk management culture.

4.1 Overview of the risk management process


[Figure: guide map. Developing a Risk Management Framework (Overview; Risk Management Framework; Key Considerations When Designing a Framework; Documenting a Framework; Risk Management Governance; Risk Management Information Systems); Implementing a Risk Management Framework (Overview of a Risk Management Process; Risk Management Process; Risk and Risk Management Reporting; Developing Desired Risk Management Culture); Monitoring and Enhancing a Risk Management Framework (Monitoring and Reviewing a Risk Mgt Framework; Attestation Process; Continuous Improvement).]

According to the Victorian Government Risk Management Framework, departments and agencies should, at a minimum, establish risk management frameworks and processes consistent with the key principles of the Standard. The key steps in implementing a risk management process consistent with the Standard are illustrated in the following figure:


[Figure: the risk management process. Establish Context, Identify Risks, Analyse Risks, Evaluate Risks and Treat Risks in sequence, with Communicate and Consult and Monitor and Review running alongside every step.]

As depicted in the figure above, Communicate and Consult and Monitor and Review are ongoing activities that occur at each stage in the risk management process. Accordingly, these activities are discussed both as separate risk management process steps (refer to sections 5.2.1 and 5.2.7, respectively) and as sub-activities of each of the other risk management process steps (i.e. establish context, identify risks, analyse risks, evaluate risks, and treat risks). The subsequent sections will describe each of the steps in the risk management process in detail.

The sections aim to answer the following questions:
1. What is the purpose of each step in the process?
2. Why is it important?
3. How do you implement it?
4. How do you communicate/consult and monitor/review?
5. What tools and techniques are used to implement it?

The following table summarises the key risk management process steps and, for each, the inputs, outputs, and tools and techniques.


Establish Context
- Input: External context (external environment information); Internal context (organisational information); Risk criteria; Risk tolerance; Risk management policy; Risk management framework
- Tools and techniques: Stakeholder consultation plan; Communication plan

Identify Risks
- Input: Stakeholder consultation; Organisational records
- Output: Risks that matter; Risk register
- Tools and techniques: Risk universe; Brainstorming; What-if and scenario analysis; Process mapping and flowcharting; Systems analysis; Operational modelling; Expert opinion

Analyse Risks
- Input: Risk rating criteria (likelihood rating, consequence rating)
- Output: Likelihood of risks; Consequence of risks; Current controls around risks
- Tools and techniques: Qualitative analysis; Semi-quantitative analysis; Quantitative analysis

Evaluate Risks
- Input: Risk tolerance
- Output: Overall risk rating; Risk profile; Risk priorities; Inter-relationships among the risks
- Tools and techniques: Heat map; Numerical ranking of risks; Decision trees

Treat Risks
- Input: Treatment options; Risk ownership
- Output: Treatment plan (to reduce likelihood, to reduce consequence, to maximise upside risks); Resources and timeframe
- Tools and techniques: Risk transfer, i.e. insurance, outsourcing; Risk mitigation; Risk avoidance; Cost-benefit analysis


The Establish the Context section describes how each organisation should adjust and customise its approach to risk management to reflect the:
- sector it operates in, and the unique challenges and risks faced within that sector
- size of the organisation and the resources it has to manage risk
- culture of the organisation, and its willingness and ability to take calculated risks
- appropriate and desired level of sophistication of its risk management capability.

To demonstrate how different organisations may tailor their approach to risk framework development and implementation, we will share the experiences of two fictitious organisations throughout the guide, namely Hamishtown Regional Health (HRH) and Melbourne Education Services (MES).

Hamishtown Regional Health (HRH):

Hamishtown Regional Health (HRH) is a smaller public healthcare provider based in country Victoria. It operates 40 hospital beds, an emergency ward and an aged care facility on an annual budget of $20 million. Meeting budgetary targets is a constant challenge, in part due to the increasing cost of, and demand for, complex medical procedures needed by the ageing population within the region.

Its staff establishment provides for the equivalent of 50 full time medical staff members and 30 support staff. Currently, 25% of specialist positions are vacant, as many specialists and new graduates prefer to further their careers in larger metropolitan hospitals or in private practice.

The hospital operates at over 90% of capacity throughout the year. However, its aged care facilities are not fully utilised, with occupancy in the last financial year running at 60%.

Although the hospital has recently passed its accreditation review, concerns were raised about HRH's patient admissions systems, which did not adequately capture information on a patient's medical history, including current treatment regimes being followed.

There is a private hospital 20 km from HRH and 3 similar public healthcare providers in the region. Hamishtown Regional Health has established co-operative relationships with other regional hospitals/health services, to which many of its patients travel to receive specialist medical services not offered by HRH.

The CEO, Bob Brown, heads up an executive management team made up as follows:
- Director of Medical Services
- Director of Nursing
- Director of Finance
- Director of Corporate Services (HR, IT and Facilities)
- Manager, Aged Care Services
- Health and Safety Officer
- Quality of Care Officer

The organisation does not have a dedicated risk manager or internal auditor. However, periodic reviews have been performed by external consultants and accreditation bodies in areas such as:
- Financial management processes (billing, supplier payments and payroll)
- WorkSafe Occupational Health & Safety standards
- Quality of Care performance indicators, such as the number of patient falls, medication errors and sentinel events, were reviewed as part of the recent accreditation process, and continue to be recorded and reported on, as required by the Department of Human Services

HRH has recently completed a three year Strategic Plan that has identified the following Strategic Objectives:
1. Ensure high standards of patient care
2. Optimise the use of resources within HRH to ensure future sustainability of service
3. Implement and maintain processes to reduce patient harm or adverse events
4. Ensure that HRH is staffed by appropriately skilled and experienced professionals
5. Promote the sharing of information and research between regional healthcare providers
6. Provide a safe and modern infrastructure to the benefit of staff and patients


MELBOURNE EDUCATION SERVICES (MES): Melbourne Education Services (MES) is a large regional education provider of both higher education and TAFE in the greater Melbourne Metropolitan area. Its 25,000+ Australian and International students receive academic and practical education in a full range of academic disciplines at undergraduate and postgraduate level. MES also runs a range of short-term community education and vocational skills training courses. The organisation's academic and support staff of over 1800 support curriculum development and delivery across nine campuses dispersed across the Melbourne CBD and its surrounding suburbs. In addition to its core academic services, MES supports other student and community services, including:

- Student and Staff Accommodation
- Sports Clubs and Facilities
- Food and Catering Services
- Privately-funded Science and Technology Research Laboratories
- Catering and Laundry Services
- Inter-campus Transportation
- Student Counselling
- Community Outreach Programmes

Although MES is a state-funded public institution, which derives the majority of its revenue from the state and student fees, it has managed to expand its funding model to include significant income from its Grants, sponsorships and endowments programme that targets private sector institutions and other benefactors. Vice-Chancellor and President of MES, Sally White, is supported by the MES Council, an Executive Team of 25, as well as a number of Policy, Planning and Operational Committees. It has been able to deliver an operating surplus for the last 3 years, which it has reinvested in an infrastructure maintenance fund. MES has identified the following as key priorities during its annual strategic planning process:
1. Use of modern ICT technology to support effective learning techniques
2. Promote MES as a trusted skills provider to the commercial and public sector
3. Effectively utilise financial and other resources to meet demand for services
4. Enhance ability of MES to attract and integrate foreign students
5. Expand capacity of MES to meet growing demand for quality TAFE/higher education, particularly in Technology and Business Sciences
6. Ensure quality and relevance of curriculum development, delivery and examinations processes
7. Attract top students and researchers to MES


HRH GOVERNANCE: The organisational chart below illustrates the Governance structure for HRH:

[Figure: HRH organisational chart. Boxes shown: Board of Management; Chief Executive Officer; Quality & Patient Care Committee; Audit (& Risk) Committee; Director: Finance; Director: Corporate Services; Director: Community Services; Director: Medical Services; Risk & Quality Officer; Facilities Manager. The chart legend also marks an indirect reporting line.]

HRH has two executive committees, Audit and Quality of Patient Care. The Audit Committee is comprised of the:
- Chairman of the Board of Management
- CEO
- Director of Finance
- Legal Counsel
- External Audit firm representative

The Quality of Patient Care Committee is comprised of:
- CEO
- All Directors
- Deputy Directors of Nursing and Medicine
- Quality Officer
- Facilities Manager

Due to budgetary constraints and the size of the organisation, it was decided to expand the role of the Quality of Care Officer, who currently has a responsibility for Clinical Risk, to include co-ordinating corporate risk efforts.


HRH has also decided to expand the responsibilities of the current Audit Committee to include Risk oversight. To ensure that the expanded Risk and Audit Committee is able to address all aspects of risk, the Directors of Nursing and Medicine have been co-opted onto the Committee. It has been agreed that the Risk and Audit Committee will focus specifically on reviewing and reporting to the Board on risk every quarter. This decision was taken in conjunction with the Board of Management. The Risk and Quality Officer will have a recurring invite to attend Committee meetings and will be tasked with:

- Co-ordinating the organisation's risk identification processes
- Working with functional area management to develop risk response strategies
- Reporting on clinical and corporate risks and response strategies
- Training all staff and managers in risk management
- Overseeing the clinical incident reporting process.

MES GOVERNANCE: The following structure illustrates the MES governance structure for risk.


MES has appointed a dedicated Chief Risk Officer (CRO) for the organisation, responsible for overseeing all aspects of risk management. Although the CRO's responsibilities are similar to those of HRH's Risk & Quality Officer, there are some important distinctions. The Chief Risk Officer, who reports directly to the MES Vice Chancellor and the Risk Committee, supervises a team of 5 risk specialists, namely:
- An Occupational Health & Safety Manager
- A Risk Manager
- 2 Internal Audit and Compliance Officers
- 1 IT Security specialist

While these staff also report into operational line managers, the CRO is able to draw on their skills to identify and assess risks and controls, as well as to aid in the design and implementation of risk treatment plans. The CRO is a member of the Executive Team and is also represented on the following Committees:

- Risk Management
- Audit
- Finance
- Facilities and Infrastructure
- Policy and Planning
- Occupational Health & Safety
- Information Technology and Systems.

Discussions between the MES Vice Chancellor, Council, Audit Committee and Risk Committee, chaired by the Chief Risk Officer, have resulted in the following being agreed:

- That the CRO will present monthly status reports on risk management issues, plans and progress to the Risk Committee and the Executive Team
- The Audit Committee will receive a quarterly Risk Progress Report as well as ad hoc reports as requested
- Risk Owners will receive monthly status reports on all risks allocated to them for risk treatment or monitoring
- The CRO will work with the Project Management Committee to formally identify and track risk on all projects with a capital value in excess of $1,000,000, or those classed as Strategic or High Risk by the Project Committee.

Functional area and operational management will continue to be accountable for the management of risk within their areas of competence. The CRO and her team will provide advisory, co-ordinating and risk reporting services to these managers.


4.2 Implementing a risk management process



4.2.1 Communicate and consult

[Figure: the risk management process (Communicate and Consult; Establish Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat Risks; Monitor and Review), repeated here for the Communicate and Consult step.]

4.2.1.1 What is it?

Risk communication is generally defined as an interactive process of exchange of information and opinion, involving multiple messages about the nature of risk and risk management. This applies to internal communication in the organisation, and to communication to external stakeholders. Consultation can be described as a process of informed communication between an organisation and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is a process, not an outcome: it affects decision making through influence rather than power, and it is about input to decision making, not necessarily joint decision making.


4.2.1.2 Why do it?

Communication and consultation with internal and external stakeholders are fundamental to effective risk management and should take place at each step of the risk management process as far as necessary. Effective internal and external communication is important to ensure that those responsible for implementing risk management, and those with a vested interest, understand the basis on which decisions are made and why particular actions are required. Stakeholders are likely to make judgements about risk based on their perceptions. These can vary due to differences in values, needs, assumptions, concepts, and concerns as they relate to the risks or the issues under discussion. Since the views of stakeholders can have a significant impact on the decisions made, it is important that their perceptions of risk be identified, recorded and integrated into the decision making process.

4.2.1.3 How to communicate and consult

The key steps to communication and consultation are:
- establish communication and consultation objectives
- analyse stakeholders or recipients of the message
- develop key messages and purpose
- identify communication owners and senders
- identify appropriate channels
- determine timing of communication
- deliver key messages.

4.2.1.4 Objectives of communication and consultation

Objectives of communication may include:
- Building awareness and understanding about a particular issue
- Learning from stakeholders
- Influencing the target audience
- Obtaining a better understanding of the context, the risk criteria, the risk, or the effect of risk treatments
- Achieving an attitudinal or behavioural shift in relation to a particular matter
- Any combination of the above.


Developing a communication plan is essential to ensure that key messages are delivered effectively to the right people at the right time using the most appropriate channels at every step of the risk management process. The following diagram illustrates the key elements of a communication plan.

Communication Plan (example)

Column definitions:
- Stakeholders are the audience for the communication of risk and risk management.
- Communicators send the message, and should be carefully selected as perception of the sender influences how people receive the message.
- Responsibility for preparation is the person who is knowledgeable on the topic and prepares the content of the messages of communication to be delivered.
- Purpose sets out the objective of the communication.
- Content/Message indicates the key messages to be delivered.
- Method/Delivery is how the message will be delivered, through what channel/s, i.e. workshop, internet, e-mail, newsletter, etc.
- Timing is when the message will be delivered; it is important to have the right timing to ensure people pay attention to the message and are not distracted by other information.
- Frequency indicates how often the messages will be delivered, i.e. one-off, weekly, annually, etc.

Stakeholders | Communicators | Responsibility for preparation | Purpose | Content/Message | Method/Delivery | Timing | Frequency
CEO | RM Consultants | RM Consultants | Kick-off the RM project; agree on team/resources, scope, deliverables | Proposed scope, deliverables and templates | Workshop | 30 April | One-off
All staff | CEO | CEO | Strategically introduce and position the corporate development project as part of the change of risk culture journey | Anticipated impact, involvement, changes arising from the project; intent of project | Email or staff meeting (if applicable) | One week before kick-off (week of 23 April) | One-off
Management Team | CEO | GM-Corporate Services and RM consultants | Generate awareness on the risk governance and process development/implementation; generate support | Expected involvement in the project: who would be interviewed and when; who would be participating in workshops and when; who would likely be in the project team | Email | One week before kick-off (week of 23 April) | One-off
All stakeholders (see stakeholder plan for detail) | Consultants | Consultants | Gather input for the development of the corporate plan, annual plan and business improvement plan and process development | Views on desired state, challenges, risks and opportunities; expectations on the agency | Workshops and interviews; customer survey | 30 April to 5 May | One-off for each stakeholder
RM Project Team | Consultants | RM Project Co-ordinator | Update on progress of project; address any project issues | Progress on implementation; issues/risks that need to be addressed | Meeting with risk consultants and project team (face to face/teleconference) | 30 April to 30 July | Weekly
All staff | CEO | CEO | Keep staff informed on the progress to sustain support for the business excellence journey | Update on plans and process developments framed within the larger context of the business excellence journey | Email, staff meetings, team meetings | Whole duration of project | Fortnightly or monthly for brief updates

A stakeholder consultation plan helps to ensure that all bases are covered when it comes to understanding perceptions around risk and risk management, identifying, analysing and evaluating risks, as well as developing treatment options. The plan is also useful in ensuring the consultation is as inclusive as appropriate. When implemented effectively, a stakeholder consultation plan should:
- appropriately define an organisation's context (refer to section 4.2.3)
- ensure that the interests of stakeholders are understood and considered
- help ensure risks are adequately identified
- bring different areas of expertise together in analysing risks
- ensure that different views are appropriately considered in evaluating risks
- ensure appropriate change management techniques during the risk management process (refer to section 4.4)
- promote ownership of risk by managers
- engage stakeholders to allow them to appreciate the benefits of particular controls and the need to endorse and support a risk treatment plan.

The following diagram illustrates the basic components of a stakeholder plan:

Stakeholder Consultation Plan (example)

Column definitions:
- Stakeholders are consulted to provide input into the risk management process; this includes both internal and external stakeholders. It is important to have a good representation of stakeholders to generate comprehensive perspectives on risk and risk management.
- Purpose sets out the intent or agenda for the consultation.
- Method is the approach in consultation, i.e. interviews, surveys, workshops, focused group discussions.
- Timing indicates the time required (for budgeting and resourcing purposes) to conduct the consultation; where known, the dates for consultation are also indicated in this section.
- Owner/Facilitator is the person who will administer the consultation process. It is important to choose the right facilitator to make sure the appropriate level of response is generated.

Internal stakeholders
Stakeholder | Purpose | Method | Timing | Owner/Facilitator
Board and Chief Executive | Clarify their roles and expectations as part of formalising the Risk corporate governance charter; communicate intended directions for Risk Management; clarify Risk Management implementation structure including the management team and non-executive board charter; identify Chief Executive KRIs (if any); establish intended scope for the Risk Management; view on Risk Universe | Board: Workshop; Chief Executive: Interview | Board: 1.5 hrs; Chief Executive: 1 hr (anytime week of 30 April) | John Smith
GM-Corporate Services | Revisit risks, issues and next steps (FN and procurement); gather views on desired state, opportunities, risks and challenges for the next 3 yrs | Interview | 1 hr (anytime week of 30 April) | Mark Anthony
Head of Human Resources | Revisit risks, issues and next steps (HR); gather views on desired state, opportunities, risks and challenges for the next 3 yrs | Interview | 1 hr (anytime week of 30 April) | Heather Andrews
Head of Information Management | Gather views on desired state, opportunities, risks and challenges for the next 3 yrs | Interview | 1 hr (anytime week of 30 April) | Heather Andrews/Mark Anthony
Management Team | Generate understanding and commitment to the corporate governance implementation project; communicate strategic intent and vision; agree on risk management policy/objectives; establish consensus on risk management processes; articulate/translate risks and issues around strategic purpose and vision; define operational level KRIs that support strategic level KRIs; gather views on desired state, opportunities, risks and challenges for the next 3 yrs | Workshop | 1-2 days | CEO, RM Consultants
Staff | Gather views on risk and risk management; input into individual and team KRIs | Workshop; Survey; Workshops | 1 day; 2 days (week of 30 April); 2 days (week of 1 June) | RM Consultants; Howard Gardner; Team leaders

External stakeholders
Stakeholder | Purpose | Method | Timing | Owner/Facilitator
Minister | Identify expectations from Agency within the next 3-5 years and to what extent the current/intended corporate plan meets expectations | Interview | 1 day (including organising) | John Smith
Parliamentary Secretary | Identify expectations from Agency within the next 3-5 years | Interview | 1 day | Mary Antoinette
Relevant agencies (state and/or commonwealth) | Identify expected interdependencies for service delivery; expectations for whole-of-government approach | Interviews | 5 days (including coordination) | Mark Anthony
Industry/Experts (Companies) | Determine expectations from Agency; identify any risks and issues with regard to those expectations | Interviews; Surveys | 5 days (including coordination) | Heather Andrews


Key considerations for effective communication and consultation throughout the risk management process are outlined at the conclusion of each of the following process steps (i.e. Establish the Context, Risk Identification, Analyse Risks, Evaluate Risks, and Treat Risks).

Client Comment:

"I have worked as a risk manager in different organisations and have found that it is very difficult to obtain support for risk management unless I have the backing of the CEO or other senior executives. A simple email or statement by the CEO to staff that stresses the importance of risk management helps to improve staff awareness and participation.

In the past we required staff to complete a 2 page form to report a risk. The form required that information was recorded about the risk, its causes, examples of previous risk events, risk scores, accountabilities, proposed treatment approach and who would monitor the risk. Most staff were intimidated by this process and did not feel comfortable rating risk or proposing risk plans. We have simplified the reporting form, which now requires staff to describe the risk and how it impacts on the organisation or their jobs, together with any other comments or suggestions they wish to make. This process can also be done informally through a phone call or email. Functional area specialists, with input from the risk manager, now take responsibility for assessing and evaluating risks and developing response strategies.

Also, many staff felt that nothing happened with risks or incidents they reported, which resulted in many staff not reporting risks they were aware of. We now use internal communication channels to show staff what has been done to address their particular concerns. We expect this approach to increase participation in risk identification and solution."

Risk Officer, General Government

4.2.1.5 References and links: Toolkit reference: Appendix G: Communication and consultation plan - template


4.2.2 Establish the context

[Process diagram: Communicate and Consult; Establish Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat Risks; Monitor and Review]

4.2.2.1 What is it?

Establishing the context is concerned with understanding the background of the organisation and its risks, scoping the risk management activities being undertaken, and developing a structure for the risk management tasks to follow. Many of the internal and external parameters that constitute an organisation's context are similar to those considered when developing the risk management framework (refer to section 4). However, when applied to the risk management process, they need to be considered in greater detail, and particularly in terms of how they relate to each step of the risk management process.

4.2.2.2 Why do it?

The objective of this step is to provide a comprehensive appreciation of all the factors that may influence the ability of an organisation to achieve its intended outcomes. The outcome is a concise statement of the organisational objectives and specific criteria for success, the objectives and scope for risk management, and a set of key elements for structuring the risk identification activity in the next stage.

4.2.2.3 How to establish the context

This process requires the following key steps:
- understand your external context
- understand your internal context
- develop your risk management context.


Establishing Context (diagram)

External Context
- Cultural, political, legal, regulatory, financial, economic and competitive environment, whether international, national or regional
- Key drivers and trends having impact on the objectives of the organisation
- Perceptions and values of external stakeholders. It is particularly important to take into account the perceptions and values of external stakeholders and establish policies for communication with these parties.

Internal Context
- Capabilities (e.g. capital, people, competencies, processes, systems and technologies)
- Information flows and decision-making processes
- Internal stakeholders
- Objectives, and the strategies that are in place to achieve them
- Perceptions, values and culture
- Policies and processes
- Standards and reference models adopted by the organisation
- Structures (e.g. governance, roles and accountabilities).

Risk Management Context
- Definition of responsibilities
- Depth and breadth of the risk management activities to be carried out, including specific inclusions and exclusions
- Extent of the project, process, function, or activity in terms of time or location
- Project, process, function, or activity and its goals and objectives
- Relationship between a particular project or activity and other projects or activities of the organisation
- Definition of risk assessment methodologies
- How performance is evaluated in the management of risks
- What decisions have to be made
- Scoping or framing studies needed, their extent, objectives, and the resources required for such studies

Outputs shown in the diagram: Risk Management Framework, Risk Management Policy, Risk Assessment Criteria, Risk Tolerance.

i) Understand external context According to the Standard, the external context defines the external environment in which the organisation operates. It also defines the relationship between the organisation and its external environment as illustrated by the diagram above. Understanding the external context is important to ensure that stakeholders and their objectives are considered when developing risk management criteria and that externally generated threats and opportunities are captured during the risk identification step.


ii) Understand internal context

Understanding the organisation is required before commencing any risk management activity, at any level. According to the Standard, understanding the internal context is important because:
- risk management takes place in the context of the goals and objectives of the organisation
- the major risk for most organisations is that they fail to achieve their strategic, business or project objectives, or are perceived to have failed by stakeholders
- organisational objectives, policies, and processes help define the organisation's risk management policy, and the specific objectives and criteria of a project.

Hamishtown Regional Health (HRH) and Melbourne Education Services (MES)

In order for risk management systems and processes to reflect each organisation's specific needs, the following steps were taken prior to conducting formal risk identification exercises:
- identifying key stakeholders who would need to be involved in risk management communication
- definition of risk categories to reflect the types of risk faced by the organisation
- definition and approval of risk criteria (risk rating scales) to be used when assessing and prioritising risks.

Stakeholders: The identification of stakeholders will assist in identifying stakeholders who may need to be included in risk communication plans, as well as those who may either be a source of risk for the organisation or that it may work together with to define or implement risk treatment strategies and plans. HRH and MES, as public sector organisations, share common stakeholder groups, such as DTF, VAGO and the Press. However, each organisation will have unique stakeholders that reflect its specific industry or sector focus, such as the Curriculum and Assessment Authority that provides services to educational institutions. The following stakeholders were identified during the definition of HRH's and MES's initial risk planning processes.


Stakeholders identified by HRH and MES

Internal
- Common: Staff; Management; Executive; Board of Management; Management Committees
- HRH-specific: Patients; Doctors; Nurses
- MES-specific: Academic Staff; Support Staff; Executive Team; MES Council and Senate; Compliance Committees; Operational Committees; Australian Students; Students; Student Societies

External
- Common: Local Community; State Government; Community Organisations; Charities; Press; Suppliers; VAGO; DTF; Trade Unions; Other Departments; Education Institutions; WorkSafe
- HRH-specific: DHS; Health Services; Minister of Health; ACHS
- MES-specific: DEECD; Australian Universities Quality Agency (AUQA); Higher Learning Institutions; Feeder Schools; Minister of Education; Staff Unions (VTA, AEU); Examination Bodies; Victorian Curriculum & Assessment Authority (VCAA)


iii) Develop risk management context

After understanding the internal and external context, the next step is to develop the risk management context for your organisation. The Risk Standard recommends taking into consideration the following when developing your risk management context:
- objectives and strategies for risk management
- scope, i.e. the parts of the organisation where you apply the risk management processes
- parameters for risk management activities
- resources required
- records to be established.

The outcome of this process is to ensure that the risk management approach adopted is appropriate and proportionate to the situation of the organisation and to the risks affecting the achievement of its objectives.

Risk management context application: risk tolerance

Once the risk management context is understood and established, a key output of the process is risk tolerance. Risk tolerance is defined as an organisation's readiness to bear the risk, after treatment, in order to achieve its objectives.

Organisations are prepared to tolerate some risks under certain circumstances in return for specified benefits. Tolerance levels may vary by context and are influenced by the:
- ability and willingness of the board and executive to take and manage risks
- size and type of organisation
- maturity and sophistication of risk management processes and control environments
- financial strength of the organisation and its ability to withstand shocks
- sector in which the organisation operates.

How do you establish your risk tolerance?

The typical steps involved in establishing and implementing risk tolerance are:
1. Complete an analysis of the organisation's ability to physically and financially recover from a significant event (e.g. a human influenza pandemic, loss of a major plant or facility, inability to supply or manufacture product, loss of a major business partner, a credit crunch, etc.).
2. The above analysis will highlight the need for and importance of contingency plans, financial, physical and human resources, and the importance of controls. From the analysis, determine the tolerance the organisation can bear or accept.
3. Management determines the level of tolerance, which should then be endorsed by the board.

The risk tolerance levels set by the organisation will be reflected in the risk rating scales used to assess organisational risks.

How do you define risk tolerance levels?

Risk tolerance levels can be defined by dividing risks into a number of bands as appropriate for the organisation (three in this example):
- An upper band where adverse risks are intolerable, whatever benefits the activity may bring, and risk reduction measures are essential whatever their cost.
- A middle band (or grey area) where costs and benefits are taken into account and opportunities balanced against potential adverse consequences.
- A lower band where positive or negative risks are negligible, or the costs associated with implementing treatment actions outweigh the costs of the impact of the risk should it occur.

These levels of risk tolerance will help determine the type and extent of actions required to treat risks, and the level of management/board attention required in managing and monitoring the risks. Risk tolerance levels can be practically defined through colour coding of a risk likelihood/consequence matrix. This is illustrated in the following sample risk matrix (or heat map):


Sample Risk Heat Map

[Heat map: Likelihood on the vertical axis (Almost certain, Likely, Possible, Unlikely, Rare) against Consequence on the horizontal axis (Insignificant, Minor, Moderate, Major, Extreme); each cell is colour coded to a risk rating of High, Medium or Low. Colour coding not reproduced.]

Risk Rating and Escalation

High
- Immediate escalation of risk to senior management for prioritised risk and treatment plan response
- Weekly reviews of progress by senior management to be undertaken

Medium
- Escalation of risk to line management for discussion on appropriate treatment plan response
- Monthly monitoring of risk and progress of risk response or treatment plans to be undertaken as part of existing local meetings

Low
- Bi-monthly monitoring of risk and progress of risk response or treatment plans to be undertaken as part of existing local meetings
- No immediate need to develop further treatment plans or response strategies

Risk management context application: risk criteria

Having established its risk tolerance, the organisation can now develop its risk criteria. The risk criteria take into consideration the risk management context and are the basis on which risks are analysed and evaluated. Risk criteria express the organisation's values, objectives and resources. Some criteria may be imposed by, or derived from, legal and regulatory requirements. Risk criteria should be consistent with the organisation's risk management policy.

When defining risk criteria, factors to be considered should include the following:
- how likelihood will be defined
- how the level of risk is to be determined
- the nature and types of consequences that may occur and how they will be measured
- the level at which risk becomes acceptable
- the timeframe of the likelihood and/or consequence
- what level of risk may require treatment
- whether combinations of multiple risks should be taken into account.

The following diagrams illustrate what risk criteria may look like and the key elements included.

Risk Criteria: Consequence

Consequence criteria will depend on the nature of the agency and its organisational purpose and strategies. In this example there are five different criteria (Financial, Legal, Environmental, Service Delivery, Safety). The description rating is defined based on the different levels of impact; the ratings could be from 1-3 or 1-5 or any other variation that is appropriate to the context of the agency.

Catastrophic (5)
- Financial: Loss of over $5M; budget reduced by 30%
- Legal: Severe failure in statutory duty; extreme failure to comply with legislation and regulations
- Environmental: Irreversible environmental harm, and/or environmental harm that is reversible within 10 years
- Service Delivery: Outage of non-critical service for more than 2 weeks; outage of critical service for one day or more
- Safety: Single fatality or significant irreversible disability to greater than 2 persons

Major (4)
- Financial: Loss of between $1M and $5M; budget reduced by 20%
- Legal: Partial failure in statutory duty; major failure to comply with legislation and regulations
- Environmental: Environmental harm that is reversible within 5 years
- Service Delivery: Outage of non-critical service for 1-2 weeks; outage of critical service for less than one day
- Safety: Significant irreversible disability to less than 2 persons, or significant reversible disability to greater than 2 persons

Moderate (3)
- Financial: Loss of between $200,000 and $1M; budget reduced by 10%
- Legal: Serious failure to comply with legislation and regulations; moderate failure in statutory duty
- Environmental: Environmental harm that is reversible within 2 years
- Service Delivery: Outage of non-critical service for 3-7 days
- Safety: Significant reversible disability to less than 2 persons

Minor (2)
- Financial: Loss of between $50,000 and $200,000; budget reduced by 5%-10%
- Legal: Minor legal issues, non-compliances and/or breaches
- Environmental: Minor, transient environmental harm
- Service Delivery: Outage of non-critical service for 1-3 days
- Safety: Minor medical attention required

Insignificant (1)
- Financial: Loss of under $50,000; budget reduced by less than 5%
- Legal: Minor legal issues that could be easily resolved
- Environmental: Single incident resulting in no material environmental harm
- Service Delivery: Outage of non-critical service for less than 1 day
- Safety: First aid treatment only

Customised consequence rating scale for Hamishtown Regional Health (HRH)

Hamishtown Regional Health has customised its Consequence scales to reflect its organisational context, specifically its Financial criteria, where a loss of greater than $100,000 is the Catastrophic threshold, reflecting its relatively small size and budget. Similarly, its impact descriptions include reference to patient safety and harm, reflecting its core operational focus.

Score 1, Insignificant
- Financial loss: less than $5,000
- Reputation: Little or no impact
- Legal: Little or no impact
- Operational: Little or no impact

Score 2, Minor
- Financial loss: $5,000 to $25,000
- Reputation: Sporadic localised unfavourable publicity; no impact on staff morale
- Legal: Minor delays in meeting legal requirements/fulfilling SLAs etc.
- Operational: Inefficiencies and/or delays in delivery of support services and non-critical functions. No impact on patient care standards.

Score 3, Moderate
- Financial loss: $25,000 to $50,000
- Reputation: Localised negative publicity; short-term impact on staff morale, managed by an appropriate response by the institution's Communication function
- Legal: Breach of material terms of key contracts/SLAs. Threat of legal action against the institution, but able to be resolved through negotiation/remedial action.
- Operational: Inability to provide key support services according to minimal expected service levels (billing, security, payroll, canteen, staff training etc.). No notable impact on patient care standards. Low probability of patient harm.

Score 4, Major
- Financial loss: $50,000 to $100,000
- Reputation: Significant/continued negative publicity in local/regional press; low staff morale; intervention of the institution's CEO to answer public concerns
- Legal: Noticeable increase in claims and legal liability; most exposures covered by existing insurance cover
- Operational: Delays and inefficiencies in core processes and systems impacting significantly on quality of patient care standards. Increased risk of serious patient injury, disability or sentinel event.

Score 5, Catastrophic
- Financial loss: more than $100,000
- Reputation: Significant/continued negative publicity in national press; loss of key staff; permanent loss of public trust; withdrawal of funding/key grants; intervention of the Minister
- Legal: Significant increase in legal exposures/claims; critical services impacted by cancellation of supplier contracts; significant exposures not insured
- Operational: Critical processes/systems not available for an extended period. Inability to perform core patient care functions. Prolonged inability to provide basic medical services. High probability of multiple preventable deaths due to interruptions to basic services or staff negligence or malice.

In addition to the above categories, MES also uses the following consequence categories: reputation, health and safety, and business interruption. MES has also set its financial thresholds considerably higher to reflect its larger size: (catastrophic: > $5,000,000; and insignificant <$50,000).


Risk Criteria: Likelihood

Rating of likelihood is typically from 1-5; in some cases it is from 1-3. The Descriptor defines what each point of the likelihood scale means; the Description defines in further detail what the rating means in the context of the agency; the Frequency indicates the timeframe within which the event is likely to occur for a given rating.

- 5, Almost certain: Multiple incidents have been recorded. Expected to occur once a year or more frequently.
- 4, Likely: Several incidents have been recorded. Expected to occur once every three years.
- 3, 50/50: Some incidents have been recorded. Expected to occur once every ten years.
- 2, Unlikely: Few recorded or known incidents. Expected to occur once every thirty years.
- 1, Rare: No recorded or known incidents. Expected to occur once every 100 years.

The following illustrates a customised organisational likelihood scale:

Customised likelihood rating scale for HRH

- Score 1, Rare: Highly unlikely to occur in the next 5 years. No history of the adverse event in the organisation.
- Score 2, Unlikely: Event not likely to occur in the next 12 months, but there is a slight possibility of occurrence.
- Score 3, Possible: 50/50 chance of the event occurring within the next year. The event is equally likely to occur as not.
- Score 4, Likely: There is a strong likelihood that the event will occur at least once in the next 6-12 months. History of event/s in the institution or similar organisations.
- Score 5, Almost certain: The adverse event will definitely occur, probably multiple times in a year.


Control effectiveness criteria: When analysing a risk, it is important to understand the effectiveness of the current controls that are in place. Controls are the systems, processes, policies etc. that are implemented to reduce risk levels, either by reducing the consequence of a risk if it does occur and/or by reducing the likelihood of the risk occurring. For example, fire extinguishers and other fire suppression systems are controls that reduce the consequences (injury and damage) of a fire. Similarly, the risks associated with unauthorised access to confidential records can be reduced by secure document storage, including document safes for paper records and databases with authenticated, least-privilege access for electronic records.

Where controls are operating effectively and as intended, they will reduce the level of risk. Conversely, where a control is not effective, is not working as designed, or there are no controls in place, control effectiveness will be low and the risk level will not be reduced. A control can fail in design (it does not address the root cause of the risk) or in operation (it is well designed but not consistently applied); the scale below rates both. In the first instance, managers should be able to make a subjective assessment of the effectiveness of the control using a control effectiveness rating scale such as the one shown below:

Sample Risk Criteria: Control Effectiveness

Rating defines what each point on the control effectiveness scale means; the ratings could be from 1-5 or 1-3 or any other variation that is appropriate in the context of the agency. The Descriptor defines in further detail what the rating means in the context of the agency, taking into account the effectiveness of both the design and the operation of the controls.

- Good: Nothing more to be done except review and monitor the existing controls. Controls are well designed for the risk, address the root causes, and Management believes that they are effective and reliable at all times.
- Satisfactory: Most controls are designed correctly and are in place and effective. Some more work to be done to improve operating effectiveness, or Management has doubts about operational effectiveness and reliability.
- Poor: While the design of the controls may be largely correct in that they treat most of the root causes of the risk, they are not currently very effective. Or: some of the controls do not seem correctly designed in that they do not operate at all effectively.
- Very Poor: Significant control gaps. Either controls do not treat root causes or they do not operate at all effectively.
- Uncontrolled: Virtually no credible control. Management has no confidence that any degree of control is being achieved due to poor control design and/or very limited operational effectiveness.

Source: HB 158-2006
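The heat map, the escalation table and the control effectiveness scale above are easiest to see working together on a small risk register. The following Python script is an example added by the editor; it is not from the VMIA guide or its toolkit. It scores risks on the guide's 5x5 likelihood/consequence descriptors, applies the HB 158-2006 control effectiveness rating to derive a residual rating, bands the result as High/Medium/Low and returns the escalation action from the table. Three things are the editor's assumptions rather than the guide's: the colouring of the heat map cells (the guide's figure is not reproduced above), the rule that Good and Satisfactory controls buy back two and one steps of likelihood respectively while Poor and below earn no credit, and the entries in the sample register.

```python
"""Risk rating worked example (editor's addition, not VMIA guide material).

Scores a small register on the guide's 5x5 likelihood/consequence scales,
applies the HB 158-2006 control effectiveness rating, bands the residual
score with a heat map and returns the escalation action.
"""
from dataclasses import dataclass
from typing import Dict, List

# Descriptors as used on the guide's sample heat map.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Extreme": 5}

# ASSUMED colouring of the 5x5 heat map. Rows run from likelihood 5 (top)
# down to 1; columns run from consequence 1 (left) to 5. L/M/H = Low/Medium/High.
HEAT_MAP = [
    "MHHHH",  # Almost certain
    "MMHHH",  # Likely
    "LMMHH",  # Possible
    "LLMMH",  # Unlikely
    "LLLMM",  # Rare
]
BAND = {"L": "Low", "M": "Medium", "H": "High"}

# ASSUMED credit rule: steps of likelihood an effective control set removes.
# The guide states that ineffective controls do not reduce the risk level,
# so Poor, Very Poor and Uncontrolled earn no credit.
CONTROL_CREDIT = {"Good": 2, "Satisfactory": 1, "Poor": 0, "Very Poor": 0, "Uncontrolled": 0}

# Escalation actions, condensed from the guide's Risk Rating / Escalation table.
ESCALATION = {
    "High": "Immediate escalation to senior management for a prioritised treatment plan; weekly senior-management review",
    "Medium": "Escalate to line management for a treatment plan; monthly monitoring at existing local meetings",
    "Low": "Bi-monthly monitoring at existing local meetings; no further treatment plan needed",
}


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str
    control_effectiveness: str


def rating(likelihood: int, consequence: int) -> str:
    """Look up the heat map cell for a 1..5 likelihood and 1..5 consequence."""
    return BAND[HEAT_MAP[5 - likelihood][consequence - 1]]


def assess(risk: Risk) -> Dict[str, object]:
    """Inherent rating, residual rating after control credit, and the escalation."""
    l = LIKELIHOOD[risk.likelihood]
    c = CONSEQUENCE[risk.consequence]
    inherent = rating(l, c)
    credit = CONTROL_CREDIT[risk.control_effectiveness]
    residual = rating(max(1, l - credit), c)
    return {
        "name": risk.name,
        "inherent": inherent,
        "residual": residual,
        "escalation": ESCALATION[residual],
        # Upper band of the guide's tolerance model: a High residual rating with
        # controls that earn no credit must be treated regardless of cost.
        "intolerable": residual == "High" and credit == 0,
    }


def prioritise(register: List[Risk]) -> List[Dict[str, object]]:
    """Assessments ordered High first; sort is stable so register order breaks ties."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted((assess(r) for r in register), key=lambda a: order[a["residual"]])


# CONSTRUCTED sample register for illustration; not taken from the guide.
SAMPLE_REGISTER = [
    Risk("Unauthorised access to patient records", "Possible", "Major", "Satisfactory"),
    Risk("Ransomware outage of critical clinical systems", "Likely", "Extreme", "Poor"),
    Risk("Loss of a single laptop holding encrypted data", "Almost certain", "Minor", "Good"),
    Risk("Late filing of an annual statutory return", "Unlikely", "Moderate", "Uncontrolled"),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_REGISTER):
        flag = " [INTOLERABLE]" if a["intolerable"] else ""
        print(f"{a['residual']:6} (inherent {a['inherent']:6}) {a['name']}{flag}")
        print(f"    -> {a['escalation']}")
```

Running the script prints the register ordered by residual rating: the ransomware entry stays High under Poor controls and is flagged as sitting in the intolerable band, while the record-access and laptop entries drop from High to Medium once their controls are credited. An organisation would substitute its own matrix colouring and its own credit rule; the point of writing it down this way is that the adjustment for controls is explicit and auditable rather than a judgement buried in a spreadsheet cell.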


Periodic independent assurance is also needed to provide an objective view, based on testing of controls, of the adequacy and effectiveness of the controls. Independent verification of control effectiveness can be sought from external and internal auditors.

4.2.2.4 Communication and consultation and monitoring and review activities

The following table describes the steps to follow in establishing and subsequently monitoring and reviewing the organisation's risk context:

Establish the context: Monitoring and Review
- Monitor any strategic changes as identified in the strategic planning cycle. Review the current risk management context to ensure it remains aligned to the strategic intent of the organisation.
- Monitor significant changes to business operations. These merit a review of the risk management context in view of potential changes to the internal context.
- Monitor any changes in the external environment. Review the current risk management context to ensure that it remains relevant considering the changes.
- Workshops once or twice a year with key stakeholders may help to ensure the context for risk management remains relevant.

Establish the context: Communication and Consultation
- Identify which stakeholders need to be consulted or taken into consideration in establishing the risk management context.
- Using the stakeholder consultation plan template, establish how the organisation will consult these stakeholders. Examples of consultation processes that may be applicable at this stage include interviews and workshops with key executives.
- Articulate the risk management context in the risk management framework and policy, which is then signed off by the board. Communicate this by presenting it to the executive team meeting.

4.2.2.5 Toolkit references: Toolkit reference: Appendix F: Common risk categories for the public sector Appendix G: Stakeholder communication and consultation plan - template Appendix J: Risk rating criteria - template


4.2.3 Risk identification

[Process diagram: Communicate and Consult; Establish Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat Risks; Monitor and Review]

4.2.3.1 What is it?

The Standard defines risk identification as the process of determining what, where, when, why, and how something could happen.

4.2.3.2 Why do it?

The objective of risk identification is to generate a comprehensive list of risks based on those events and circumstances that might enhance, prevent, degrade or delay the achievement of the objectives. This list of risks is then used to guide the analysis, evaluation, treatment and monitoring of key risks. Comprehensive identification and recording is critical, because a risk that is not identified at this stage may be excluded from further analysis. The risk identification process should include all risks, whether or not they are under the control of the organisation. In identifying risks, it is also important to consider the risks associated with not pursuing an opportunity, e.g. loss of market share.

4.2.3.3 How to identify risks

This section covers the key steps necessary to effectively identify risks from across the organisation. These steps are:
i) understand what to consider when identifying risks
ii) gather information from different sources to identify risks
iii) apply risk identification tools and techniques
iv) use risk categories for comprehensiveness
v) document the risks
vi) document the risk identification process
vii) assess the effectiveness of the risk identification process.


i) Understand what to consider The Standard recommends that in order to develop a comprehensive list of risks, a systematic process should be used that starts with the statement of context. To demonstrate that risks have been identified effectively, it is useful to step through the process, project or activity in a structured way using the key elements defined while establishing the context. This can help provide confidence that the process of risk identification is complete and major issues have not been missed. The process then asks the following questions about each of the key elements:

Risk Identification

What might happen that could:
- increase or decrease the effective achievement of objectives
- make the achievement of the objectives more or less efficient (e.g. financial, people, time)
- cause stakeholders to take action that may influence the achievement of objectives
- produce additional benefits?

What is the source of each risk?

Other considerations:
- What would the effect on objectives be?
- When, where, why and how are these risks (both positive and negative) likely to occur?
- Who might be involved or impacted?
- What controls currently exist to treat this risk (maximise positive risks or minimise negative risks)?
- What could cause the control not to have the desired effect on the risk?

ii) Gather information to identify risks

Good quality information is important in identifying risks. The starting point for risk identification may be historical information about this or similar organisations, followed by discussions with a wide range of stakeholders about historical, current and evolving issues. Some examples are listed below.


Risk Identification: Tools & Techniques
- Structured Interviews
- Strategic and Business Plans
- Post-event Reports
- Surveys and Questionnaires
- Focus Groups
- Checklists
- Audit Reports
- Local and Overseas Experience

Risk statement form shown in the diagram: (something happens) leading to (outcomes expressed in terms of impact on Objectives).

iii) Apply risk identification tools and techniques

The Standard recommends that organisations apply a set of risk identification tools and techniques suited to their objectives and capabilities, and to the risks the organisation faces. Relevant and up-to-date information is important in identifying risks; this should include suitable background information where possible. People with appropriate knowledge should be involved in identifying risks.

Approaches used to identify risks could include the use of checklists, judgements based on experience and records, flow charts, brainstorming, systems analysis, scenario analysis, and systems engineering techniques. The approach used will depend on the nature of the activities under review, the types of risks, the organisational context, and the purpose of the risk management exercise. Team-based brainstorming in facilitated workshops, for example, is a preferred approach as it encourages commitment, considers different perspectives and incorporates differing experiences. Structured techniques such as flow charting, system design review, systems analysis, Hazard and Operability (HAZOP) studies and operational modelling should be used where the potential consequences are catastrophic and the use of such intensive techniques is cost effective. For less clearly defined situations, such as the identification of strategic risks, processes with a more general structure, such as what-if and scenario analysis, could be used.

Where the resources available for risk identification and analysis are constrained, the structure and approach may have to be adapted to achieve efficient outcomes within budget limitations. For example, where less time is available, a smaller number of key elements may be considered at a higher level, or a checklist may be used.


iv) Use relevant risk categories for comprehensiveness

The risk profiles of public sector organisations may differ from those of commercial organisations, given the difference in organisational objectives and stakeholder groups. A possible public sector risk categorisation model is illustrated below:

EXAMPLE: Public Sector Risk Categories (diagram)

Top-level categories: Strategic; Governance; Stakeholder; Operations (Process, Market Structure, Physical Asset, People & Culture); Legal; Financial; Information.

Elements shown under the Stakeholder, Governance, Strategic, Operations and Legal categories include: VAGO; Public; Business Partner; Financial Institutions; Public entities; Other Departments/Agencies; Trade Unions; Minister; DTF; National Government; Victorian Cabinet; Service Provider; Strategic Planning; Resource Allocation; Authority & Responsibility; Monitoring; Reputation; Environment; Principles; Elements; Economic; Change Management; Regulatory Framework; Fiscal; Growth Strategy & Development; Competitor; Market Dynamics; Logistics; Ethics; Internal Audit; PPP & Procurement; Support Processes; Transfer Payments; Supply Chain Management; Service Delivery; New Service Development; Budget Implementation; Other Tangibles; Fleet; Equipment; Plant, Estate & Property; Skills Development; Human Resources; Occupational Health & Safety; Compliance & Reporting; Accounting Norms & Standards; Fraud; Legislative & Regulatory; Contract; Liability.

Financial
- Capital Structure: Equity; Debt
- Liquidity & Credit: Collectability; Cash Management & Treasury; Funding
- Market: Interest Rate; Foreign Exchange; Economic Indicators; Capital Markets; CPIX
- Reporting: Accounting; Regulatory & Compliance

Information
- IT Systems: IT Strategy, Planning; Hardware; Software; Networks; Policies & Procedures; Change Management, Control; Security; Archiving
- Information Management: Database Planning & Development; Organisation & Monitoring; Operations; Business Continuity
- Intellectual Property: Intangible Capital/Assets; Knowledge Management; Intangible Assets


Risk Categorisation Model: HRH

HRH has agreed on the following risk categories against which to measure risk. It is anticipated that a significant number of risks will fall in the clinical category, as this represents the core service delivery area for the health service.


MES Risk Categories

The MES Risk Committee has developed and approved the following risk categories. In addition to standard risk categories, curriculum-related risk and student support services have been defined as core operational risk areas for the education institution. The Risk and Audit Committee defined a draft risk categorisation model, which was modified to reflect additional risk categories identified after an initial risk brainstorming session was held with the Executive Team.

RISK CATEGORIES

STRATEGIC: STRATEGIC PLANNING, GOVERNANCE, STAKEHOLDER RELATIONS, LEGISLATION & COMPLIANCE, REPUTATION, BUSINESS CONTINUITY, MARKET CONDITIONS, NATURAL RESOURCES, QUALITY OF STUDENT OUTCOMES, INNOVATION & RESEARCH, FUNDING & SUSTAINABILITY

OPERATIONAL: CURRICULUM DEVELOPMENT, CURRICULUM DELIVERY, EXAMINATIONS, HR & TRAINING, OCC. HEALTH & SAFETY, SUPPLY CHAIN, LEGAL & CONTRACTS, OTHER ASSET MANAGEMENT, FACILITIES MANAGEMENT, STUDENT SUPPORT SERVICES

FINANCIAL: BUDGETING, LIQUIDITY AND CREDIT, REPORTING, CAPITAL, DEBTORS, FRAUD & THEFT, GRANTS & BURSARIES

IT AND INFORMATION: SYSTEM DESIGN, INFORMATION SECURITY, QUALITY OF INFORMATION, INTELLECTUAL PROPERTY

Toolkit reference: Appendix F: Common risk categories for the public sector

v) Document the risks identified

The risks identified during risk identification are typically documented in a risk register that, at this stage in the risk assessment process, includes:
- the risk description
- how and why the risk can happen (i.e. causes and consequences)
- the existing internal controls that may reduce the likelihood or consequences of the risk.

It is critically important at this stage to understand the cause-effect relationships between a risk, its causes, and the potential consequences should the risk occur. If the wrong risk is identified at this stage (e.g. causes or consequences, rather than the actual risk itself), it will reduce the value of the rest of the risk management process.


The VMIA has found that one of the weakest elements of an organisation's risk framework can be the capturing and defining of risks. It is essential when describing a risk to consider the following three elements:

- description/event: an occurrence or a particular set of circumstances
- causes: the factors that may contribute to a risk occurring or increase the likelihood of a risk occurring
- consequences: the outcome(s) or impact(s) of an event.

It is the combination of these elements that makes up a risk, and this level of detail will enable an organisation to understand the risk more completely.

One can see from the following examples that failure to correctly define your risks will have flow-on effects on your control identification, mitigation plans and ultimately reporting. It's the old "garbage in, garbage out" analogy. Below, we have provided some examples of good and poor risk descriptions:

Example 1: Good Risk Descriptions


Example 2: Poor Risk Descriptions

Explanation

"Lack of succession planning" is a lack of a control.

"Fines" are really the impact on the organisation. Also, the reason for identifying the cause is so that you can identify the right controls. This description is so wide that a control is difficult to define, other than putting in place a full compliance program.

"System not backed up" is a control failure. Also, an IT failure is not the cause of the system not being backed up; poor work practices are.

vi) Document your risk identification process

In addition to documenting the risks identified, it is also necessary to document the risk identification process, to help guide future risk identification exercises and to ensure good practices are maintained by drawing on lessons learned through previous exercises. Documentation of this step should include:
- the approach or method used for identifying risks
- the scope covered by the identification
- the participants in the risk identification and the information sources consulted.


4.2.3.4 Communication and consultation and monitoring and review activities

Risk identification: Monitoring and Review
- Monitor the reliability / currency of the sources of information used to identify risks.
- Monitor any changes / enhancements to the risk identification process over the period.
- Monitor the impact these changes may have on future risk identification exercises.

Risk identification: Communication and Consultation
- Identify the key stakeholders who need to be informed of the risk identification process and how it will be implemented across the organisation.
- Communicate / articulate the risk identification process to ensure all stakeholders are aware of and understand the process.
- Consultation may include:
  o Risk identification consultation plan.

4.2.3.5 References and links

Toolkit reference:
- Appendix I: Common example risks
- Appendix F: Common risk categories for the public sector


4.2.4 Analyse risks

[Figure: risk management process overview (Communicate and Consult; Establish Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat Risks; Monitor and Review).]

4.2.4.1 What is it?

The Standard defines risk analysis as a systematic process to understand the nature of risk and determine the level of risk. The risk analysis step aims to develop an understanding of the risk. It provides an input to decisions on whether risks need to be treated and on the most appropriate and cost-effective risk treatment strategies.

4.2.4.2 Why do it?

Risk analysis is a fundamental component of the risk management process. It helps to guide the evaluation of risks by defining the key parameters of the risk and how these may impact on the achievement of organisational objectives. One of the key outcomes of the risk analysis process is determining levels of risk exposure for the organisation. In addition, the data and related information collected during the risk analysis process can be used to assist in guiding risk treatment decisions.

4.2.4.3 How to analyse risks

Risk analysis involves the following key steps:
1) identify and evaluate existing control effectiveness
2) determine risk likelihood (probability or frequency of risk occurrence)
3) determine risk consequence (outcome or impact of an event)
4) determine risk level.

The following section on how to analyse risks is structured as follows:
i) identify and evaluate existing controls
ii) determine risk consequence and likelihood
iii) determine overall risk level
iv) document your risk analysis process.

i) Identify and evaluate existing controls

When assessing a risk, it is important to identify what controls are in place to mitigate the risk. Many controls are built into existing business operations and systems.


Examples of controls:
- Controlled physical access (e.g. security codes, access cards, security personnel)
- Employee code of conduct
- Media and public relations strategies/protocols
- Specified training (e.g. software, hazardous substances)
- Automated software controls (e.g. temperature control)
- Policies and procedures
- Standardised business processes
- Insurance
- Quality control management
- Budget management
- Outsourcing functions to specialists
- Formalised contracts and Service Level Agreements
- Audits (internal and external).

Controls should be considered on the basis of:
- design effectiveness: is the control fit for purpose in theory, i.e. is the control designed appropriately for the function for which it is intended
- operational effectiveness: does the control work as practically intended.

In order to understand the level of residual risk remaining after controls have been taken into account, it is essential as part of the risk analysis process to be able to estimate the effectiveness of existing controls.

In the first instance, management should be able to make a subjective assessment of the effectiveness of the controls using a rating scale such as that contained in section 4.2.2.3. Periodic independent assurance (e.g. internal and external audit) is also needed to provide an objective view, based on testing, of the adequacy and effectiveness of the controls. It is useful to involve staff with an understanding of the controls when rating them. Internal audit, business analysts and operational/financial management can all provide input into control identification and assessment. A well-designed and implemented control can often mitigate or reduce more than one risk or type of risk.


ii) Determine risk consequence and likelihood

The Standard recommends that the magnitude of the consequences of an event, should it occur, and the likelihood of the event and its associated consequences, should be assessed in the context of the effectiveness of the existing strategies and controls. Consequences and likelihood may be estimated using statistical analysis and calculations. Where no reliable or relevant past data is available, subjective estimates may be made which reflect an individual's or group's degree of belief that a particular event or outcome will occur. The most relevant sources of information and techniques should be used when analysing consequences and likelihood.

Sources of information:
- Past records
- Practice and relevant experience
- Relevant published literature
- Market research
- The results of public consultation
- Experiments and prototypes
- Economic, engineering or other models
- Specialist and expert judgements.

Techniques:
- Structured interviews with experts in the area of interest
- Use of multi-disciplinary groups of experts
- Individual evaluations using questionnaires
- Use of models and simulations.


Types of Analysis

Risk analysis may be undertaken to varying degrees of detail depending upon the risk, the purpose of the analysis, and the information, data and resources available. Analysis may be qualitative, semi-quantitative or quantitative, or a combination of these, depending on the circumstances. The order of complexity and cost of these analyses, in ascending order, is qualitative, semi-quantitative and quantitative. In practice, qualitative analysis is often used first to obtain a general indication of the level of risk and to reveal the major risk issues. Later it may be necessary to undertake more specific or quantitative analysis on the major risk issues. The form of analysis should be consistent with the risk evaluation criteria developed as part of establishing the risk management context (see section ABC).

Qualitative Analysis
- Use of words to describe the magnitude of potential consequences and the likelihood that those consequences will occur
- Scales can be adjusted to suit the circumstances, and different descriptions may be used for different risks
- Typically used in presenting the overall risk profile, i.e. a heat map

Semi-quantitative Analysis
- Use of nominal ranking scales, i.e. values are assigned to likelihood and consequence scales
- Numbers should only be combined using a formula that recognises the limitations of the kinds of scales used
- Scales are context-specific
- Typically used in prioritising risks based on numerical ranking

Quantitative Analysis
- Use of numerical values for both consequences and likelihood
- Quality of analysis depends on accuracy and completeness of the numerical values used
- Consequences may be determined by modelling the outcomes of an event or set of events, or by extrapolation from experimental studies or past data
- Typically used in deriving financial risk reserves

[Figure (marked "Illustration to be updated"): illustrative risk matrix with Likelihood on the vertical axis (Rare, Unlikely, Moderate, Likely, Almost Certain) and Consequence on the horizontal axis (Low, Minor, Moderate, High, Extreme), with numbered risks 1 to 15 plotted. Two worked ratings are called out:

Semi-quantitative: CONSEQUENCE: 4 (out of 5) Major; LIKELIHOOD: 2 (out of 5) Unlikely; OVERALL RISK = 4 * 2 = 8 (out of 25).

Quantitative: LIKELIHOOD: 50% (within 1 year) Possible; CONSEQUENCE: $120,000 Significant; OVERALL RISK EXPOSURE: 50% * $120,000 = $60,000.]


Before you determine the overall risk rating you will need to determine the level of likelihood and consequence for each risk. Each organisation will need to establish its own likelihood and consequence tables. An example risk consequence scale is shown below:

The categories below are potential categories only; from the review of the organisation's risk universe, consider those most applicable to the particular organisation.

[Table: example risk consequence scale. Columns: Description, Financial Rating, Service Quality, Reputation, People & Knowledge, Stakeholders, Compliance Governance & Legal, Systems & Processes. Rating levels (rows): Fundamental, Major, Moderate, Minor, Insignificant. The descriptive cell contents are not reproduced here.]


It is also necessary to establish your likelihood table. A generic sample is noted below (the Frequency and Description/s columns are blank in the sample, to be completed by the organisation).

Rating | Descriptor | Frequency | Description/s
5 | Almost Certain | |
4 | Likely | |
3 | Possible | |
2 | Unlikely | |
1 | Remote | |

iii) Determine the overall risk rating

Once you have rated the likelihood and consequence, combine the two to determine the overall risk rating. Based on the risk analysis, risks are classified by level to determine the appropriate level of response to those risks. Specific responses are defined in the Treat Risks phase.

Risk Analysis: Sample Risk Severity Rating Scale

RATING RANGE | QUALITATIVE RATING | LIKELY RESPONSE

1-4 | LOW | No immediate response required. Risk ownership may not be allocated. Could be excluded from risk monitoring activities. Infrequent re-evaluation of risk.

5-9 | MODERATE | Regular monitoring and re-evaluation of potential risk and any factors that may increase consequence or likelihood of occurrence. Allocate accountability for responding to the risk to the individual responsible for overseeing risk treatment/s as resources / circumstances permit.

10-14 | HIGH | Develop risk response strategies as part of risk management and operational processes. Ongoing monitoring of risk and progress of risk response or treatment plans. Allocate accountability for responding to the risk to the individual responsible for overseeing risk treatment/s.

15-25 | SEVERE/EXTREME | Immediate escalation of risk to senior management / Executive for prioritised response and treatment plan development. Incorporate management of risk into established strategic governance and operational processes. Allocate accountability for responding to the risk to the individual responsible for overseeing risk treatment/s.


iv) Document your risk analysis process

Documentation of the risk analysis process provides a record of how risks were analysed in previous periods, thereby informing future risk analysis exercises. A key outcome of documenting the risk analysis process is enabling accurate tracking of risks over time using historical reference data. Documentation should include:
- key assumptions and limitations
- sources of information used
- explanation of the analysis method, and the definitions of the terms used to specify the likelihood and consequences of each risk
- existing controls and their effectiveness
- description and severity of consequences
- the likelihood of these specific occurrences
- resulting level of risk.

Detailed documentation may not be required for very low risks; however, a record should be kept of the rationale for the initial screening of very low risks.

Toolkit reference:
- Appendix E: Risk rating criteria (likelihood and consequence) - template
- Appendix D: Risk management procedure - template

4.2.4.4 Communication and consultation and monitoring and review activities

Analyse risks: Monitoring and Review
- Monitor the implementation of each step of the risk analysis process to test for currency and appropriateness for the organisational context.
- Monitor the effectiveness and relevance of controls. Is the assessment of control effectiveness being done in a consistent way?
- Monitor the approach used to determine likelihood and consequence for each risk. Is the approach still relevant / effective?

Analyse risks: Communication and Consultation
- Identify the key stakeholders who need to be informed of the results of the risk analysis process. Communicate the results.
- Ensure those with risk ownership / reporting responsibilities are informed of the results of the risk analysis.
- Communicate any necessary / proposed changes in the risk analysis approach.
- Consultation may include: meetings / focus groups; strategic planning; internal memorandum.


4.2.5 Evaluate risks

[Figure: risk management process overview (Communicate and Consult; Establish Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat Risks; Monitor and Review).]

4.2.5.1 What is it?

Risk evaluation involves comparing a risk's overall exposure against the organisation's risk tolerance. This allows the determination of whether further controls are required to bring the risk within a level acceptable to the organisation. The output of the risk evaluation phase is a prioritised list of risks.

4.2.5.2 Why do it?

Consistent with the Risk Management Standard, the purpose of risk evaluation is to make decisions, based on the outcomes of risk analysis, about which risks need treatment and to prioritise treatments. The output of a risk evaluation generally consists of a prioritised list of risks that require further action.

4.2.5.3 How to evaluate risks

The following key steps are involved in evaluating risks:
i) rank the risks based on the outcome of the risk analysis process
ii) consider the overall risk profile
iii) develop a list of priority risks.

i) Rank the risks

Risks can be ranked either qualitatively or quantitatively. Applying qualitative analysis, you can rank the risks using a heat map. The heat map is a colour-coded matrix with each colour indicating the level of risk. This heat map represents the tolerance level of your organisation. It would have been developed in the earlier Establish Context phase, as it is a part of the organisation's risk management context.


Based on the control effectiveness rating, likelihood of the risk occurring and potential consequences identified in the earlier phase, plot the risks against the matrix. The completed matrix is your risk profile. Applying semi-quantitative analysis, the organisation can also rank the risks based on their numerical value. The numerical value is a combination of the values assigned by the organisation to control effectiveness, likelihood and consequence. The most common approach to visually recording risk is using a 5 by 5 heat map as illustrated below. A risk heat map is sometimes referred to as a risk matrix.
Risk Ranking: Heat Map Example

[Figure: 5 by 5 risk profile heat map. Vertical axis Likelihood (5 Almost Certain, 4 Likely, 3 Moderate, 2 Unlikely, 1 Rare); horizontal axis Consequence (1 Low, 2 Minor, 3 Moderate, 4 High, 5 Extreme). Cells are shaded as High Risk, Significant Risk, Moderate Risk or Low Risk, and 21 numbered risks are plotted on the matrix; individual positions are not reproduced here.]

Some organisations use the following matrices to create a heat map:
- 3 by 3
- 4 by 4
- 4 by 3
- 4 by 5

The matrix you select will reflect your organisation's risk rating scales. For example, if your risk consequence and likelihood used 3-point scales, such as those shown below, a 3 by 3 heat map would be appropriate:


SCORE | LIKELIHOOD | CONSEQUENCE
1 | Unlikely | Low
2 | Possible | Moderate
3 | Likely | Severe

Example Risk Profile for HRH

RISK NO. | RISK DESCRIPTION
1 | Failure to maintain ACHS accreditation
2 | Patient harm suffered as a result of slips, trips and falls
3 | Inability to attract suitably qualified nursing staff
4 | Declining demand for maternity services as a result of aging population in the area
5 | Severe damage to HHS facilities as a result of a natural disaster (flood, fire etc.)
6 | Billing errors as a result of staff mistakes, resulting in inaccurate patient bills or revenue not being collected
7 | Unauthorised disclosure of patient confidentiality resulting in potential legal liabilities
8 | Damage to medical equipment as a result of improper use
9 | Inability to meet increasing demand for aged care services
10 | Incorrect diagnosis or medication errors resulting in patient harm

[Figure: HRH risk profile heat map. Vertical axis LIKELIHOOD (Almost Certain, Likely, Possible, Unlikely, Rare); horizontal axis CONSEQUENCE (Insignificant, Minor, Moderate, Major, Catastrophic). Risks 1 to 10 are plotted on the matrix; individual positions are not reproduced here.]
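The semi-quantitative rating (likelihood x consequence out of 25), the severity bands with their likely responses, the quantitative exposure calculation and the 5 by 5 heat map described in this chapter can be put together as a small risk register tool. The following Python is an added illustration for this guide; it is not VMIA's own tool nor part of the HRH example. It assumes the 5-point likelihood and consequence descriptors and the 1-4 / 5-9 / 10-14 / 15-25 severity bands shown above; the likelihood and consequence ratings attached to the sample risks are constructed for the example (the descriptions follow the HRH list, the ratings do not).

```python
"""Semi-quantitative risk scoring, severity banding and heat-map ranking.

Added illustration for this guide, not VMIA's own tool. Assumes the guide's
5-point scales and its sample severity bands; sample ratings are constructed.
"""
from dataclasses import dataclass

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Severity bands from the sample rating scale: (low, high, label, likely response)
SEVERITY_BANDS = [
    (1, 4, "Low", "No immediate response required; infrequent re-evaluation."),
    (5, 9, "Moderate", "Regular monitoring and re-evaluation; allocate accountability as resources permit."),
    (10, 14, "High", "Develop response strategies; ongoing monitoring; allocate accountability."),
    (15, 25, "Severe/Extreme", "Immediate escalation to senior management for a treatment plan."),
]


@dataclass
class Risk:
    risk_id: int
    description: str
    likelihood: int   # 1-5 on the LIKELIHOOD scale
    consequence: int  # 1-5 on the CONSEQUENCE scale

    def score(self) -> int:
        """Overall risk rating = likelihood x consequence (out of 25)."""
        if self.likelihood not in LIKELIHOOD or self.consequence not in CONSEQUENCE:
            raise ValueError("likelihood and consequence must be on the 1-5 scale")
        return self.likelihood * self.consequence


def severity(score: int) -> tuple[str, str]:
    """Map a 1-25 score to its qualitative rating and likely response."""
    for low, high, label, response in SEVERITY_BANDS:
        if low <= score <= high:
            return label, response
    raise ValueError(f"score {score} is outside 1-25")


def expected_exposure(probability: float, cost: float) -> float:
    """Quantitative form: exposure = probability of the event x dollar consequence."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * cost


def rank(risks):
    """Priority list: highest score first; ties broken by consequence, so a
    rare catastrophic risk outranks a frequent trivial one with the same score."""
    return sorted(risks, key=lambda r: (r.score(), r.consequence), reverse=True)


def heat_map(risks):
    """5x5 matrix as a dict keyed (likelihood, consequence) -> list of risk ids."""
    cells = {(l, c): [] for l in LIKELIHOOD for c in CONSEQUENCE}
    for r in risks:
        cells[(r.likelihood, r.consequence)].append(r.risk_id)
    return cells


def render_heat_map(risks) -> str:
    """Text rendering with Almost Certain at the top and Catastrophic on the right."""
    cells = heat_map(risks)
    lines = []
    for l in sorted(LIKELIHOOD, reverse=True):
        row = [",".join(str(i) for i in cells[(l, c)]).ljust(7) for c in sorted(CONSEQUENCE)]
        lines.append(f"{LIKELIHOOD[l]:>15} | " + " | ".join(row))
    lines.append(" " * 15 + " | " + " | ".join(CONSEQUENCE[c][:7].ljust(7) for c in sorted(CONSEQUENCE)))
    return "\n".join(lines)


# Constructed sample register: descriptions follow the HRH example, ratings are illustrative.
SAMPLE_RISKS = [
    Risk(1, "Failure to maintain ACHS accreditation", 2, 4),
    Risk(2, "Patient harm from slips, trips and falls", 4, 3),
    Risk(3, "Inability to attract suitably qualified nursing staff", 4, 4),
    Risk(5, "Severe damage to facilities from a natural disaster", 1, 5),
    Risk(7, "Unauthorised disclosure of patient information", 3, 4),
    Risk(10, "Incorrect diagnosis or medication errors", 2, 5),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_RISKS):
        label, response = severity(r.score())
        print(f"#{r.risk_id:<3}{r.score():>3} {label:<15} {response}")
    print(render_heat_map(SAMPLE_RISKS))
    print("Expected exposure (50% x $120,000):", expected_exposure(0.5, 120_000))
```

The tie-break in rank() is the point worth noting: a plain product treats a 1 x 5 and a 5 x 1 risk identically, which is exactly the "sanity check" the next step asks for, so the example orders equal scores by consequence before a reviewer looks at them.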


ii) Consider the overall risk profile

Once the initial risk profile has been developed, the organisation may need to consider how each risk ranks in relation to the other risks. This step allows the organisation to conduct a sanity check of the risks that have been placed on the heat map, to ensure that risks are rated correctly when compared to each other (e.g. "Risk manager may be off sick with flu" is not rated the same as "Project objectives may not be met"). Possible outcomes of this step include:
- The organisation may reassess the rating of some of the risks if it is felt that the overall spread of the risks relative to each other is not a true reflection of reality.
- The organisation may recognise that some risks are similar to other risks, or are contributing factors to other risks. Hence they may be incorporated into the risk description of other risks within the risk register.
- The organisation may consider the interdependencies between the risks and consider the consequence for the organisation if more than one risk occurred at the same time. This may result in changes to the overall risk ratings.

iii) Develop priority list of risks

The primary objective of evaluation is to prioritise risks. This helps to inform the allocation of resources to manage risks, both non-financial and financial. The priority list can be categorised by a number of different criteria, dependent on what is most relevant for the organisation, e.g. risk rating, functional area or type of impact (i.e. strategic or operational). This will further refine the focus for risk treatment.

4.2.5.4 Communication and consultation and monitoring and review activities

Evaluate risks: Monitoring and Review
- Monitor consistent application.

Evaluate risks: Communication and Consultation
- Identify the stakeholders who need to be informed of the risk treatment process.
- Communicate the outcomes of the risk evaluation process (e.g. the prioritisation of risks).
- Methods of communication may include: minutes from relevant risk evaluation meetings / focus groups; focus groups involving risk owners and those with risk reporting responsibility.
- Consultation may include:


4.2.6 Treat risks

[Figure: risk management process overview (Communicate and Consult; Establish Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat Risks; Monitor and Review).]

4.2.6.1 What is risk treatment?

Risk treatment involves identifying the range of options for treating risks, assessing these options, and the preparation and implementation of treatment plans. Risk treatment may involve a cyclical process of assessing a risk treatment, deciding that current risk levels are not tolerable, generating new risk treatment/s, and assessing the effect of that treatment until a level of risk is reached which the organisation can tolerate based on the agreed risk criteria.

4.2.6.2 Why treat risks?

A key outcome of the risk evaluation process is a list of those risks requiring further treatment, as determined by the overall level of the risk against the organisation's risk tolerance levels. However, not all risks will require treatment, as some may be accepted by the organisation and only require occasional monitoring throughout the period. The risks that fall outside of the organisation's risk tolerance levels are those which pose a significant potential impact on the ability of the organisation to achieve set objectives. The purpose of treating risks is to minimise or eliminate the potential impact the risk may pose to the achievement of set objectives.

4.2.6.3 How to treat risks

Treating risks involves the following key steps, each of which is covered in detail in this section:
- identify risk treatment options
- select risk treatment options
- assign risk ownership
- prepare risk treatment plans.

i) Identify risk treatment options

Risk treatment design should be based on a comprehensive understanding of how risks arise. This includes understanding not only the immediate causes of an event but also the underlying factors that influence whether the proposed treatment will be effective. Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances.

Risk Treatment Options
- Avoid the risk: change business processes or objectives so as to avoid the risk
- Change the likelihood: undertake actions aimed at reducing the probability of the risk occurring
- Change the consequence: undertake actions aimed at reducing the impact of the risk
- Share / transfer the risk: transfer ownership and liability to a third party (e.g. insurance)
- Retain the risk: accept the impact of the risk

ii) Select options for treatment

The Standard recommends that consideration be given to the cost of the treatment as compared to the likely risk reduction that will result. For example, if the only available treatment option would cost in excess of $10M to implement and the cost impact of the risk is only $5M, it may not be advisable.


In order to understand the costs and benefits associated with each risk treatment option, it is necessary to conduct a cost-benefit analysis.

Basic cost benefit analysis:
- Define, or break down, the risk into its elements by drawing up a flowchart or list of inputs, outputs, activities and events.
- Calculate, research or estimate the cost and benefit associated with each element (include, if possible, direct, indirect, financial and social costs and benefits).
- Compare the sum of the costs with the sum of the benefits.

Cost Benefit Analysis Example:

An HR manager has a risk of "Ineffective records management leads to loss of employee data". As a treatment strategy she is deciding whether to implement a new personnel management and payroll system. The HR department has only a few computers and its staff are not highly computer literate. She is aware that computerised information will allow more accurate analysis of data and give a higher quality of reliability and service to internal customers. Her financial cost/benefit analysis is shown below:

Costs:
New computer equipment:
- 10 PCs with supporting software @ $2,450 each
- 1 server @ $3,500
- 3 printers @ $1,200 each
- Cabling & installation @ $4,600
- Payroll software @ $15,000
Training costs:
- Computer introduction: 8 people @ $400 each
- Keyboard skills: 8 people @ $400 each
- Payroll system: 4 people @ $700 each
Other costs:
- Lost time: 40 man days @ $200 / day
Total cost: $68,400

Benefits:
- Doubling of payroll capacity: estimate $40,000 / year
- Improved efficiency and reliability of client service: estimate $50,000 / year
- Improved accuracy of customer information: estimate $10,000 / year
- Reduction of payroll and processing effort: $30,000 / year


iii) Assign risk ownership

The CEO and/or the Executive Management Committee typically allocate responsibility for a risk to an operational or functional area line manager.

Assigning Risk Ownership: Example

Risk Type: Risk Owner
- Strategic: Chief Executive Officer
- Human Resources: Human Resources Manager
- Finance/Budgeting: Finance Manager / Chief Financial Officer
- Health and Safety: Facilities Manager or Human Resources Manager
- Business Continuity: Risk Officer or Facilities Manager
- Reputational: Chief Executive Officer / Communications Manager
- IT and Systems: IT Manager

Risk owners nominated by executive management should assume responsibility for developing effective risk treatment plans. The risk owner should be a senior staff member or manager with sufficient technical knowledge about the risk and/or risk area for which a treatment is required. The risk owner will often delegate responsibility (but not accountability) to his/her direct reports or consultants for detailed plan development and implementation.

iv) Prepare treatment plans

Once treatment options for individual risks have been selected, all treatment options should be consolidated into risk action plans and/or strategies. As one risk treatment may impact on multiple risks, treatment actions for different risks need to be combined and compared so as to identify and resolve conflicts between plans and to reduce duplication of effort. Treatment plans should:
- identify responsibilities, schedules, the expected outcome of treatments, budgets, performance measures and the review process to be set in place
- include mechanisms for assessing and monitoring treatment effectiveness, within the context of individual responsibilities and organisational objectives, and processes for monitoring treatment plan progress against critical implementation milestones; this information should all arise from the treatment design process
- document how, practically, the chosen options will be implemented.

The successful implementation of the risk treatment plan requires an effective management system that specifies the methods chosen, assigns responsibilities and individual accountabilities for actions, and monitors them against specified criteria. Communication is a very important part of treatment plan implementation.

4.2.6.4 Communication and consultation and monitoring and review activities

Treat risks: Monitoring and Review
- Monitor / test the effectiveness of risk treatment plans: does the risk require further treatment (Y/N)?
- Monitor the utilisation of resources for the treatment of risks. Is the need for resources greater for treating other risks?
- Continually monitor changes in risk levels (reflected in changes to risk ratings) over time.

Treat risks: Communication and Consultation
- Identify the stakeholders who need to be informed of the risk treatment process.
- Communicate the risk treatment plan to relevant stakeholders. This should specify who is responsible for risk treatments, the timeframe for completion and the resources available.
- Communicate changes to risk ratings (risk levels) over time to inform further risk treatment decisions and identify successes in managing risk.
- Communicate any urgent changes required to further reduce risk levels.
- Consultation may include: focus group discussions; Internal Audit findings.

Toolkit Reference: Appendix J: Risk assessment - template


4.2.7 Monitor and review

[Figure: risk management process diagram (Communicate and Consult; Establish Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat Risks; Monitor and Review); current step: Monitor and Review]

4.2.7.1 What is monitoring and review?

Monitoring and reviewing risk management involves:
- analysing and learning lessons from events, changes and trends
- detecting changes in the external and internal context, including changes to the risk itself, which may require revision of risk treatments and priorities
- ensuring that the risk control and treatment measures are effective in both design and operation.

Monitoring and review is an essential and integral part of managing risk, and is one of the most important steps of the risk management process. It is necessary to monitor risks, the effectiveness and appropriateness of the strategies and management systems set up to implement risk treatments, and the risk management plan and system as a whole.

4.2.7.2 Why do it?

Regular monitoring throughout the risk management process is necessary to:
- ensure currency of risk information: the environment in which the organisation is operating is constantly changing, and so therefore are its risks. If risk information is inaccurate, it may cause the organisation to make poor decisions it could otherwise have avoided
- ensure effectiveness and adequacy of risk management processes
- continuously evolve to desired levels of risk management maturity
- continuously improve, adopting better practices and developments in risk management.

4.2.7.3 How to monitor and review

The key steps to Monitor and Review are:


i) understand the different types and levels of monitoring and review
ii) establish your monitoring and review cycle
iii) measure risk management performance.

i) Understand different levels and types of monitoring and review

Different types of monitoring and review will be dependent on the type of decisions made around risks and risk management. This also implies varying levels of frequency and aggregation of risk information depending on the purpose of the review:
- At the task level, routine measurement or checking of particular parameters (for example pollution levels, or cash flows) is often required through continuous (or at least frequent) monitoring.
- At the functional or operational level, line management reviews risks and their treatments on a regular basis. Risks are reviewed within a predefined scope and prioritised according to agreed criteria.
- At an organisational level, a risk function, manager or committee reviews enterprise-level risks. At this level of monitoring, relevance and alignment to organisational strategies are reviewed. The risk management framework is also reviewed at this level.

Monitoring and review of risk management framework

The context of risk management needs to be reviewed at enterprise level. This may include ensuring the currency of the organisation's risk criteria, risk tolerance and risk categories. The maturity of the risk management framework in terms of design and implementation could be monitored through tools such as surveys and benchmarking, comparing against the latest risk management better practices. Maturity of risk management can be monitored by comparing the current level of maturity and the desired level of maturity at regular intervals (i.e. annually).

ii) Establish your monitoring and review cycle

The monitoring and review cycle will vary depending on the context of risk management and an organisation's risk management strategy. Typically:
- On an annual basis, the entire risk profile will be reviewed by the Risk & Compliance Committee (or equivalent); however, this may be more frequent if major business changes are occurring.
- Every three years the risk management framework and associated documentation will be reviewed, either as part of the internal audit process or by an independent third party.


4.2.7.4 Measuring risk management performance

Performance Indicators (PIs) are quantitative measures of the level of performance of a given item or activity. They need to be measurable and appropriate to individual business units and hold individuals accountable while forming the basis for continuing improvement. Organisations should use their normal organisational planning processes to generate performance measures for the risk management system and processes. The performance indicators should reflect the range of key organisational objectives defined when the context was established at the start of the process.

Performance indicators may monitor outcomes (for example, specific losses or gains) or processes (for example, consistent performance of risk treatment procedures). Normally a blend of indicators is used; however, outcome performance indicators usually significantly lag the changes that give rise to them, so in a dynamic environment operational process indicators are likely to be more useful.

In choosing performance indicators, it is important to check that:
- they are reasonably able to be measured
- they are efficient in terms of demands on time, effort and resources
- the measuring process/surveillance encourages or facilitates desirable behaviours and does not motivate undesirable behaviours (such as fabrication of data)
- those involved understand the process and expected benefits and have the opportunity to input to the procedure
- the results are captured and reported in a form that will facilitate learning and improvement.

Performance indicators should reflect the relative importance of risk management actions, with the greatest effort and focus applied to:
- the highest risks
- the most critical treatments or other processes
- treatments or processes with the greatest potential for improvements in efficiency.

Risk management performance indicators may be included in risk management reports to senior management and the Board. Risk management monitoring and review should also include an attestation process. Attestation is a formal reporting and sign-off in the Annual Report on the organisation's risk management implementation. The attestation process is described in further detail in section 5.2.


4.3 Risk and risk management reporting

[Figure: framework overview diagram (Developing, Implementing, and Monitoring and Enhancing a Risk Management Framework); current section: Risk and Risk Management Reporting]

Risk reporting is the regular provision of appropriate risk-related information to stakeholders and decision-makers within an organisation in order to support understanding of risk management issues and to assist stakeholders in performing their duties within the organisation.

4.3.1 The need for risk reporting


Successful risk management requires frequent and open communication with a broad group of internal and external stakeholders. This makes risk reporting and the definition of a risk communications and reporting plan a key component of an organisational risk management (or ERM) programme. Effective risk reporting also contributes to good corporate governance by providing reliable and current information to Boards, senior managers and other stakeholders regarding the risks faced by the organisation as well as the treatment plans in place to manage these risks. The Board of a public entity is also required to inform the Minister and department head of known major risks. The availability of this information can be used to support management decision-making during strategic planning and operational management processes.

4.3.2 Foundations of good reporting


The following principles should be remembered when developing a risk reporting solution:
- The quality of risk reporting is dependent on a fully functioning risk management system. Incomplete or unreliable risk identification, assessment, prioritisation and treatment outputs will reflect in poor reporting outputs.
- There is no single risk report that meets the needs of all stakeholders. Reports should be developed and customised to reflect the needs and preferences of the target audience and its purpose.
- Seek input from stakeholders before implementing a risk reporting solution, as this should be part of existing reports and reporting frameworks.
- Although all organisations need to report on risk to various stakeholder groups, organisations with more mature and sophisticated risk management frameworks will typically produce a number of customised risk reports to meet the needs of different stakeholder groups throughout the year.
- Avoid providing too much or too little information in risk reports. Senior Management and the Board will typically prefer a summary of risks and risk trends, focusing on high risk and strategic issues across the organisation, while those involved in managing specific risks will require detailed information covering their areas of responsibility.

4.3.3 The audience for risk reporting


Risk reports should be delivered to a broad spectrum of organisational stakeholders. Typical recipients of regular formal risk reports should include:
- CEO and Board of Directors
- Business unit heads of all major business functions
- Compliance committees (notably Internal Audit and Risk Management)
- Staff directly responsible for designing and implementing risk management treatments
- Employees who need to assist in the identification of risk and the implementation of risk plans
- Government ministries and agencies
- The public (through access to Annual Reports and press releases).

A single person, typically the risk manager, should be responsible for co-ordinating and drafting risk reports to ensure consistency in standards and format. Risk reporting can be automated using risk management software such as the VMIA's Risk Register, Cura, Riskman etc. However, it is still important to ensure that reporting formats meet stakeholder requirements. The risk process should ensure that risks are linked to strategic objectives. This helps to report on risk within a strategic organisational context.

4.3.4 Frequency of risk reporting


At a minimum, an organisation should update and report on its risk profile on an annual basis. While an annual reporting and update cycle may meet statutory requirements, effective risk management typically requires more frequent reporting on risk. The frequency of risk reporting should reflect the cycle of the organisation's regular internal reporting. Where the Executive receives monthly or quarterly progress reports on Financial, Operational, Health and Safety or IT matters, they may wish to receive similar risk reports. Typical reporting frequency for various risk report types is outlined in the following table:

| STRATEGIC/ OPERATIONAL | TYPE OF REPORT | RECIPIENT/S | SUGGESTED FREQUENCY |
| STRATEGIC | Risk Management Statement in Annual Report | External Parties; Public | Annually |
| STRATEGIC | Risk Report to Audit/ Compliance Committee/s | Audit Committee; Internal Audit; Executive Management | Based on required Audit Committee frequency |
| STRATEGIC | Board Risk Reports | Board of Directors; CEO; Compliance Committees | Quarterly or bi-annually |
| STRATEGIC | Risk Committee Reports | Risk Committee; CEO; Internal Audit | Monthly or Quarterly |
| OPERATIONAL | Operational Risk Reports (including Clinical Risk) | Functional Area Manager/s; Project Managers; Staff responsible for implementing risk solutions | Based on organisational type: Monthly or Quarterly |
| OPERATIONAL | Risk Events/Adverse Events Summary | Risk Manager; Line Management | Monthly or Quarterly; all adverse events recorded immediately following event |
| OPERATIONAL | Staff Communications (on risk initiatives; following adverse event/s) | Employees; Key Suppliers | Ad hoc basis, as required |


4.3.5 Types and content of risk reports


The information within risk reports is drawn from the risk register of the organisation. By filtering the information within the risk register, it is possible to draft a number of reports tailored to suit the needs of the various recipients. The following table illustrates the different types of reporting:

REPORT TYPE / COMMENT

STRATEGIC

Annual Report Attestation
Boards/CEOs and Secretaries that are accountable for the risks of their organisations are required to attest in the annual report that:
- organisations have risk management processes in place consistent with the [4360] Standard
- these processes are effective in controlling risks to a satisfactory level
- a responsible body or audit committee verifies that view.
This attestation is often accompanied by information for external stakeholders about key risks within the organisation and approaches to addressing these risks.

Top Risks/ Strategic Risks
These reports contain a prioritised list of the top 10 to 20 risks based on consequence and likelihood scores. Typically they include details about the risk, information on key controls and their effectiveness, and additional treatments needed with timeframes.

Risk Trends
When risks are regularly reassessed, it is possible to:
- define target risk levels for key risks
- identify which risks are getting worse or where treatments are reducing risk exposures
- identify risk areas that need additional attention
- demonstrate the success of treatment plans.

New and/or Emerging Risks
By sorting risks according to when they were identified, it is possible to easily report on new risks that may still need to be fully considered and understood. From an emerging risks perspective, types or categories of risks that may begin to emerge over the next 2-3 years or longer should be identified and captured. Details at this stage may only include information regarding what research is being undertaken into the risk, and who is responsible.

Risks with Ineffective Controls
By identifying significant/ extreme risks with ineffective controls, the Board and Executive are able to identify potential points of business failure that need urgent interventions or resource support.

Risk Categories/ Risk Types
In order to identify the main areas of exposure, it is helpful for Boards to understand where the majority of risk exposures originate. For example, what proportion of risks are Financial, Operational, Strategic, or Compliance related. This information is typically incorporated into the report types listed above. The detail behind these summary reports can also be provided to functional area management and specialists responsible for managing specific types of risk.

OPERATIONAL

Unallocated Risks
By grouping all risks that have not been allocated to a responsible person for follow-up and response, management can identify key risks that are not being effectively monitored and managed.

Risk Owner/Person Responsible
By filtering the report by the risk owner, it allows those responsible to view risk treatments that they need to oversee or develop.

Risk Treatments Due or Overdue
By sorting risks according to due dates for treatment plans/ responses, Risk Managers, Project Managers and others can identify critical timeframes for responding to key risks as well as identify and manage potential delays and/or non-performance in responding to risk.


It should be noted that for all the risk report types outlined above, organisations may choose to report predominantly on an exception basis. This means to either:
- only report on the changes from the last report, rather than producing risk reports that contain data that is largely unchanged from the last reporting cycle
- only report on risks at the Executive/ Senior Manager level that fulfil predefined characteristics (e.g. significant risks with poor control effectiveness).

This approach prevents the situation where the same risk may justifiably appear on the report time after time as it is rated high, but no further action can be taken to mitigate the risk at that time (i.e. the risk has been accepted as high). In this instance, report recipients may fail to pay attention to the risk report as they become used to seeing the same risk information and therefore begin to regard the risk reporting process as non-value adding. It is important however that there is complete oversight of all risks on at least an annual basis to ensure that there have been no changes to the overall risk profile, and that the executives/senior managers are fulfilling their oversight duties.
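As an added illustration (not VMIA code, and not the VMIA Risk Register), the filters behind the report types listed above and the change-only exception report, run over a constructed four-row register in Python; the field names, scores, owners and dates are assumptions.

```python
from datetime import date

# Constructed sample register (not real data). Field names are assumptions
# covering the attributes the guide lists: likelihood, consequence, control
# effectiveness, risk owner, treatment due date and date identified.
RISK_REGISTER = [
    {"id": "R-01", "title": "Major project cost overrun", "category": "Financial",
     "likelihood": 4, "consequence": 5, "control_effectiveness": "Ineffective",
     "owner": "CFO", "treatment_due": date(2010, 2, 28), "identified": date(2009, 7, 1)},
    {"id": "R-02", "title": "Loss of patient records", "category": "Operational",
     "likelihood": 2, "consequence": 5, "control_effectiveness": "Effective",
     "owner": "CIO", "treatment_due": date(2010, 6, 30), "identified": date(2009, 1, 15)},
    {"id": "R-03", "title": "Key supplier failure", "category": "Strategic",
     "likelihood": 3, "consequence": 3, "control_effectiveness": "Partially effective",
     "owner": None, "treatment_due": None, "identified": date(2010, 2, 20)},
    {"id": "R-04", "title": "Breach of privacy legislation", "category": "Compliance",
     "likelihood": 3, "consequence": 4, "control_effectiveness": "Ineffective",
     "owner": "General Counsel", "treatment_due": date(2010, 1, 31),
     "identified": date(2008, 11, 3)},
]

# Constructed snapshot of the previous reporting cycle: R-00 has since been closed,
# R-01's controls were then rated "Partially effective", and R-03 did not yet exist.
PREVIOUS_CYCLE = [
    {"id": "R-00", "title": "Legacy system outage", "category": "Operational",
     "likelihood": 2, "consequence": 3, "control_effectiveness": "Effective",
     "owner": "CIO", "treatment_due": None, "identified": date(2008, 5, 5)},
    dict(RISK_REGISTER[0], control_effectiveness="Partially effective"),
    RISK_REGISTER[1],
    RISK_REGISTER[3],
]


def risk_score(risk):
    """Likelihood x consequence: the basis for ranking the top risks."""
    return risk["likelihood"] * risk["consequence"]


def top_risks(register, n=10):
    """Strategic 'Top Risks' report: highest-scoring risks first."""
    return sorted(register, key=risk_score, reverse=True)[:n]


def new_risks(register, since):
    """'New and/or Emerging Risks': identified on or after `since`."""
    return [r for r in register if r["identified"] >= since]


def ineffective_controls(register, min_score=12):
    """'Risks with Ineffective Controls': significant risks whose controls are ineffective."""
    return [r for r in register
            if risk_score(r) >= min_score and r["control_effectiveness"] == "Ineffective"]


def category_mix(register):
    """'Risk Categories': how many risks fall in each category."""
    counts = {}
    for r in register:
        counts[r["category"]] = counts.get(r["category"], 0) + 1
    return counts


def unallocated(register):
    """Operational 'Unallocated Risks': no responsible person recorded."""
    return [r for r in register if not r["owner"]]


def by_owner(register, owner):
    """'Risk Owner/Person Responsible' view for one owner."""
    return [r for r in register if r["owner"] == owner]


def treatments_overdue(register, as_of):
    """'Risk Treatments Due or Overdue': treatment due date has passed."""
    return [r for r in register if r["treatment_due"] and r["treatment_due"] < as_of]


def exception_report(current, previous):
    """Change-only report: risks that are new, changed in a watched field, or closed."""
    prev = {r["id"]: r for r in previous}
    watched = ("likelihood", "consequence", "control_effectiveness", "owner", "treatment_due")
    changes = []
    for r in current:
        old = prev.get(r["id"])
        if old is None:
            changes.append((r["id"], "new"))
        else:
            diff = [f for f in watched if old[f] != r[f]]
            if diff:
                changes.append((r["id"], "changed: " + ", ".join(diff)))
    current_ids = {r["id"] for r in current}
    changes += [(i, "closed") for i in prev if i not in current_ids]
    return changes


if __name__ == "__main__":
    for rid, what in exception_report(RISK_REGISTER, PREVIOUS_CYCLE):
        print(rid, what)
```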

Client Comment:
As the Metropolitan Fire and Emergency Services Board's (MFESB) risk framework and processes developed, the volume of risk data available significantly increased. The MFESB decided to review industry benchmarks to determine typical board reporting models and standards. This resulted in a model that differentiates between long-term, short-term and emerging risks. Long-term risks are reported by exception (that is, only when key control effectiveness falls to a pre-determined level). The effect is to prevent Board reports being continually populated by the same slow changing long-term risks. These are now reported on a six monthly basis irrespective of control effectiveness.
MFESB Risk Reporting Project, co-funded by VMIA

4.3.6 Format of risk reports


The way that risk information is presented can make a huge difference in the value it adds. It is often useful to graphically represent risk information in order to make the information easily understood, and to show a large volume of information in a compact manner.


The following section provides examples of three types of risk reports:
i) Strategic risk reports
ii) Operational risk reports
iii) Key risk indicator reports.

i) Strategic risk report formats

Heat maps are commonly used to report on the top risks faced by the organisation, and are well received by most boards. They are useful as they graphically illustrate the relative severity of risks in relation to each other.

[Figure: Sample Risk Reporting: Heatmap (Risk Profile)]

The green areas represent the least severe risks, and as the risk moves upward and right towards the red shaded area, the level of risk exposure increases. Heat maps are less useful (difficult to read) when there is a need to illustrate a large number of risks, or where risk scores are very similar for all risks.


The ability to effectively link an organisation's key risks to its strategic objectives or business goals is an indicator of a maturing risk management framework. An example is illustrated in the value chain report below. Value chain reports are useful to board and executive management as they show the link between organisational strategy and risk. It is also a useful technique for identifying risks, i.e. what are the risks to the achievement of the objectives?

[Figure: Risk Reporting: Value Chain]


Linking strategy and risk

The MES Executive Team identified the following as significant risks to its ability to meet organisational objectives. The management of these risks is regularly reported to the Vice Chancellor (CEO equivalent) and risk committee. The risk committee will present this to the MES Council upon request.

ii) Operational risk report format

Table formats, of which there are many variations, are useful for reporting on a large number of risks or when a greater amount of detail about each risk is required. This approach is best suited to operational risk reporting where, for example, the risk owner or risk manager will want to review more detailed risk and control information such as:
- control effectiveness levels
- rating scores
- treatment plans
- treatment due dates.


These reports are used by risk committees, programme managers and risk owners to monitor and manage the update, implementation and review of risk management activities/ plans. This level of detail can be provided as supporting information to summary executive reports, or provided where the board or executive wish to review a specific risk or cluster of risks. A key advantage of table or spreadsheet reports is that they can easily be filtered or sorted to meet the reporting requirements of a specific target audience. It is also easy to add to or modify content following risk update processes.

[Figure: Risk Reporting: Operational Risk Report Sample Format 1]

[Figure: Risk Reporting: Operational Risk Report Sample Format 2]


iii) Key Risk Indicators (KRIs)

Key risk indicators, which are used to measure risk levels, should be developed once an organisation is satisfied that the basic elements of its risk management framework are well established and operating effectively.

Client Comment:
I had never made the connection between the organisation's risk management processes, which I am not an expert in, and the monthly business performance indicators we receive in preparation for our monthly meetings. After attending a risk management training session for the Board, I realise that we can use existing trend reports covering areas such as:
- Variance to budget
- OH&S incidents
- Staff turnover and vacancies
- Medication errors
- Patient falls
to monitor changes in risk levels or to identify new risks. The hospital is planning to define acceptable levels or thresholds for each business indicator it reports on, which if exceeded, would result in a re-appraisal of related risks and escalation of the risk to our Risk and Audit Committee for further action.
Non-executive Board Member, Regional Healthcare

In addition to reports containing qualitative data, once an organisation has established an effective system of risk reporting, it may wish to consider the use of quantitative data in the form of KRIs. Indicators are a valuable tool to facilitate the monitoring of risks and controls over time against an organisation's risk appetite. Whilst risk and control data in many organisations is formally updated on a regular basis, key indicators enable an organisation to continuously and predictively monitor changes to its risk profile or control framework, and allow actions to be carried out in a more timely and effective manner.

It is important to note that use of KRIs is considered to be at the mature end of the risk management spectrum, and therefore organisations should not attempt to develop and roll out such indicators until they have established a robust risk management framework that delivers clearly defined and understood risk and control data. In addition, as risk indicators can be costly to implement and maintain, it is recommended that such indicators are only used for significant risks. For organisations that are keen to focus on more quantitative data but which do not have the necessary resources to identify and monitor the large volumes of data required for risk indicators, it is recommended that priority is given to the identification and monitoring of key control indicators instead (see definitions below), as they are easier to identify and capture, and will reflect a weakening in the control environment that is likely to result in an increased level of risk.

Key indicators allow an organisation to:
- understand how the risk profile changes in different circumstances
- appreciate how risk moves and is affected by the business environment
- focus attention on risk drivers that are most volatile
- ensure controls around the drivers are robust and effective
- gain a forward looking perspective of the current risk profile
- understand the early warning signals for emerging risks.

For example, the motor insurance industry relies heavily on risk indicators when determining appropriate policy pricing. Factors such as age of applicant, neighbourhood and number of kilometres driven each year build a profile of the applicant and therefore the risk that the insurance firm will have to pay out on a claim. If an insurance company were to attempt to write new business without utilising indicators, underwriters would be forced to use their intuition to judge how likely a new customer would be to claim in the future. Whilst some may prove to have good insight, many would misjudge the risk and consequently business performance would be significantly (negatively) affected.

There are three types of key indicators commonly used: Key Performance Indicators, Key Risk Indicators and Key Control Indicators. There is often confusion as to the difference between them. Below is a brief definition of each:

i) Key Performance Indicators (KPIs) are used to monitor the change in overall business performance (e.g. budget) in relation to specific business objectives. KPIs can measure internal or external factors and can be seen as events that may raise warnings as to potential risks.

ii) Key Risk Indicators (KRIs) are a specific measure relating to a particular risk that shows a change in the likelihood or consequence of that risk event occurring. KRIs that demonstrate increased exposure to potential risks (e.g. significant increases in business volumes combined with staff numbers) can show what level of stress or strain current control activities may be put under.

iii) Key Control Indicators (KCIs) are metrics that can demonstrate a change in a specific control's effectiveness (e.g. a control's design and its actual performance). A deterioration of KCIs reflects a weakening in the control environment and is likely to result in an increase in a risk's likelihood or consequence.


Examples of such indicators are illustrated in the following table:

Key Risk Indicator Example
Business objective: To deliver major projects on budget

Risk: Major project cost overrun
Cause: Project creep
Impact: Additional project funding required

Control:
- Project plan (prevent)
- Business case (prevent)
- Risk management (prevent)
- Gateway review (detect)
- Resource plan (prevent)

KPI:
- Project delivered 90% within budget

KRI (L: likelihood, I: impact):
- # variations to scope (L)
- # variations to required budget (I)

KCI:
- # variations to project plan
- # passed gateway reviews
- % difference between target and actual budget
- # unacceptable risks

Defining an effective system of Key Risk Indicators (KRIs) can be broken down into five phases:
i) identify and document the key risk and control indicators
ii) source and validate existing KRI data
iii) establish tolerance levels and escalation procedures
iv) analyse, report, and revise the KRIs
v) monitor KRIs.

These phases are outlined in further detail in the following table:


Phase: Identify and document the Key Risk and Control Indicators
Activities:
- Review existing risk profiles. Ensure that all major risks are captured and the causes and consequences are understood. Understanding the causes is essential for determining the risk metrics that measure changes in the likelihood of a risk occurring; understanding the consequences is essential for determining the risk metrics that measure changes in the impact of a risk.
- Determine factors that lead to changes in risk consequence or likelihood; these are the KRIs.
- Review the control environment and ensure that the controls are adequately addressing the risks. Identify the Key Control Indicators that indicate changes to control design or performance.

Phase: Source and validate existing KRI and KCI data
Activities:
- Collect, extract or produce relevant data. Ensure that the KRI and KCI data is providing information that is reliable and of good quality.
- Clarify dependencies on other parties who are responsible for producing and maintaining the data.
- Ensure data history is maintained and ownership established.
- Once the indicators have been sourced, each KRI/ KCI needs to be documented. As a minimum, the information recorded should be: description of the KRI/ KCI; owner; escalation protocols; actions; data source; tolerances/ thresholds.

Phase: Establish tolerance levels and escalation procedures
Activities:
- Consider at what level the organisation is prepared to accept a defined level of risk, and when and to whom risk data needs to be escalated.
- Escalation levels should be defined in line with risk tolerances and risk appetite. To keep the system simple, Red/ Amber/ Green ratings can be used to represent the need to escalate to middle management (Amber) and senior management (Red).

Phase: Analyse, report and revise the KRIs/ KCIs
Activities:
- Analyse changes against the defined thresholds and report on a monthly basis.
- Identify trends and tendencies.
- Escalate to the relevant level of management as defined by the organisation's risk tolerance levels.
- Assign the required actions and resolution dates to owners.
- Revise the process, indicators and data as required.

Phase: Monitor
Activities:
- KRI and KCI movements and trends should be monitored on a regular basis by linking the data to a risk reporting system, or through real-time exception-based reporting.
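An added worked example (not VMIA code) of the tolerance, escalation and monthly analysis phases above: readings for the project-overrun indicators from the earlier table are rated Red/ Amber/ Green against tolerances, the recent trend is checked, and escalation follows the middle management (Amber) / senior management (Red) rule. Thresholds, owners, past readings and this month's readings are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Indicator:
    """One KRI or KCI with its tolerances. A reading at or beyond `amber` is Amber,
    at or beyond `red` is Red; `higher_is_worse` says which direction 'beyond' means
    (a count of passed gateway reviews gets worse as it falls)."""
    name: str
    kind: str                      # "KRI" or "KCI"
    owner: str
    amber: float
    red: float
    higher_is_worse: bool = True
    history: list = field(default_factory=list)   # monthly readings, oldest first


# Escalation rule from the guide: Amber to middle management, Red to senior management.
ESCALATION = {"Green": None, "Amber": "middle management", "Red": "senior management"}

# Constructed indicators for the project-overrun example; thresholds, owners and
# past readings are assumptions, not values from the guide.
INDICATORS = [
    Indicator("# variations to scope", "KRI", "Project Manager",
              amber=3, red=5, history=[1, 2, 2]),
    Indicator("# passed gateway reviews", "KCI", "PMO Lead",
              amber=2, red=1, higher_is_worse=False, history=[3, 3]),
    Indicator("% difference between target and actual budget", "KCI", "Project Accountant",
              amber=5, red=10, history=[2, 3]),
    Indicator("# unacceptable risks", "KCI", "Risk Manager",
              amber=2, red=4, history=[1, 1]),
]

# Constructed readings for the current month.
MARCH_READINGS = {
    "# variations to scope": 4,
    "# passed gateway reviews": 1,
    "% difference between target and actual budget": 4,
    "# unacceptable risks": 1,
}


def rating(ind, reading):
    """Red/ Amber/ Green status of one reading against the indicator's tolerances."""
    beyond = (lambda v, t: v >= t) if ind.higher_is_worse else (lambda v, t: v <= t)
    if beyond(reading, ind.red):
        return "Red"
    if beyond(reading, ind.amber):
        return "Amber"
    return "Green"


def trend(ind, window=3):
    """'worsening', 'improving' or 'stable' over the last `window` readings."""
    h = ind.history[-window:]
    if len(h) < 2:
        return "insufficient data"
    sign = 1 if ind.higher_is_worse else -1          # normalise so positive = worse
    deltas = [sign * (later - earlier) for earlier, later in zip(h, h[1:])]
    if all(d >= 0 for d in deltas) and any(d > 0 for d in deltas):
        return "worsening"
    if all(d <= 0 for d in deltas) and any(d < 0 for d in deltas):
        return "improving"
    return "stable"


def assess(ind, reading):
    """Record this month's reading and decide the escalation and action for it."""
    ind.history.append(reading)
    status = rating(ind, reading)
    movement = trend(ind)
    if status == "Red":
        action = f"escalate to {ESCALATION['Red']}; assign action and resolution date to {ind.owner}"
    elif status == "Amber":
        action = f"escalate to {ESCALATION['Amber']}; {ind.owner} to review at next cycle"
    elif movement == "worsening":
        action = f"within tolerance but worsening; {ind.owner} to watch"
    else:
        action = "no action"
    return {"indicator": ind.name, "kind": ind.kind, "reading": reading, "rating": status,
            "trend": movement, "escalate_to": ESCALATION[status], "action": action}


def monthly_report(indicators, readings):
    """Assess every indicator with a reading this month; result keyed by indicator name."""
    return {ind.name: assess(ind, readings[ind.name]) for ind in indicators if ind.name in readings}


def exceptions(report):
    """Exception-based view: only indicators outside tolerance or trending the wrong way."""
    return [e for e in report.values() if e["rating"] != "Green" or e["trend"] == "worsening"]


if __name__ == "__main__":
    for entry in exceptions(monthly_report(INDICATORS, MARCH_READINGS)):
        print(f"{entry['rating']:5} {entry['kind']} {entry['indicator']}: {entry['action']}")
```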


4.3.7 The use of risk management software for reporting


The use of risk management software is useful in helping manage risk related information. However, it is not essential to use risk software to achieve a robust and effective risk management framework. Most specialised risk management and internal audit software tools, such as RiskMan, Cura, ERA and RiskAdvisor include automated risk reporting capabilities. Software tools can simplify and reduce the time required to report on risk management initiatives. While many generic reports can be drawn from such software, it is still important to ensure that the report format and content meets stakeholder requirements. In many cases, an organisation may commission consultants, software vendors or internal IT specialists to develop customised reports to meet specific reporting requirements.

4.3.8 The VMIA's Risk Register software

The VMIA has designed a simple risk recording and reporting tool, VMIA Risk Register, that is available free-of-charge to VMIA's insurance clients. The software is not designed to replace or replicate the functionality of specialised risk software packages. It has been developed to provide a simple and easy to use risk tool for the VMIA's insurance clients that may not require a comprehensive governance, risk and compliance software product. The VMIA Risk Register is designed to allow organisations to:
- Create a single risk register across the organisation
- Record pertinent risk information, including:
  - Risk descriptions, causes and impacts
  - Risk assessment outcomes (likelihood, consequence, control effectiveness etc.)
  - Categorisation of risks (risk categories)
  - Linkage of risks to specific business units
  - Linkage of risks to specific strategic objectives
  - Current control information (summary level)
  - Responsibility for risk
  - Risk treatment and response (summary level)
  - Risk response status and due dates
- Select from a range of pre-defined summary and detailed risk reports in both graphical and text formats. The software is able to generate heat map reports.

4.3.9 Conclusion

The importance of an effective risk reporting system should not be underestimated, as it ultimately supports improved decision-making ability. The failure to effectively report on risk will also undermine executive and Board support for the organisation's risk management process. Reports should be viewed as a business tool, rather than a compliance requirement. Remember that there is no right or wrong approach to risk reporting, as long as the reports produced:
- meet the needs of your stakeholders
- are available when needed by the business
- contain current, updated quality information
- are easily understandable
- contain the right level of detail
- are supported by detailed underlying risk information, where appropriate
- support action and accountability for risk management across the organisation.

Considering these requirements when designing risk reporting solutions should maximise the benefits obtained from risk management processes.

Toolkit Reference:
- Appendix L: Risk register MS Excel template
- Appendix N: Risk reporting MS Word templates
- Appendix P: Risk management information systems check-list
- VMIA Risk Register software: refer to the VMIA website or contact your VMIA representative


4.4 Developing desired risk management culture


[Figure: framework roadmap. Developing a Risk Management Framework: Overview; Risk Management Framework; Key Considerations When Designing a Framework; Documenting a Framework; Risk Management Governance; Risk Management Information Systems. Implementing a Risk Management Framework: Overview of a Risk Management Process; Risk Management Process; Risk and Risk Management Reporting; Developing Desired Risk Management Culture. Monitoring and Enhancing a Risk Management Framework: Monitoring and Reviewing a Risk Mgt Framework; Attestation Process; Continuous Improvement.]

4.4.1 What is risk management culture?


Culture is often defined as 'the way we work around here'. It is the collective way of doing things, through accepted behaviours and processes. A risk management culture specifically refers to the way risk management is applied in the way people work within an organisation. It is about the accepted ways of being and doing with regard to risk and risk management. Risk culture involves how people recognise and respond to risk and how risk is considered in making decisions.

4.4.2 Why is risk management culture important?


Culture is intrinsic to risk management. The accepted behaviours or norms around maximising potential opportunities whilst managing adverse effects determine how embedded risk management is in your organisation. Hence, having an effective risk management process or framework in place means having an appropriate culture that works for your organisation. If risk management is not working, a change in culture may be necessary. The appropriate risk management culture will vary depending on the unique context of your organisation. To determine it, a starting point is to understand the key drivers of culture.

4.4.3 Drivers of culture


There are various drivers within an organisation that shape culture. These drivers influence how well embedded risk management is throughout the organisation.


Cultural Drivers and the Risk Management Culture they shape

Mission, Vision, Values, Purpose
- Risks are managed on a day-to-day basis as part of applying the values of the organisation.
- The mission, vision and purpose promote a risk culture.

Systems and Processes
- The management systems and processes enable effective and efficient risk management.
- The process for managing risk is integrated with day-to-day processes.

Structure
- There is a risk organisational structure to enhance accountability and delegation.
- The structure enables risk-based decision making without bureaucracy, making jobs easier and delivering better outcomes.

Leadership
- Leadership skills and attributes around risk management are fostered, rewarded and implemented across the business.
- Poor behaviours or practices around risk management are not tolerated by leaders.

Job Design and Role Definition
- Jobs are designed to reflect risk management and risk policies.
- Job definitions include performance expectations around risk management.
- Accountabilities with regard to risk and risk management are clearly articulated.

Desired vs. Actual Behaviours
- There is a clearly articulated consensus around desired behaviours across the business.
- These are modelled by leaders and people are responsive to these desired behaviours.

The following client example illustrates the benefit of involving stakeholders in defining a risk management solution that reflects the needs of the organisation:

Client Comment: MFESB Risk Projects Co-funded by VMIA
During 2007-8, the VMIA was involved in co-funding two projects with the Metropolitan Fire and Emergency Services Board (MFESB) to improve its risk management processes. The process of involving managers in the testing and redesign of risk management components has led to their engagement in maintaining the profile of risk management at the MFESB, and further enhanced internal knowledge and understanding about risk.


4.4.4 Embedding desired risk management culture


Embedding your desired risk management culture is a change journey. Managing change means shifting the organisation from where it is (current state) to where it wants to be (future state). Fundamentally this involves three key steps:

1. Determine desired risk culture
2. Assess gaps in current culture, against the cultural drivers: Vision, Mission, Values and Purpose; Structure; Leadership; Job Design and Role Definition; Desired vs. Actual Behaviours; Systems and Processes
3. Implement interventions to close the gap: Culture Change Leadership; Communication & Engagement; Learning and Development; Organisational Alignment; Performance Management

4.4.4.1 Clearly define where your organisation wants to be in terms of risk management culture

Define the level of involvement in risk management that you would like the whole organisation to have. Identify and articulate the desired behaviours around risk management. This includes tolerance for risk, how people respond to risks and risk events, and the general awareness of risk and risk management. The desired culture will continue to evolve, as it depends on the level of maturity that is acceptable to your organisation within a given period of time. Tools that can help you define the desired culture are benchmarking, surveys, workshops with senior management and independent risk framework assessment. Often, the definition process is top-down, followed by consultation down the line to secure buy-in (i.e. staff briefings, roundtable discussions, forums).

4.4.4.2 Assess what your organisation's current risk culture is

The current risk culture is an outcome of collective behaviour driven by existing norms around risk management. Determining your organisation's current culture and identifying its key drivers will be useful in identifying the appropriate interventions to achieve the desired risk culture. The most commonly used tools for assessing current culture are interviews, focus-group discussions and surveys. When conducting the assessment, it will be useful to get input from a sample of participants or respondents across the different parts of the organisation, and across different levels.


4.4.4.3 Determine which cultural and behavioural interventions will help close the gap

Determining the cultural and behavioural interventions will help you close the gap between where you currently are and where you want to be in your risk culture. The assessment provides a useful starting point for prioritising and developing your options for culture change.

Toolkit Reference:
- Appendix G: Communication and consultation plan template
- Appendix H: Risk training slides

4.5 Checklist Implementing a risk management framework


The following checklist provides a number of questions relating to the implementation of your organisation's risk management framework. Considering the answers to these questions will help you check your progress in implementing a robust and flexible risk management framework. The checklist distinguishes between those elements essential to ensure an effective risk framework, and those typically associated with relatively mature or sophisticated frameworks often found in large organisations.

Toolkit reference: Appendix : Risk management checklist

Implementing a risk management framework

No. | Section | Requirement | Essential (E)/ Advanced (A) | In place (Yes/No)

1 | Communicate and consult | Is risk management or awareness training provided to all staff?
2 | Communicate and consult | Does the Risk Manager (or equivalent) have access to the CEO, Board and Audit/ Risk Committee when required?
3 | Communicate and consult | Do your staff know that they have a right and responsibility to assist in risk identification and escalation?
4 | Communicate and consult | Do staff know who to report/ escalate risks to?
5 | Communicate and consult | Do managers or supervisors know that they are responsible for managing risk in their area/s of responsibility?
6 | Communicate and consult | Have the Executive and the Board provided guidance on what information they would like to see in risk reports?
7 | Communicate and consult | Is there agreement on when and how often risk reports will be produced?
8 | Communicate and consult | Have the recipients of risk reports been identified and agreed?
9 | Communicate and consult | Can different risk reports be produced to meet the different needs of stakeholder groups?
10 | Communicate and consult | Has responsibility for managing/ treating specific risks been assigned and communicated to those responsible?
11 | Communicate and consult | Are staff encouraged or incentivised to report risk or suggest risk reduction strategies?
12 | Risk assessment | Has a risk-brainstorming workshop (or workshops) been conducted?
13 | Risk assessment | Have you considered the history of events and incidents in your organisation during the risk assessment process?
14 | Risk assessment | Has research been performed to understand common risks in the industry?
15 | Risk assessment | Have the Executive and Board considered risks relating to the achievement of key organisational goals and objectives?
16 | Risk assessment | Are risks identified during compliance reviews/ audits always added to the risk register?
17 | Risk assessment | Have existing controls been identified for risks during the risk assessment process?
18 | Risk assessment | Has the perceived effectiveness of controls been assessed by a person who understands the risk and the controls in place?
19 | Treat risks | Does the risk register record the job title of the person responsible for overseeing the risk treatment and monitoring process (the 'risk owner' or 'risk champion')?
20 | Treat risks | Have you identified possible actions/ treatment plans that could help to reduce the risk level?
21 | Treat risks | Have the benefits of a treatment approach been compared to the potential cost of the risk to determine the appropriateness of the treatment strategy?
22 | Treat risks | Have risk treatment or action plans been documented and approved for important risks?
23 | Treat risks | Have due dates/ completion dates been agreed for risk treatment actions and plans?
24 | Treat risks | Is there a clear understanding of who will oversee the risk treatment selection and execution process?
25 | Treat risks | Have Key Risk Indicators been defined and agreed for key risks/ risk areas?
26 | Treat risks | Are valuable physical assets appropriately insured?
27 | Treat risks | Is a Business Continuity Plan in place for critical organisational functions/ processes?
28 | Risk assessment | Has the risk register been updated in the last year?
29 | Risk assessment | Is the risk register updated throughout the year to reflect changes in risk and emerging risks?

Essential (E)/ Advanced (A) ratings, as they appear in the source table (they cannot be reliably matched to individual questions): E E E (page with questions 1-4); E E E A E E A A A E E (page with questions 5-21); E E A E A E (page with questions 22-29).


5 Monitoring and enhancing the risk management framework


The ongoing relevance and usefulness of a risk management framework is largely informed by the extent to which it is continually improved. It is therefore essential for all departments and agencies to monitor, review and enhance the effectiveness of their risk management framework. By ensuring that a risk management framework remains fit for purpose and is customised to meet changing organisational circumstances and new leading practices, organisations will obtain significant value from risk management.

5.1 Monitoring and reviewing a risk management framework


[Figure: framework roadmap. Developing a Risk Management Framework: Overview; Risk Management Framework; Key Considerations When Designing a Framework; Documenting a Framework; Risk Management Governance; Risk Management Information Systems. Implementing a Risk Management Framework: Overview of a Risk Management Process; Risk Management Process; Risk and Risk Management Reporting; Developing Desired Risk Management Culture. Monitoring and Enhancing a Risk Management Framework: Monitoring and Reviewing a Risk Mgt Framework; Attestation Process; Continuous Improvement.]

5.1.1 What is it?


Monitoring and reviewing a risk management framework is different from monitoring risks and their associated controls for effectiveness (as discussed in section 5.2.7). The latter is a sub-set of the former: by obtaining assurance on the effectiveness of the practices in place to manage specific risks, an organisation can be satisfied that at least part of its risk management framework is operating effectively. This review activity is then coupled with review of the additional components of the risk management framework to ensure its overall effectiveness.


5.1.2 Why do it?


Monitoring and reviewing the risk management framework is aimed at ensuring that appropriate framework enhancements occur when and as needed. It is important to gain assurance as to the effectiveness and efficiency of the risk management framework because it provides the structure within which all risks are managed.

5.1.3 How to monitor and review your risk management framework


When monitoring and reviewing the framework, particular attention should be paid to whether the framework has been appropriately customised and is operating in a manner that illustrates that:
- risks are being effectively identified and appropriately analysed
- this leads to adequate and appropriate risk management and control
- there is effective monitoring and review by management and executives to detect changes in risks and controls.

There are several approaches available to assist Departments and Agencies in effectively monitoring and reviewing their frameworks, including reviewing the framework against:
i) risk management process components;
ii) risk management principles; and/or
iii) a risk management maturity model (Appendix N: VAGO Good Practice Guide).

The factors to consider when choosing the appropriate approach include:
- the maturity level of risk management, as determined through any previous maturity assessments
- the number of planned risk management improvement initiatives currently being undertaken or recently undertaken
- the findings from previous risk management framework reviews
- the size and complexity of the organisation
- the number of major risks that have eventuated in that year
- whether the organisation has started providing any new services / products
- whether there have been significant organisational changes
- management of inter-agency risk
- use of implementation partners.


For example, a medium-sized organisation that has previously been assessed as having mature risk management, but which had numerous major risks eventuate in the last year, would most likely undertake more rigorous monitoring and review of its risk management framework. The fact that the organisation rated well in a previous maturity assessment does not outweigh the fact that it had many risks eventuate, as this would normally indicate some form of failure in its risk management practices.

It should also be noted that you may choose to use a combination of approaches at different times, or alternate the approach used from year to year. For example, it may be appropriate to conduct an annual review of the framework against the process components; however, on a three-yearly basis it may be useful to conduct a risk management maturity assessment, particularly if over that period a number of risk management improvement initiatives have occurred.

Further detail is provided below on the different approaches that an organisation may use to monitor and review its risk management framework, including examples of how these approaches could be practically implemented.

5.1.3.1 The role of Internal Audit in the risk management process

The Institute of Internal Auditors' Professional Practices Framework defines Internal Audit as an independent, objective assurance and consulting function designed to add value and improve an organisation's operations and help it accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of:
- risk management
- control
- governance processes.

Internal Audit services can be provided either by suitably qualified members of the organisation, or outsourced to a third-party professional services or auditing firm. Internal Audit has an important role to play in monitoring and evaluating the effectiveness of an organisation's risk management processes.

The following tables describe the core roles of Internal Audit in the risk management process, as well as those activities and roles that Internal Audit should not fulfil, or should only fulfil when adequate controls are in place to ensure that conflicts of interest do not arise and the independence of the Internal Audit function is not compromised.


CORE ROLES
- Giving assurance on:
  - control systems effectiveness
  - risk management processes
  - that risks are correctly evaluated
- Evaluating:
  - risk management processes
  - reporting of material risks
  - reviewing the management of material risks

The following safeguards should be considered when involving Internal Audit in the activities described in the table below:
- segregation of duties
- membership of the Institute of Internal Auditors, which requires that strict professional standards and ethical behaviours are adhered to
- appropriate Audit and Risk Management qualifications such as CIA (Internal Audit), CISA (IT Audit) and CRM (Risk Management)
- appropriate skill levels and knowledge of the organisation
- Board review and approval of risk management outcomes.

WITH SAFEGUARDS
- Advice on risk identification and evaluation
- Championing establishment of ERM
- Facilitating:
  - risk workshops
  - management risk response
- Central co-ordination point for ERM
- Risk monitoring across the business
- Holistic reporting on risk
- Operating the ERM framework
- Developing the Risk Management Strategy for Board approval


The following activities should never be performed by an organisations Internal Auditor/s:

DO NOT
- Set risk appetite
- Impose risk management processes
- Take decisions on risk response
- Manage risks on behalf of management
- Take accountability for risks and controls

Source: Standards Australia HB158-2006: Delivering assurance based on AS/NZS 4360:2004 Risk Management

5.1.3.2 Risk management process components

The Standard provides non-prescriptive guidance on how to conduct an effective risk management process. The process contained therein, and described in the preceding section of these guidelines, identifies seven key risk management process elements. It is important to note that this form of review concerns the risk management process rather than the entire risk management framework; however, the process depicts a large part of risk management effectiveness within an organisation. Process effectiveness is then considered in conjunction with the extent to which the right capability exists and the right behaviours are being exhibited, to determine overall framework effectiveness.

One available approach for monitoring and reviewing a risk management framework is to review the organisation's process against the seven steps set out in the Standard. Set out below is further detail on conducting this type of review.

Element 1: Communication and consultation

Element 1 is defined in the guide as meaning: Communicating and consulting with internal and external stakeholders as appropriate at each stage of the risk management process and concerning the process as a whole. The questions which Handbook 158 (the handbook supporting implementation of AS/NZS 4360:2004) provides to assist in examining the effectiveness and appropriateness of communication are:


- Have all key stakeholders been consulted and involved as appropriate?
- Have stakeholders' perceptions of risk been addressed?
- Where necessary, has a communication plan been developed?
- Is there ownership of risks and controls by members of the organisation?

Typical Documentation
- Stakeholder management plan (either dedicated to risk management or containing a risk management element).
- Communications plan (either dedicated to risk management or containing a risk management element).
- Communications that have been provided to internal and / or external stakeholders, for example, the risk management component of an Annual Report or internal newsletters or bulletins containing risk management discussion.
- Outcomes of communication and consultation evaluation exercises.

When examining this documentation consider whether:
- Account is taken of the fact that different stakeholders should be communicated and consulted with using different media and channels.
- Different stakeholders are being communicated different messages depending on their needed involvement in the risk management process.
- The timing of communication and consultation is appropriate; for example, it may not be appropriate to provide general external stakeholders with quarterly risk management updates, but this may be required when communicating or consulting with suppliers who are delivering critical outputs on your behalf.
- The right mix of communication and consultation occurred; that is, if input from a stakeholder was crucial to the organisation's ability to make a certain decision, did consultation rather than communication occur with that stakeholder?
- Stakeholders, both internal and external, exhibited a greater understanding and awareness of risk management as a result of the communication and consultation that occurred. This may be evidenced by increased participation in risk assessment exercises, increased contribution to risk reporting and / or through the outcomes of surveys.

Element 2: Establishing the context

Element 2 is defined in these guidelines as meaning: Establishing the external, internal and risk management context in which the rest of the process will take place. Criteria against which risk will be assessed should be established and the structure of the analysis defined.

When commencing risk assessment, is there a process to obtain a clear understanding of the organisation's:
- External context (including the relationship between the organisation and its environment, and the organisation's strengths, weaknesses, opportunities and threats)?
- Internal context (including the organisation's capabilities, the organisation's goals and objectives and the strategies that are in place to achieve them)?
- Risk management context (including the goals, objectives, strategies, scope and parameters of the risk management process, or the part of the organisation to which the risk management process is being applied); and
- Criteria for deciding when risk is tolerable or not?

Typical Documentation
- Risk assessment presentations
- Risk assessment criteria including consequence, likelihood and overall risk levels
- Risk registers
- SWOT analysis outcomes.

When examining this documentation consider whether:
- The risk assessment process involved examining risks to achieving the organisation's / area's / project's objectives
- Identified risks were clearly linked back to the relevant objectives
- Consequence and likelihood criteria, and overall risk levels, are clearly established and, where appropriate, consistent across the organisation
- The right people were involved in establishing the organisation's consequence and likelihood criteria and overall risk levels
- There was some form of review, and where appropriate update, of the risk management framework to reflect any changes that have occurred in the organisation's internal or external environment. For example, if new business units were established, these business units should now have a current risk register.

Element 3: Risk identification

Element 3 is defined in these guidelines as meaning: Identifying where, when, why and how events could prevent, degrade, delay or enhance the achievement of organisational objectives. Questions to assist in examining the effectiveness and appropriateness of risk identification are:
- Is risk identification an integral part of planning, including strategic, operational and project plan development, by linking the process to objective setting? Is it an integral part of change management processes?
- Does the organisation have ongoing, comprehensive and systematic processes for identifying risks?
- Is there a range of risk identification processes available (a tool kit) together with skilled practitioners for each process? (It is common for organisations to provide guidance on the approach and the level of rigour required. The effort required is usually related to risk severity levels.)
- Are the staff involved in risk identification knowledgeable about the processes or activity being reviewed and about the risks that must be managed as a part of that activity?
- Is risk identification normally a participative process that involves appropriate stakeholders?
- Are identified risks allocated to named individuals or positions (risk owners)?

Typical Documentation
- Strategic and business planning day agendas and presentations
- Strategic and business plans
- Project business cases and implementation plans
- Risk registers
- Lists of participants in risk assessment exercises.

When examining this documentation consider whether:
- Risks are identified, or the need for risk management is considered, during the strategic and business planning process
- Strategic and business plans clearly identify the key risks to delivery of the objectives contained therein
- Risk identification occurs at numerous levels within the organisation, that is, at strategic, operational and project levels
- Identified risks cover all categories or types of risk to which the organisation is exposed
- The right mix of people were involved in the risk assessment process. For example, were all Executives involved in identifying the organisation's strategic risks, and were the heads of business units involved in the process of identifying the risks for their business units?
- The risk register clearly identifies individuals or positions, and not groups of people, who own risks.


Element 4: Risk analysis

Element 4 is defined in these guidelines as meaning: Identifying and evaluating existing controls, and determining consequences and the likelihood and hence the level of risk. This analysis should consider the range of potential consequences and how these could occur. Questions to assist in examining the effectiveness and appropriateness of risk analysis are:
- Are the existing management and technical systems and procedures that are used to control risks identified and assessed for effectiveness as part of risk analysis?
- Is there a robust means of assessing risk control effectiveness?
- Are the most critical and important controls identified, and are they allocated to specific positions or named individuals?
- Is there a coherent process for the analysis of risk that measures both consequences and corresponding likelihood?
- Is there appropriate analysis of the nature and extent of consequences?
- Is the rigour of the risk analysis always in keeping with the context, the risk criteria, the level of uncertainty in the analysis and the needs of decision makers?

Typical Documentation
- Strategic and business planning day agendas and presentations
- Risk registers
- Root cause analysis outcomes
- Audit reports
- Control self-assessment outcomes.

When examining this documentation consider whether:
- Risk analysis involves identifying and considering the effectiveness of current controls, and determining the range of consequences that could result if the risk were to occur and the likelihood of the risk occurring
- Control effectiveness assessments are supported by information other than management's initial perceptions
- Reliable and appropriate information is used to predict the likelihood and consequences of risks occurring, for example, information on past events and available industry data
- The right people are involved in risk analysis to ensure that supported ratings are provided; for example, if there is a specific IT risk, involve the CIO and their relevant support staff in analysing that risk
- All risks are analysed using approved, and where appropriate consistent, risk assessment criteria (likelihood, consequence etc.).


Element 5: Risk evaluation

Element 5 is defined in these guidelines as meaning: Comparing the estimated level of risk against the pre-established criteria and considering the balance between potential benefits and adverse outcomes. This enables decisions to be made about the extent and nature of treatments required and about priorities.

Questions to assist in examining the effectiveness and appropriateness of risk evaluation are:
- Are risks evaluated and prioritised for attention using a consistent process?
- Does the organisation have treatment plans for the higher priority risks, taking account of benefits and costs?

Typical Documentation
- Risk registers
- Evidence of discussion and approval of risks both within and beyond the organisation's risk tolerance.

When examining this documentation consider whether:
- There are overall risk levels given to identified risks
- There is a priority order given to identified risks
- There are pre-defined actions required for certain risk levels
- There is a process in place for accepting risks that are beyond the organisation's risk tolerance where there are no further viable treatment options available.

Element 6: Risk treatment

Element 6 is defined in these guidelines as meaning: Developing and implementing specific cost-effective strategies and action plans for increasing potential benefits and reducing potential costs. Questions to assist in examining the effectiveness and appropriateness of risk treatment are:
- Is there a risk treatment plan (leading to controls) in place for each risk that is judged not to be tolerable?
- Do risk treatment plans include the consideration of resources and timing?
- Are performance objectives set during the design and development of controls?

Typical Documentation
- Risk registers
- Risk treatment plans (if these are documented separately to the risk register)
- Budgeting documentation.

When examining this documentation consider whether:
- Risk treatments have the resources required to deliver upon them identified, and whether these resource requirements have been incorporated into the relevant budgets, particularly where significant resources are required
- Risk treatments have responsible persons and implementation timings identified
- Different risk treatment options have been considered for risks
- Treatments chosen reflect the organisation's risk tolerance
- All treatment plans have been approved by someone with the requisite authority to do so.

Element 7: Monitor and review

Element 7 is defined in these guidelines as meaning: it is necessary to monitor the effectiveness of all steps of the risk management process and the overall risk management framework. This is important for continuous improvement and change management. Risks and the effectiveness of controls and risk treatments need to be monitored to ensure changing circumstances do not alter priorities.

Questions to assist in examining the effectiveness and appropriateness of monitoring and reviewing risk are:

- Is there regular review and monitoring of:
  - the risk management process?
  - the risks and opportunities the organisation faces, and their priorities for treatment?
  - the implementation and effectiveness of risk treatment plans (controls, strategies)?
  - whether the organisation's risk management processes have been applied systematically to objectives at the corporate, business unit and project levels?
- Are independence requirements recognised where third party assurance providers are also responsible for the implementation of the risk management process?


Typical documentation:

- Risk reports
- Minutes of meetings to which risk reports are provided
- Reports documenting the results of effectiveness reviews, for example, Internal Audit reports
- Evidence of updates to risk registers as a result of review findings.

When examining this documentation, consider whether:

- Risk reporting is provided to all relevant stakeholders and is tailored to meet the relevant stakeholder groups' requirements
- An appropriate level of independent review is occurring in respect of risk management
- There is a well thought through process for determining where risk assurance activities are occurring
- All aspects of risk management are being covered by some form of monitoring and review activity.

5.1.4 Risk management principles

Another available approach to reviewing the effectiveness of a risk management framework is to do so in relation to established risk management principles.

The risk management principles identified in the Standard are:

1. Risk management creates and protects value
2. Risk management is an integral part of all organisational processes
3. Risk management is part of decision making
4. Risk management explicitly addresses uncertainty
5. Risk management is systematic, structured and timely
6. Risk management is based on the best available information
7. Risk management is tailored
8. Risk management takes human and cultural factors into account
9. Risk management is transparent and inclusive
10. Risk management is dynamic, iterative and responsive to change
11. Risk management facilitates continual improvement of the organisation

The following sections provide guidance on the factors to consider when conducting such a review, with the aim of reducing what could otherwise be quite a subjective assessment.


Principle 1: Risk management creates and protects value

AS/NZS 31000 provides the following further information on this principle: Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.

For an organisation to demonstrate that its risk management is creating and protecting value, it is important to have defined indicators in place to measure the value being derived. Some examples of the ways in which an organisation may measure value include:

- reductions in risk level/s, as supported by clear and relevant key risk indicators
- achieving objectives, as set out in strategic and business plans, and as demonstrated by meeting clear key performance indicators
- delivering projects on time, within budget and to the requisite quality
- preventing negative outcomes or unnecessary expenditure or costs.

It is recognised that not all of an organisation's success may be attributed to risk management; however, the fact that no catastrophic or severely damaging delivery issues have occurred means, by inference, that there has been effective risk management. The use of quantifiable indicators helps to support a more robust process for measuring value.

Principle 2: Risk management is an integral part of all organisational processes

AS/NZS 31000 provides the following further information on this principle: Risk management is not a stand-alone activity that is separate from the main activities and processes of the organisation. Risk management is part of the responsibilities of management and an integral part of all organisational processes, including strategic planning and all project and change management processes.

The way in which an organisation may measure the extent to which risk management is integrated within its organisational processes is by determining whether risk management is considered as part of:

- Strategic planning
- Business planning
- Budgeting
- Performance planning and management
- Project management.

If risk management forms a part of the above-listed processes and is seen to be consistently and correctly applied in those processes, an organisation should be able to confidently say that it practises integrated risk management.

Principle 3: Risk management is part of decision making

AS/NZS 31000 provides the following further information on this principle: Risk management helps decision makers make more informed choices, prioritise actions and distinguish among alternative courses of action.

The value to be derived from risk management is diminished if risk information is not used for decision-making purposes. Risk information provides significant insight into whether an activity should be undertaken by an organisation and, if so, the extent of risk reduction resources needed to manage the risks associated with delivering that activity. Therefore, it is essential that risk information forms an input into decision-making rather than acting as a separate stand-alone activity. Some of the factors to be considered when determining whether risk management is a part of decision-making are:

- Have any business strategies or activities been avoided because of the associated risks?
- Have budget changes occurred in order to appropriately manage risks associated with strategies that the organisation has chosen to undertake?
- Have any project business cases been rejected on the basis of the risks that may be created by undertaking the project?

If "yes" has been answered to any of the above questions, or if you can show evidence of why "no" was always answered from a risk perspective (that is, because the risks were too low to cause any changes in business practices), then it could be said that risk management forms part of the decision making of the organisation.

Principle 4: Risk management explicitly addresses uncertainty

AS/NZS 31000 provides the following further information on this principle: Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.

This is a difficult principle to measure; however, it may be possible to measure whether this principle is being followed by determining whether any foreseeable risks have eventuated which were not captured in the organisation's risk register. Considering that risk management occurs in order to manage uncertainty, it is important that when the risk management process occurs, risks outside of the norm are considered. If risks have occurred that were foreseeable on the basis that there was uncertainty in some form in the internal or external environment, these should have been identified as part of the risk assessment process. If they were not, then there is a gap in the effectiveness of the process.

Principle 5: Risk management is systematic, structured and timely

AS/NZS 31000 provides the following further information on this principle: A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.

Some of the questions that an organisation may ask in order to determine whether it uses a systematic and structured risk management process are:

- Is there more than one set of consequence, likelihood and overall risk level criteria used across the organisation?
- Are risks reported throughout the organisation in a manner that can be combined to provide one meaningful and consistent reporting format at Board level?
- Are there any independent reviews of the risk ratings or control effectiveness ratings provided by management, for example, by Internal Audit?
- Are regular risk reviews conducted (e.g. monthly) by individuals who understand the risk and control environment?

If "yes" was answered to all of the above-listed questions, then it is likely that the organisation has a fairly consistent, comparable and reliable risk management approach.

Principle 6: Risk management is based on the best available information

AS/NZS 31000 provides the following further information on this principle: The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgment. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.


It is important to learn from both past experience and the experience of others when considering the risks to which an organisation may be exposed and the best strategies available for treating those identified risks. As is indicated below, sources of information such as audit and incident reports, the outcomes of previous risk assessment exercises, and expert opinions are all important inputs into the risk management process, as is the experience of individuals. This principle can be demonstrated by ensuring that the right inputs and participants are involved in the risk management process. An example of where this principle may not be met is when only one person has been given responsibility for compiling or updating a risk register, as this may result in a more subjective and influenced outcome.

Principle 7: Risk management is tailored

AS/NZS 31000 provides the following further information on this principle: Risk management is aligned with the organisation's external and internal context and risk profile.

Some of the ways in which an organisation can demonstrate that it practises tailored risk management are if it has:

- Risk categories that reflect its organisational context, for example, a healthcare organisation is likely to have a risk category around patient safety, as compared to a Department, which may have a risk category around its policy development role;
- Likelihood, consequence and overall risk level criteria that reflect its risk appetite and tolerance, that is, which are not merely the same as those provided as examples in the AS/NZS 4360 Risk Management Standard; and
- Risk reporting that takes account of existing reporting structures rather than re-inventing the wheel for risk reporting.

There are also many other ways an organisation could demonstrate that it practises tailored risk management; however, these will be highly dependent on the nature, size and complexity of the organisation. When considering whether an organisation does practise tailored risk management, look to see whether the organisation's risk management approach is solely a cut and paste from a standard or whether the approach being used is tailored to the organisation's objectives, structures and existing processes.

Principle 8: Risk management takes human and cultural factors into account

AS/NZS 31000 provides the following further information on this principle: Risk management recognises the capabilities, perceptions, and intentions of internal and external people that can facilitate or hinder achievement of the organisation's objectives.

Stakeholder management and communication is an important part of achieving effective risk management. Managing people's risk management perceptions and generating a willingness of people to input into the risk assessment process are essential to its success. Therefore, when reviewing the risk management framework's effectiveness, attention should be paid to whether:

- there is adequate participation in the risk assessment, that is, a cross section of executives, management and staff who have knowledge about a risk area, so as to reduce the subjectivity of assessment outcomes
- input has been gained from external stakeholders who may have an informed view as to some of the risks faced by the organisation, or may themselves form a source of risk
- communication of risk assessment outcomes has occurred in an appropriate manner, for example, the Annual Report includes the attestation (as described in further detail below) and articulates the organisation's approach to risk management
- approval is sought for key risk management documents, including the organisation's risk register, by groups that have the requisite authority to approve such documents and who have authority to direct the right amount of resources to risk management activity.

Principle 9: Risk management is transparent and inclusive

AS/NZS 31000 provides the following further information on this principle: Appropriate and timely involvement and inclusion of stakeholders and, in particular, decision makers at all levels of the organisation ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.

Evidence of this principle is determined in a similar way to the principle outlined directly above. The other essential component of this principle is that there is sufficient risk reporting and escalation to support effective risk governance and management throughout the organisation. It is important that the Secretariat / Board receive risk reporting on more than an annual basis and that the organisation's key strategic risks are communicated to the lowest organisational levels. For risk management to be truly effective, all people throughout the organisation should understand how their individual actions contribute to achievement of the organisation's key objectives. The governing body should be well aware of its risk exposure. Hence the importance of risk reporting and escalation throughout the entire organisation.

Principle 10: Risk management is dynamic, iterative, and responsive to change

AS/NZS 31000 provides the following further information on this principle: Risk management continually senses and responds to change. As internal and external events occur, context and knowledge change, monitoring and review of risks takes place, new risks emerge, some change, and others disappear.

As an organisation's environment will change regularly, so will its risk environment. The risks that an organisation is exposed to and the appropriate treatment strategies can change quickly. Therefore, it is important that an organisation has a robust process for monitoring its risk environment and updating its risk register as and when it is required. For example, if an organisation was only undertaking an annual risk review process and, between reviews, no risk or control updates were occurring, this principle may not be met for some organisations; however, whether this inaction resulted in not meeting this principle would still be dependent upon the size and nature of the organisation and the type of risk environment in which it operates.

Principle 11: Risk management facilitates continual improvement of the organisation

AS/NZS 31000 provides the following further information on this principle: Organisations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organisation.

For an organisation to demonstrate continuous risk management improvement and enhancement, it would need to show that at least annually it is reviewing and updating its risk management framework as required, including but not limited to documentation such as:

- risk management policy
- risk management procedure
- risk appetite and tolerance documentation
- risk reporting formats.

These changes could be identified by:

- internal stakeholders who have ideas for process improvements
- independent review parties
- risk management thought leadership that indicates changes in leading risk management practices.

Toolkit reference: Appendix: 31000 Principles - 20 Questions to Ask

5.1.4.1 A risk management maturity model

Using a risk management maturity model against which to assess a risk management framework is another available approach to reviewing its effectiveness. A risk management maturity model should measure the technical design of an organisation's risk management framework coupled with the extent to which the framework is understood and applied consistently, that is, the extent to which risk management behaviours and capabilities are exhibited. It is important to concentrate not only upon whether the right documents exist but also to consult a cross section of the organisation to determine whether these documents and the processes contained therein are practised in reality.

A risk management maturity model should allow a framework to be assessed on both design and behavioural aspects in relation to:

- governance and oversight, including risk management reporting and communication
- integration of risk management with other business processes
- the existence and use of a risk management strategy, policy and processes.

When assessing the framework it is important to consider whether the following risk management attributes, as contained in the Risk Standard, are evident:

1. An emphasis on continual improvement in risk management through the setting of organisational performance goals, measurement, review and the subsequent modification of processes, systems, resources, capability and skills
2. Comprehensive, fully defined and fully accepted accountability for risks, risk controls and risk treatment tasks
3. All decision making within the organisation, whatever the level of importance and significance, involves the explicit consideration of risks and the application of risk management to some appropriate degree
4. Continual communications with and highly visible, comprehensive and frequent internal and external reporting of risk management performance to all stakeholders as part of a governance process
5. Risk management is viewed as central to the organisation's management processes so that risks are considered in terms of effect of uncertainty on objectives.

Further information is provided on each of these five attributes below:

Attribute 1: An emphasis on continual improvement in risk management through the setting of organisational performance goals, measurement, review and the subsequent modification of processes, systems, resources, capability and skills

Indicators: This would be indicated by the existence of explicit performance goals against which the organisation's and individual manager's performance is measured. The organisation's performance could be published and communicated. Normally, there would be at least an annual review of performance and then a revision of processes, systems, and the setting of revised performance objectives for the following period. This risk management performance assessment is an integral part of the overall organisation's performance assessment and measurement system as applied at the business unit and individual level.

Attribute 2: Comprehensive, fully defined and fully accepted accountability for risks, risk controls and risk treatment tasks

Indicators: Designated individuals fully accept accountability, are appropriately skilled and have adequate resources to check risk controls, monitor risks, improve risk controls and communicate effectively about risks and their management to internal and external stakeholders. This would be indicated by all members of an organisation being fully aware of the risks, risk controls and tasks for which they are accountable. Normally this will be recorded in job/position descriptions, a database or an information system. The definition of risk management roles, accountabilities and responsibilities should be part of all the organisation's introduction programs. The organisation ensures that those who are accountable are equipped to fulfil that role by providing them with the authority, time, resources and skills sufficient to assume their accountabilities.

Attribute 3: All decision making within the organisation, whatever the level of importance and significance, involves the explicit consideration of risks and the application of risk management to some appropriate degree

Indicators: This is indicated through the examination of the records of meetings and decisions to show that explicit discussions on risks took place. Also, it should be possible to see that all elements of risk management are represented within key processes for decision-making in the organisation, for example, for decisions on the allocation of capital, on major projects and on restructuring and organisational changes. For these reasons, soundly based risk management is seen within the organisation as providing the basis for effective and prudent governance.

Attribute 4: Continual communications with and highly visible, comprehensive and frequent internal and external reporting of risk management performance to all stakeholders as part of a governance process

Indicators: This is indicated by communication with interested parties being clearly regarded as an integral and essential component of risk management, so that communication takes place as part of each part of the risk management process. Communication is rightly seen as a two way process so that properly informed decisions can be made about the level of risks and the need for risk treatment against properly established and comprehensive risk criteria. Highly visible, comprehensive and frequent internal and external reporting of both significant risks to the organisation and of risk management performance contributes substantially to effective governance within the organisation.

Attribute 5: Risk management is viewed as central to the organisation's management processes so that risks are considered in terms of effect of uncertainty on objectives.

Indicators: The organisation's governance structure and process are founded on the management of risk. Effective risk management is regarded by managers as essential for the achievement of the organisation's objectives. This is indicated by managers' language and important written materials in the organisation using the term uncertainty in connection with risks. This statement is also normally reflected in the organisation's statements of policy, particularly that relating to risk management. Normally, this attribute would be verified through interviews with managers and through the evidence of their actions and statements.

Types of activities

When conducting a risk management maturity assessment, it would be expected that the following types of activities would be conducted:

i) Review of risk management documentation
ii) Distribution of a survey (optional, or may replace the meeting process)
iii) Conduct of meetings with key internal, and where appropriate external, stakeholders
iv) Preparation of a report outlining findings and proposed recommendations.

Each of these activities is described in further detail below.

i) Review of risk management documentation

The first step towards developing an in-depth understanding of a risk management framework is to undertake a review of current risk management and governance documentation. The types of documents that would typically be reviewed include:

- risk management policy
- risk management process and strategy documents
- risk identification and assessment tools and templates
- risk management training program and materials
- risk tolerance documentation, including likelihood, consequence and overall risk level criteria
- risk registers
- risk reports.

ii) Distribution of a survey

A survey can be used to determine the current understanding of risk management, both more generally and in the context of the organisation's established risk management strategy. A survey would typically be used in larger organisations and is a useful tool for ascertaining the level of risk management knowledge and capability at lower organisational levels. A survey would usually ask similar questions to those outlined below under "Conduct of meetings". The use of a survey is optional; however, if it is chosen to be used then it should be distributed prior to the conduct of meetings. This is because the meetings can then be used to confirm and, where necessary, clarify the information provided in the survey.

iii) Conduct of meetings

It is important to promote understanding and support of the risk management process by key individuals within an organisation. Therefore, as part of a maturity assessment it is important to conduct interviews with key executives/managers to gain insight into their current risk management understanding and to ascertain their views as to the effectiveness of the existing risk management framework. Meetings can also be used as an opportunity to obtain information on any improvements they consider would assist in further integrating and embedding risk management within the organisation.

The following questions could be asked during these meetings:

- How are risk management practices helping you to manage your risks?
- What form of risk reporting do you receive?
- How is risk information used by the organisation?
- Is there a regular review of existing risks?
- Are emerging risks being identified in time to effectively manage them?
- How is management held accountable for delivery of risk management responsibilities?
- Does the organisation have risk champions or risk specialists within certain areas?
- How are good risk management practices recognised and rewarded?
- How would you describe the risk culture of the organisation?
- What business processes incorporate a risk management component?
- How is project risk management incorporated into the organisation's overall risk management approach?
- What training have you received in risk management?
- How is risk being managed at the lower levels of the organisation?
- How effectively are the aims, objectives and benefits of risk management communicated across the organisation?
- How does the organisation determine which risk treatment options can be implemented? Is this done on a cost versus benefit basis?
- How does risk management assist in overall business management?


iv) Preparation of a report

It is important to record the outcomes of a risk management maturity assessment in a formal report so that this information is available for future reference. When presenting assessment outcomes, all findings and supporting information should be included and, where gaps are identified, recommendations provided on how these gaps could be closed.

Toolkit reference: Appendix: VMIA Risk Framework Maturity Model


5.2 Risk management attestation

[Figure: guide structure map. Developing a Risk Management Framework: Overview; Risk Management Framework; Key Considerations When Designing a Framework; Documenting a Framework; Risk Management Governance; Risk Management Information Systems. Implementing a Risk Management Framework: Overview of a Risk Management Process; Risk Management Process; Risk and Risk Management Reporting; Developing Desired Risk Management Culture. Monitoring and Enhancing a Risk Management Framework: Monitoring and Reviewing a Risk Mgt Framework; Attestation Process; Continuous Improvement. This section covers the Attestation Process.]

5.2.1 What is it?

The Victorian Government Risk Management Framework (VGRMF), released in 2007, brings together information on governance policies, accountabilities, and roles and responsibilities for all those involved in risk management across the State. One of the more significant requirements under the VGRMF is the need for accountable officers (in departments) and the chair of the board (in statutory bodies) to attest in their organisation's Annual Report that:

- Risk management processes consistent with the standard (AS/NZS 31000:2009) or equivalent are in place,
- An internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures, and
- The audit committee (for a department) or board (for a statutory authority) verify the assurance made and that the risk profile has been critically reviewed within the last 12 months.

5.2.2 Why do it?


It is recommended that all public sector agencies adopt the VGRMF; however, it is mandated under Standing Direction 4.5.5 of the Minister for Finance (Risk Management Compliance) for those agencies that report in the Annual Financial Report for the State of Victoria. This applies to approximately 300 public bodies. The majority of these are departments and larger public sector agencies. Attestation is effective for annual reports completed or issued after July 2008.

5.2.3 Roles and responsibilities


Secretaries, chief executive officers, and management of departments and agencies are ultimately responsible for developing and implementing risk management processes and internal control systems, and for managing and continuously improving these processes and systems. The audit committee should take a leading role in the governance and oversight of the department or agency and be actively involved in the monitoring and review of risk management processes and control systems. The accountable officers (in departments) or chair of the board (in statutory bodies) will be required to attest in their organisation's annual report, and the audit committee (for a department) or board (for a statutory authority) will be required to verify the assurance made and that the risk profile has been critically reviewed within the last 12 months.

5.2.4 Risk frameworks the current status


The VMIA (through our Risk Framework Quality Review program) has formed the opinion that the majority of public sector departments and agencies have adopted the Australian Risk Standard and are evolving their risk frameworks and risk maturity levels. These findings are consistent with those noted in the Victorian Auditor General's report Managing Risk Across the Public Sector: Towards Good Practice (2007). The VMIA recognises that organisational risk frameworks and maturity will vary according to many factors, including size, risk appetite and contextual aspects. There is no "one size fits all" model for risk management, nor is there a singular attestation model. Attestation is relative to risk maturity, and a department's or agency's attestation should reflect this.

5.2.5 So what is new or different?


The attestation builds upon current directives and legislative requirements. It extends these to mandate use of the Risk Standard and focuses agencies on an organisation wide approach to risk management, both of which are widely understood and adopted throughout the public sector. The most significant change is the requirement to attest in an organisation's annual report on the effectiveness of the department's or agency's risk management framework.

5.2.6 Implementation
The VMIA has developed a number of key principles to guide departments or agencies that underpin the attestation process, some of which include:

- Attestation is intended to provide assurance or demonstrate performance. It should not be merely a compliance or box ticking exercise.
- Keep the attestation framework and process as pragmatic and relevant as possible. The Agency's maturity, size, complexity and risk appetite need to be considered, since attestation is relative to maturity.
- A model similar to the Australian Stock Exchange's "if not, why not" reporting style should be used. Thus if the Agency does not attest, you should explain why not and what you are planning to do about improving over the coming year.

It is essential that a department or agency treat the attestation requirement as a formal process. Initially this may require the application of project management principles to ensure the development of an attestation system or framework. Once completed, this system should be integrated into risk, compliance and annual reporting processes. Key stages would include:

- Current state assessment/gap analysis against the Risk Standard and organisation wide risk models
- Review of current risk and compliance reporting frameworks for compliance/gaps/synergies
- Education programs for board, management, auditors, planning, risk management and annual reporting staff about the VGRMF, accountabilities and actions
- Development of attestation policy, process maps and systems
- Rollout and embedding of procedures into core operations
- Review, report and refine policies and procedures

5.2.7 The attestation framework


The objective of the VGRMF is to promote sound risk management principles that embed risk management across all important practices and processes throughout the organisation. Attestation is therefore intended to provide assurance, or demonstrate performance, that this is being achieved. It is essential that attestors (the accountable officer or chair of the board) and verifiers (the audit committee or board) act in accordance with the above and do not treat the attestation process purely as a compliance exercise. Whilst each entity will have its own tailored attestation framework, all entities will benefit from keeping management and the board fully informed of the range and breadth of risk management processes and control activities undertaken across the department or agency. In a risk-mature organisation this will already be occurring.


A level of assurance will be required to support the attestation that:
- the agency has a risk management process in place consistent with the Australian/New Zealand Risk Management Standard (or equivalent designated standard), and
- the agency's risk profile has been critically reviewed within the last 12 months.

This could be satisfied by:
- evidence of third party reviews of the risk framework (e.g. VMIA RFQR, internal/external audit or risk service providers)
- a management self assessment or report on the application of, and adherence to, the Risk Management Standard
- risk management strategies and business/action plans
- details of management, executive and board risk assessments/workshops conducted over the past year.

A key element in support of the overall attestation is assurance that the executive understands, manages and satisfactorily controls risk exposures. This may be demonstrated through a cascading sign-off process linked to an entity's risk or control register.

Cascading sign-off (figure, read from the bottom up):
Management sign-off
Executive sign-off
Secretary/Chairman attestation
Audit Committee/Board verification

Annual plan/s or calendar/s of risk and assurance activities will be of use.


These could include:
- the range/frequency of risk and audit reports
- dates of formal risk and audit meetings of management and the board
- the number/type of audits completed in support of the organisation's risk framework and key risks
- the number/type of risk assessments/workshops conducted across the entity.

The risk and audit plans and calendar would need to be supported by an effective management process, including reporting and follow-up of recommendations, action items and risk mitigation plans.

In order to complete the process, an entity may include a formal report or submission to the audit committee or the board. If the board or audit committee has been kept fully informed of the risk and assurance program throughout the year (in the manner described above), a formal report may suffice. If, however, the reporting processes or risk maturity are immature, the entity will likely need to demonstrate its activities more fully.


5.2.7.1 Example attestation statements

Examples of attestations that could be used are set out below:

Examples of Risk Management Attestation

There may, however, be reasons that a department or agency may wish to modify the sample attestation wording. Reasons may include the risk maturity of the department or agency, the progress being made towards implementation of a risk framework, incomplete coverage of organisational units, divisions or risk types, or the inability to adequately determine the level of satisfaction over controls or risk exposure. Should a department or agency choose to modify the sample attestation wording, an explanation as to why such modification is required should be made. The VMIA proposes a model similar to the Australian Stock Exchange's "if not, why not" reporting style. This means that if the department or agency cannot attest, for whatever reason, it should explain why not and what it is planning to do about its risk management framework, process and control systems over the coming year. The VMIA would not see this as negative or as non-compliance. On the contrary, it could be seen as providing leadership and direction to improve an entity's risk framework, in accordance with the intent of the VGRMF.

5.2.8 In summary
Attestation is intended to provide assurance or demonstrate performance. It should not be merely a compliance exercise. The department's or agency's attestation process and system should be as pragmatic as possible and in line with the department's or agency's risk maturity, size and complexity.


If a department or agency is to attest without variation, it should have a risk management framework in place that embeds risk management across all important practices and processes and embodies sound risk principles throughout the organisation.

5.3 Continuous improvement


[Framework overview diagram. Developing a Risk Management Framework: Overview; Risk Management Framework; Key Considerations When Designing a Framework; Documenting a Framework; Risk Management Governance; Risk Management Information Systems. Implementing a Risk Management Framework: Overview of a Risk Management Process; Risk Management Process; Risk and Risk Management Reporting; Developing Desired Risk Management Culture. Monitoring and Enhancing a Risk Management Framework: Monitoring and Reviewing a Risk Mgt Framework; Attestation Process; Continuous Improvement (this section).]

5.3.1 What it is
The Risk Standard clearly articulates the continuous improvement loop that supports the ongoing effectiveness of a risk management framework. Set out below is the diagram provided within that Standard to demonstrate this process.

[Figure: Continuous Improvement Process (ISO 31000)]


5.3.2 Why do it?


Continuous improvement and change management are essential in ensuring the ongoing relevance and effectiveness of risk management activities within an organisation. To achieve the greatest benefits from continuous improvement, it must span all risk management framework elements, including the process, capability, behaviours, tools and templates, reporting structures, and the practices used to manage actual risks.

5.3.3 How to achieve it?


As is evident in the diagram on the previous page, there is a direct link between the outcomes of monitoring and review activities and the continual improvement of the framework. Continuous improvement is supported and informed both by the monitoring and review of risks and controls (as outlined in the Implementing the Risk Management Framework section) and by the monitoring and review of the risk management framework itself.

As the continual improvement of a risk framework includes discrete risk management improvement initiatives, there should be a clear link between an organisation's risk management strategy and the initiatives it wishes to undertake to improve its framework. In Section 3 of this guide, the components of a risk management strategy were outlined, including the need for a plan to be developed for the progressive enhancement of the organisation's risk management practices and competencies. The initiatives identified during monitoring and review activities should be prioritised and then included within the risk management strategy and risk plans, to ensure that they are appropriately approved and supported in their implementation. Inclusion of these initiatives in the strategy will also increase accountability for their delivery and should drive a need to measure their value once implemented; hence the importance of establishing linkages between the various elements of the process outlined in these guidelines.

By continuously improving its risk management framework, a department or agency should obtain benefits including:
- organisational resilience, by being proactive in managing risks rather than reactive in managing issues
- better governance through regular reporting, which strengthens an organisation's ability to oversee its risks and direct changes in approach where necessary
- increased accountability through well-defined risk management responsibilities against which performance is measured
- the ability to leverage leading risk management practice in its risk management approach.


5.4 Checklist Monitoring and reviewing a risk management framework


The following checklist provides a number of questions relating to the risk management monitoring and review processes within your organisation. Considering the answers to these questions will help you check your progress in implementing a robust and flexible risk management framework. The checklist distinguishes between those elements essential to ensure an effective risk framework, and those typically associated with relatively mature or sophisticated frameworks found in large organisations. Toolkit reference: Appendix O: Risk management checklist

Monitoring and review / enhancement of a risk management framework

Section | No. | Requirement | Essential (E)/Advanced (A) | In place (Yes/No)
Monitor and review | 1 | Does your risk process follow the steps described in the Risk Standard? | |
Monitor and review | 2 | Does Internal Audit review risk management processes? | |
Monitor and review | 3 | Is an Internal Audit function/process in place? | |
Monitor and review | 4 | Do your Internal Auditors focus their time and effort on the most critical risks recorded in the risk register? | |
Monitor and review | 5 | Does the organisation track changes in risk levels over time in order to understand trends/changes in risk levels? | |
Monitor and review | 6 | Has the risk policy been reviewed and approved in the last year? | |
Monitor and review | 7 | Has the Board and/or Risk Management Committee (or equivalent) made an attestation in the Annual Report in accordance with the Victorian Government Risk Management Framework (if applicable)? | |
Monitor and review | 8 | Is the risk process integrated with other organisational planning processes? For example, is risk considered during the strategic planning, budgeting and audit planning processes? | |


6 Risk management toolkit


6.1 Appendix A: Risk management glossary
6.2 Appendix B: Risk management strategy template
6.3 Appendix C: Risk management policy template
6.4 Appendix D: Risk management procedure template
6.5 Appendix E: Risk rating criteria template
6.6 Appendix F: Common risk categories for the public sector
6.7 Appendix G: Communication and consultation plan template
6.8 Appendix H: Risk training slides
6.9 Appendix I: Common example risks
6.10 Appendix J: Risk assessment template
6.11 Appendix K: Risk management database MS Access tool
6.12 Appendix L: Risk register MS Excel template
6.13 Appendix M: Risk management register worked example


6.14 Appendix N: Risk reporting MS Word templates
6.15 Appendix O: Risk management checklist
6.16 Appendix P: Risk management information system checklist
6.17 Appendix Q: VAGO good practice guide
