
WA GOVERNMENT
RISK MANAGEMENT GUIDELINES
SECOND EDITION

August 2011

A Division of the
Acknowledgement
RiskCover has produced the Risk management guidelines to assist the Western Australian State
Government Agencies to implement their risk management programs.

First edition January 2007


Second edition August 2011

Please direct all enquiries or comments on the contents of this document to:
Risk management Services
RiskCover
Insurance Commission of WA
The Forrest Centre
221 St Georges Terrace
Perth Western Australia 6000
(08) 9264 3806
riskmanagement@icwa.wa.gov.au

Table of Contents

PUBLIC SECTOR COMMISSIONER'S CIRCULAR ...... i

1. INTRODUCTION ...... 1
1.1 WHAT IS RISK MANAGEMENT? ...... 1
1.2 WHY MANAGE RISK? ...... 2
1.3 HOW DO WE MANAGE RISKS? ...... 2

2. COMMUNICATION AND CONSULTATION ...... 4

3. RISK MANAGEMENT PROCESS ...... 6
3.1 STEP 1: ESTABLISH THE FRAMEWORK AND CONTEXT ...... 6
3.1.1 Risk management Framework ...... 6
3.1.2 Methodology of Assessing Risk ...... 9
3.2 Specific Risk Assessment Context ...... 10
3.3 Summary ...... 11
3.2 STEP 2: RISK IDENTIFICATION ...... 12
3.2.1 What is a Risk? ...... 12
3.2.2 Causes of Risk ...... 12
3.2.3 Summary ...... 13
3.3 STEP 3: RISK ASSESSMENT - ANALYSIS & EVALUATION ...... 13
3.3.1 Existing Controls & Controls Assurance ...... 13
3.3.2 Risk Analysis ...... 15
3.3.3 Risk Evaluation ...... 16
3.3.4 Risk Ownership & Risk Decision ...... 17
3.3.5 Risk Acceptance Decision ...... 18
3.3.6 Summary ...... 18
3.4 STEP 4: RISK TREATMENT ...... 19
3.4.1 Identify, Evaluate and Select Treatment Options ...... 19
3.4.2 Prepare & Implement Treatment Plans ...... 20
3.4.3 Summary ...... 20
3.5 USING RISK INFORMATION ...... 21
3.5.1 Categorisation of Risk ...... 21

4. MONITOR AND REVIEW ...... 23
4.1 FOCUS AREAS ...... 23
4.2 RISK MANAGEMENT PERFORMANCE MEASURES ...... 24
4.3 ROLES AND RESPONSIBILITIES ...... 24

5. RISK MANAGEMENT IMPLEMENTATION ...... 26
1. EXECUTIVE AWARENESS AND COMMITMENT ...... 26
2. DEVELOPMENT OF THE RISK MANAGEMENT FRAMEWORK ...... 26
3. COMMUNICATION / EDUCATION ...... 27
4. MANAGING RISKS AT THE STRATEGIC LEVEL ...... 27
5. MANAGING RISKS AT THE BUSINESS UNIT LEVEL ...... 27
6. MONITOR AND REVIEW ...... 28

Appendix I: GLOSSARY ...... 29
Appendix II: SAMPLE RISK MANAGEMENT POLICY ...... 36
Appendix III: SAMPLE RISK REFERENCE TABLES ...... 39
Appendix IV: SAMPLE RISK REGISTER ...... 55
Appendix V: SAMPLE RISK MANAGEMENT IMPLEMENTATION SCHEDULE ...... 57
Appendix VI: STRATEGIC RISK MANAGEMENT FRAMEWORK ...... 60
Appendix VII: PROJECT LIFE CYCLE ...... 66

Risk management Guidelines
Copyright of Insurance Commission of WA RiskCover Division

Risk management Guidelines


Copyright of Insurance Commission of WA RiskCover Division

PUBLIC SECTOR COMMISSIONER'S CIRCULAR

Number: 2009/19
Issue Date: 08/05/2006
Review Date: 23/03/2011

TITLE
RISK MANAGEMENT AND BUSINESS CONTINUITY PLANNING

POLICY
All public sector bodies must practise risk management, regularly undertake a structured risk assessment
process to identify the risks facing organisations, be able to demonstrate the management of risks, and
where appropriate, have continuity plans to ensure they can respond to and recover from any business
disruption.
Public sector bodies must submit details of their risk management policy, assessment processes and
continuity plans to RiskCover. Public sector bodies must ensure that risk management policies and
continuity plans are maintained and reviewed on a regular basis.

BACKGROUND
Risk management has been a feature of the operation of the public sector for many years, with such
requirements included in the Treasurer's Instructions. The Insurance Commission of Western Australia
through its RiskCover Division has a mandate to manage and administer risk management arrangements on
behalf of public authorities and to provide advice to the Government on matters relating to risk management.
Planning for major risk events, such as natural disasters, often receives special focus with a great deal of
planning and mitigation work undertaken to deal with potential issues. However, it is a matter of good
corporate governance that risk assessment and continuity planning are subject to continual review at the
highest levels of an organisation. In more recent times the threat of terrorism and the possibility of an
influenza pandemic have reinforced the need for government agencies to be prepared and able to continue
to deliver services no matter the circumstances.
The proclamation of the Emergency Management Act 2005, together with other State initiatives such as the
Western Australian Management Plan for Pandemic Influenza, is part of the process of ensuring that the
public sector and the community are well prepared for emergencies of any kind.


Many agencies will already have well developed risk management processes while others may be less well
prepared.
RiskCover consultants will continue to be available to guide and assist agencies to enable them to meet the
requirements (contact Mr Jim Hodges, Risk management Services Manager, RiskCover 9264 3702).
Education and training in risk management and business continuity planning is also available through
RiskCover.

MC Wauchope
Public Sector Commissioner

For enquiries contact: Don Williams 9264 3400, Manager RiskCover Division, Insurance Commission of WA

Other relevant Circulars:

Circular/s replaced by this Circular: Premier's Circular 2006/03


Introduction

1. INTRODUCTION
These guidelines have been produced by RiskCover to assist State Government agencies in developing and
implementing effective risk management processes. They should be read in conjunction with the WA
Government Business Continuity Guidelines, as the management of critical incidents and emergencies is
just one aspect of an agency's overall approach to managing risk.

The purpose of these guidelines is to provide an overview and explanation of the risk management process
and some hints on applying it; they also include sample documents for you to use. Please contact
RiskCover Risk Management Services on Tel: 9264 3806 or email riskmanagement@icwa.wa.gov.au
should you require any further information or assistance in implementing risk management within your
agency.

1.1 What is Risk Management?


The management of risk is an integral part of good management practice. There is a direct relationship
between risk and opportunity in all business activities, and as such, an agency needs to be able to identify,
measure and manage its risks in order to be able to capitalise on those opportunities and achieve its goals
and objectives.

A risk can be defined as any internal or external situation or event that has the potential to impact upon an
agency, preventing the agency from successfully achieving its objectives, delivering its services, capitalising
on its opportunities or carrying out its projects or events.

Risk management is simply the practice of systematically identifying and understanding risks and the
controls that are in place to manage them. Ultimately the process gets you to a point of deciding whether, in
the context of a particular strategy, activity or function, a risk is acceptable or requires further action.

The risk management process does not encourage managers to be risk averse. In fact, it is designed to
provide managers with a degree of confidence to be able to manage risk to an acceptable level and to take
a level of risk commensurate with the opportunity. The key element in managing risk is correctly balancing
risk and reward. A culture which is risk averse will create inflexibility in the business and erect barriers to the
achievement of the organisation's goals. Conversely, the acceptance of disproportionately high risk can
have significant impacts on the business.


1.2 Why Manage Risk?


The primary reason for managing risk is to enable agencies to successfully achieve their goals. With the
growing need for transparent decision-making, a structured, systematic risk management process
demonstrates the due diligence that is required and provides an audit trail for decision making.

A comprehensive understanding of the risk exposures facing an agency also facilitates effective planning and
resource allocation, and encourages a proactive management culture, with flow-on benefits for every aspect
of an agency's operation.

1.3 How Do We Manage Risks?


Risk management is most successful when it becomes fully integrated into normal operating procedures,
processes and systems. Like all good management practices, it should be driven from the top down and be
recognised as the responsibility of everyone. Executives and Senior Managers have a particular
responsibility in demonstrating commitment to the implementation and use of the risk management process
and the information it generates.

These guidelines will take you through the process, which comprises the following steps:
1. Establish the context
2. Identification of the risks
3. Analysis and evaluation of the risks
4. Where necessary, treatment of the risks

In addition, there are two important concepts, Communication and Consultation, and Monitor and Review,
that apply to every aspect of risk management. These are discussed at the beginning and end of the
guidelines, respectively.


Implementing risk management involves a logical and structured way of thinking and it requires the
development and use of a consistent language to support the process. It is important to use precise,
common terminology to ensure the effective communication and unambiguous description of the risks within
your agency and across the whole of government.

Refer to the Glossary of Terms provided in Appendix I.


Communication and Consultation

2. COMMUNICATION AND CONSULTATION


Communication and consultation are essential to the overall risk management process. The effectiveness of
your risk management process depends upon, amongst other things, involving the right people at the right
time and ensuring they understand, are involved in, and contribute to the process.

Communication is the sharing of information and viewpoints. Effective communication has the following
attributes:

- It is multi-directional. Information, ideas and perspectives are shared across functional areas, and
  senior management are receptive to the views of their subordinates.

- It involves information and opinions. Other people's perspectives are understood and
  acknowledged. Factual information is gathered from all relevant sources. No individual or
  department has a monopoly on the facts.

- It is interactive. Listening is as important as talking. Good communication involves the sharing of
  information, opinions and experiences.

- It is respectful. It focuses on ideas and information, not personalities. Communication is most
  effective in an environment where people are valued and their viewpoints are respected.

- It engages the participants, promoting their understanding and ownership of the outcomes.

Consultation is a process that uses communication to make effective decisions. Importantly, consultation is
not an outcome or an end in itself but a means by which outcomes are achieved. Consultation gives
stakeholders the opportunity to influence decisions, however, it is not joint decision making, but rather an
effective way to receive useful input and ensure that all relevant viewpoints are taken into account in
identifying and evaluating risks.

A well-structured approach to communication and consultation can provide the following benefits:

- Organisational coherence and a positive culture for risk management implementation
- Trust and understanding, resulting in better internal and external relationships
- The risk management process becomes tangible: people know what it is and how it works
- Integration of multiple perspectives
- Risk management is embedded as an ongoing part of management and organisational practice

Each step of the risk management process relies on communication and consultation to achieve its purpose.
For instance, in setting the context, consultation with internal and external stakeholders is essential to reach
a thorough understanding of the operating environment and to define the purpose and scope of the
exercise. In risk identification, a diversity of input can prevent important risks being overlooked and ensure
that risks are accurately described. In the risk assessment process, communication and consultation allows
all perspectives to be considered in arriving at a realistic level of risk. Risk treatment is more effective
because treatment plans are better understood, and the monitor and review process depends upon effective
communication to ensure risk information is in use and current.

Communication and consultation does not mean asking everybody their opinion about everything. When
developing a strategy to implement a formal risk management process within your organisation, you may
wish to consider the following in relation to communication and consultation requirements:

- Objectives: What are the specific aims and goals of involving different parties in the process?

- Participants: Who are the appropriate parties to be involved at each step of the process?

- Perspectives: What particular contribution or viewpoint is anticipated and required from each
  participant?

- Methods: How will consultation take place? It may not always be practical to get all the parties
  together in one place.

- How do we integrate risk thinking into all aspects of our business?

Hint: When agencies plan their communication and consultation for the risk management process,
frequently they fail to adequately consider the needs and viewpoints of all stakeholders. Obviously, risk
management involves the discussion of some matters that cannot be shared with external parties.
However, if we fail to incorporate the needs and viewpoints of all stakeholders, the full benefit of risk
management may not be realised.

A successful means of embedding the management of risks into an organisation's culture is to integrate the
risk management process into existing management processes. Avoid running risk management as a
standalone process outside of normal management activities; integrating it reinforces the message that the
management of risk is part of managing the business.


Risk management Process

3. RISK MANAGEMENT PROCESS


3.1 Step 1: Establish the Framework and Context
There are two elements to this step:
(1) Setting the Risk management Framework and
(2) Establishing the specific risk assessment context.

3.1.1 Risk management Framework


An agency's risk management program should be aligned to its strategic goals and objectives and is most
effective when it is integrated with the overall planning and management functions of the organisation.

In developing a framework for managing risk, an agency needs to consider the following:

- Core purpose, vision, mission and values: why does it exist?

- Strategic direction, goals, required outcomes and deliverables. These may be defined by legislation,
  ministerial directive, charter, etc.

- Internal and external environments, often assessed using a SWOT analysis.

- Internal and external stakeholders: who are they, what are their needs and expectations?

- Organisational planning, reporting & management processes

- Roles, responsibilities and communication strategies

- A program of review to ensure the framework continues to align with the organisation's management
  practices

- Organisational governance structures and the integration of the management of risk into these
  structures

Based on the outcome of this analysis, an agency will then be in a position to define how risks are to be
managed across the organisation, through the development of:

- A Risk Management Policy

- Risk Management Procedures, which clearly define how the risk management process is
  undertaken and integrated into the planning, delivery, monitoring and reporting activities of an
  agency

- Risk Reference Tables: the agency's language, which defines consequence and likelihood. They
  also include a definition of the acceptance and reporting criteria for specific levels of risk.

- Risk management Implementation Strategy: a plan of how the policy and procedures are to be
  communicated and implemented

- Risk Register Tool: an electronic tool to facilitate the recording, managing, reporting and use of risk
  information

- Integration of the management of risk into the organisational structure, roles and responsibilities

Section 5 of these guidelines discusses the implementation of the risk management process in more detail.

Risk Reference Tables


Risk Reference Tables are developed by an agency for the purpose of establishing guidance as to how risks
are to be evaluated, assessed, measured, accepted and reported. As well as establishing a common
language, the use of semi-quantitative measures removes some of the subjectivity of the assessment
process and allows risks from any part of the agency to be compared with any other, and hence prioritised.
There are commonly four different tables used:
a) Controls Rating Table
b) Consequence Rating Table
c) Likelihood Rating Table
d) Risk Acceptance Criteria Table.

Refer to the samples of risk reference tables in Appendix III. Note that these tables are samples only
and need to be customised for each agency to reflect their own organisational context and tolerance
for risk.

a) Existing Controls Rating Table


This table is used to rate the adequacy of the collective existing controls that are in place at the time
of the assessment to manage a particular risk. It is usually qualitative in nature and it can be rated on
three levels, e.g. Excellent, Adequate and Inadequate. A Control is an established mechanism,
procedure, process or practice that is currently in place to manage a risk. It controls the risk by
reducing its consequences, likelihood, or both. A control should be tangible and in place at the time
of an assessment.

Hint: This is a reasonableness test. Is the agency doing what is reasonable in the circumstances to
reduce the likelihood and/or consequences of this risk? There may be several controls, each of which
contributes some way towards reducing the risk. What we are rating is the adequacy of those
combined measures. This is not an assessment of the effectiveness of each individual control.
Effectiveness should be looked at in the control assessment process and be reflected in the rating of
the likelihood.

b) Consequence Rating Table

Consequence Categories
Consequence categories are based upon the individual agency's criteria for measurement of success
and should reflect the agency's economic, social and in some cases, environmental responsibility.
The categories should include those key areas which, if impacted upon, would have a significant
effect on the ability of the agency to achieve its goals. In government, these consequence categories
may include: Financial, Injury, Service Interruption, Reputation and Image, Operational
Effectiveness, Community, Legal & Compliance and Environment.

Consequence Scale
Consequences are usually rated on a scale of 1 to 5, 1 being insignificant and 5 being catastrophic.
This is generally referred to as the level of consequence. For each of the consequence categories
defined, an agency needs to define criteria for each of the levels specified. Care must be taken to
ensure that criteria relating to different categories are equivalent at the same level of consequence,
i.e. the definition of a catastrophic Financial consequence needs to be equivalent in terms of priority
to the definition of, say, a catastrophic Reputation & Image consequence.

Refer to Appendix III for examples of Consequence Tables

Hints:

- Be aware, however, that when applying these scales, each consequence category is assessed on
  its own merit. For example, a catastrophic Reputation and Image consequence does not
  automatically mean it is catastrophic across any or all other consequence categories.

- When establishing the scale, avoid using subjective words such as "significant" when defining
  levels of consequence, as this will lead to ambiguity. Where possible use quantitative measures
  such as "A financial loss of $25,000 - $50,000".

c) Likelihood Rating Table


The other measure of risk is likelihood, and this is also commonly measured on a scale of 1 to 5, with
1 being rare and 5 being almost certain. Likelihood can be considered in two aspects. In one sense,
you can base the scale on how frequently a given consequence will (or is likely to) happen, e.g. more
than twice per year, every year, every three years, etc. Alternatively, you can consider the probability
of something happening in a defined forward timeframe, e.g. in the next five years a consequence is
almost certain or expected to occur in most circumstances. In either case, each level of the scale
should be quantified.

Refer to Appendix III for examples of Likelihood Tables

Hint: The Consequence and Likelihood Tables become part of your agency's common risk language
and reflect the agency's level of risk tolerance. The language used in these tables must be relevant to
your agency, not generic descriptions taken from samples.


3.1.2 Methodology of Assessing Risk


Each risk is first analysed and evaluated in terms of the potential consequences resulting from a particular
risk scenario. Then the consequences of the scenario are rated in terms of how likely the risk is to occur with
the identified consequence. Using the 1 to 5 scales for Consequence and Likelihood this results in a Level of
Risk scale ranging from 1 to 25 (1 being the low consequence/low likelihood risks and 25 being the almost
certain catastrophic risks).

The level of a risk varies as you consider the context of how that risk is being managed. All risks will have
an Inherent Level of Risk: this is defined as the level of risk with no formal controls in place, or the level of
risk in the event of a breakdown of all controls. Some organisations choose to assess and document this
level of risk prior to considering the effectiveness of existing controls. Having information available which
relates to this inherent risk level means that, when considering the adequacy of controls, the inherent or
worst-case scenario is known.

Once the existing controls have been identified, documented and assessed for effectiveness, the Assessed
Level of Risk can be evaluated. This is the Level of Risk with current controls in place.

Should the Assessed Level of Risk be unacceptable, then additional controls or improvements to existing
controls, in the form of Treatments, are put in place. In order to evaluate the cost benefit of these proposed
actions, a Predicted Level of Risk is estimated. This is the predicted Level of Risk after the Treatment Plan
has been implemented.

Finally, once a risk Treatment Plan has been implemented, the risk is once again evaluated and a Residual
Level of Risk is calculated. This is the remaining level of risk exposure and should now be in a range that is
acceptable to the agency.

d) Risk Acceptance Criteria Table


This table defines the agency's risk tolerance, or risk appetite, and gives guidance as to the
acceptability of risk. For a given level of risk, the table defines how that risk is perceived (e.g. low,
moderate, high, or extreme) and may specify the controls rating (i.e. Inadequate, Adequate,
Excellent) that is necessary to accept the risk. The criteria can also define how risks are to be
reported and reviewed, and who is the acceptance decision-maker.

Refer to Appendix III for sample Risk Acceptance Criteria Tables.

Hint: Once the tables are established, run through a couple of examples. Do they make sense? How
do the examples fit with your instincts and past experience? These acceptance criteria should be
periodically reviewed to ensure they are still in line with the agency's risk appetite.
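As an added illustration of the scoring method in 3.1.2 and the acceptance criteria above (example code written for this edit, not part of the RiskCover guidelines): it computes Level of Risk = Consequence x Likelihood on the 1-25 scale, carries one constructed risk through its Inherent, Assessed, Predicted and Residual levels, and tests each against an acceptance table. The band thresholds, the minimum controls rating per band, the decision-makers and the intermediate scale labels are assumptions; an agency would substitute its own Appendix III tables.

```python
"""Semi-quantitative risk scoring as described in section 3.1.2 of the
WA Government Risk Management Guidelines (added example, not the
guidelines' own material)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Scale end-points (1 = insignificant/rare, 5 = catastrophic/almost certain)
# come from the guidelines; the intermediate labels are assumed.
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate",
               4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible",
              4: "Likely", 5: "Almost certain"}
CONTROLS = ("Inadequate", "Adequate", "Excellent")  # ordered worst to best

# Constructed Risk Acceptance Criteria table:
# (lowest level, highest level, band, minimum controls rating needed to
#  accept the risk as-is, acceptance decision-maker).  A minimum rating of
# None means the risk cannot be accepted without treatment.
ACCEPTANCE_CRITERIA = [
    (1, 4, "Low", "Inadequate", "Business unit manager"),
    (5, 9, "Moderate", "Adequate", "Divisional manager"),
    (10, 15, "High", "Excellent", "Executive"),
    (16, 25, "Extreme", None, "Chief Executive / Board"),
]


def level_of_risk(consequence: int, likelihood: int) -> int:
    """Level of Risk on the 1-25 scale; both inputs must be on the 1-5 scales."""
    if consequence not in CONSEQUENCE or likelihood not in LIKELIHOOD:
        raise ValueError("consequence and likelihood must each be 1..5")
    return consequence * likelihood


def _criteria_row(level: int) -> tuple:
    for row in ACCEPTANCE_CRITERIA:
        if row[0] <= level <= row[1]:
            return row
    raise ValueError(f"level {level} is outside the 1-25 scale")


def band(level: int) -> str:
    """Map a 1-25 level to its band (Low / Moderate / High / Extreme)."""
    return _criteria_row(level)[2]


def decision_maker(level: int) -> str:
    """Who may accept a risk at this level under the constructed table."""
    return _criteria_row(level)[4]


def is_acceptable(level: int, controls_rating: str) -> bool:
    """Acceptable only if the collective controls rating meets the band minimum."""
    if controls_rating not in CONTROLS:
        raise ValueError(f"unknown controls rating {controls_rating!r}")
    minimum = _criteria_row(level)[3]
    if minimum is None:
        return False
    return CONTROLS.index(controls_rating) >= CONTROLS.index(minimum)


@dataclass
class RiskAssessment:
    """One risk carried through the four levels defined in 3.1.2."""
    description: str
    inherent: Tuple[int, int]            # (consequence, likelihood), no controls
    assessed: Tuple[int, int]            # with current controls in place
    controls_rating: str                 # rating of the collective existing controls
    predicted: Optional[Tuple[int, int]] = None  # estimate after the treatment plan
    residual: Optional[Tuple[int, int]] = None   # re-rated once treatment is in place

    def summary(self) -> Dict[str, object]:
        out: Dict[str, object] = {}
        for stage in ("inherent", "assessed", "predicted", "residual"):
            pair = getattr(self, stage)
            if pair is not None:
                lvl = level_of_risk(*pair)
                out[stage] = (lvl, band(lvl))
        assessed_lvl = level_of_risk(*self.assessed)
        out["acceptable_as_is"] = is_acceptable(assessed_lvl, self.controls_rating)
        out["decision_maker"] = decision_maker(assessed_lvl)
        if self.residual is not None:
            # Residual level should now fall in an acceptable range (3.1.2).
            residual_lvl = level_of_risk(*self.residual)
            out["residual_acceptable"] = is_acceptable(residual_lvl, self.controls_rating)
        return out


def worked_example() -> Dict[str, object]:
    """Constructed scenario: a prolonged outage of an agency payroll system."""
    risk = RiskAssessment(
        description="Payroll system unavailable for more than one pay cycle",
        inherent=(5, 4),          # catastrophic and likely with no controls at all
        assessed=(4, 3),          # backups and a vendor support contract exist
        controls_rating="Adequate",
        predicted=(4, 2),         # estimate after adding a tested off-site failover
        residual=(3, 2),          # re-rated once the failover has been implemented
    )
    return risk.summary()


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

In the scenario the Assessed level of 12 (High) is not acceptable with only Adequate controls, which is what triggers the treatment plan; the Residual level of 6 (Moderate) is.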


3.2 Specific Risk Assessment Context

Once the Risk Management Framework is established, the requirements for a specific risk assessment
exercise can be defined. For instance, you may be embarking on a new strategic planning cycle and need
to integrate the identification, assessment and management of risks as part of your strategic plan.
Alternatively you may be reviewing/developing your business plans and want to identify the risks for your
agency to inform this planning process. For each individual risk assessment exercise, it is important to set
the following:

- The parameters: what is the specific subject of the assessment (e.g. the specific strategy,
  activity, function)?
- Identify the essential stakeholders who need to be involved in the assessment.
- Ensure all participants in the assessment exercise are clear about the purpose of the
  assessment prior to the exercise.

The specific risk assessment context can be categorised as Strategic, Operational, or Project:

Strategic Level
Strategic risks concern the whole of the agency. They are the risks associated with long-term
organisational objectives and the means by which those objectives will be achieved. Strategic risk
assessment is normally conducted at a Board or Executive level and is most effective when
integrated with the strategic planning process.

Operational Level
Operational risks are associated with the development and implementation of operational plans or
the processes, functions or activities of the agency. They are the risks associated with your normal
business functions. Operational risks should be assessed by the parties familiar with the particular
function or service with which the risks are associated.

Project Level
Project risks are associated with specific projects or discrete initiatives. All projects go through a
life cycle, i.e. conception to planning, scoping, contracting, design, construction,
testing/commissioning, hand-over and operation. Project risks exist at every stage, and they need to
be identified and managed to ensure the successful completion of the project. (Refer Appendix VII)

Once the context for a particular risk assessment has been specified, and the particular strategy, activity or
project defined, the next step is to identify the critical success factors (CSFs) and key dependencies
associated with it. This is the basis of the structured approach to identifying risk: anything that has an impact
upon the CSFs constitutes a risk.


A CSF is defined as any essential resource, expertise, input, or other factor that is critical to the success
of that particular strategy, activity or function. The strategy, activity or function defines what it is you
do; the CSF is what is critical to enable you to perform it. CSFs can be outcome focused or input focused.

Hint: There may be more than one CSF per strategy, activity or function, depending on the level at which the
agency wants to capture the risk information.

There is no right or wrong way to identify a CSF. Whether you take an outcome-based or input-based
approach will depend on the focus of the agency's management. The risk information which flows from this
will still capture the important aspects. Using the outcome-based approach simply captures this
information with a direct and obvious connection to the agency's outcomes or deliverables. Some agencies
are outcome focused in that their plans, and the activities to achieve those plans, are directly linked to the
outcomes desired. In this case the risk assessment should also be linked to the outcomes, whether they are
strategic, operational or project outcomes. These outcomes may be clearly stated in the agency's plans. The
risks will then be the things that will prevent you from successfully achieving the desired outcomes.

3.3 Summary

Step 1 of the risk management process is establishing the framework and context, in terms of how the
agency will manage risks (language, criteria and methodology) and the context for each specific risk
assessment. Risk management policies and procedures are established, and specific roles are assigned.
Then a set of tools, known collectively as the Risk Reference Tables, is developed to measure and
evaluate risks and controls. These tables establish a common language to manage risk and define the
agency's risk tolerance. Once the overall agency Framework is established, the context for a specific risk
assessment can be developed. Key strategies, activities or functions are defined, as are the associated
CSFs and dependencies.

For those agencies that are not as outcome focused, or where the activity or project is further distanced from
the outcomes and there is no easily identified link, it may be easier to focus on key dependencies or the
critical inputs required to enable the agency to deliver the identified service, function or project. These inputs
will be the things essential to enabling the service, function or project to be completed, i.e. resources,
budgets, specific equipment or skills.


3.2 Step 2: Risk Identification


3.2.1 What is a Risk?
ISO 31000 defines risk as the effect of uncertainty on objectives. It is measured in terms of consequence
and likelihood. To ensure that all key risks within an organisation are being addressed, a structured,
systematic approach to identifying risks is essential. The identification process considers each strategy,
activity or function, as defined by the context set in Step 1, looks at what is critical to the success of that
strategy, activity or function, and then considers what may go wrong. This is defined as the risk. For
example, looking at a part of an operation that provides advice to clients, one could identify a risk as follows:

Key Activity | Critical Success Factor | Risk
Providing advice to clients | Accuracy of information | Incomplete or inaccurate information provided to clients

Hint: Do not mistake risks for consequences. Injuries, Financial Loss and Reputation Damage are not
risks but consequences of a risk, i.e. if your risk were to eventuate, it could result in injuries, financial loss
and/or reputation damage.

For each risk, you should identify possible causes of the risk event. Each risk may have one or more causal
factors which can either directly or indirectly contribute to the risk event occurring. Identifying the range of
causes will assist in understanding the risk, identify controls, evaluate the adequacy of existing controls and
design effective risk treatments.

3.2.2 Causes of Risk


The causes of a risk are identified to gain a better understanding of the risk and assist in identifying controls.
There are often a number of contributing factors which lead to a risk occurring. There may be both internal
and external causes of a risk. Identified causes assist in the process of identifying controls later on in the
risk management process. A well managed risk will have effective controls for each identified cause. The
absence of controls for identified causes highlights gaps in management of the risk and thus areas for
improvement.

Risk management Guidelines


Copyright of Insurance Commission of WA RiskCover Division

Page 12

Risk management Process

3.2.3 Summary
Step 2 is about identifying your risks in a systematic fashion. The causes of risks need to be identified, so
that existing controls can be appropriately evaluated.

Hint: Identified risks can then be categorised to assist with reporting on risks of a like type. Avoid using
generic risk categories as the context for risk identification, as this can seriously limit the thoroughness of your
risk assessment and can result in key risks being missed.

3.3 Step 3: Risk Assessment - Analysis & Evaluation


In general, agencies already have a broad range of public sector procedures and systems in place that act
as risk controls. As a result, the assessment process used by most State Government agencies takes into
account the effectiveness of these existing controls. Therefore, in this context, risk assessment involves:

- Identifying and evaluating any existing controls
- Analysing the risk in terms of Consequences and Likelihood
- Evaluating the level of risk against pre-defined acceptance criteria.

3.3.1 Existing Controls & Controls Assurance


Controls are the measures that are currently in place, i.e. at the time of the risk assessment, that reduce the
consequences and/or likelihood of the risk.

Hint: It is useful to cross-reference your controls with the identified causes. Are there controls in place for
each potential cause of a risk?

a) Overall Control Rating


All controls are looked at as a whole in terms of their adequacy in managing the risk. The adequacy of the
controls is assessed on a common-sense, qualitative basis. This can be viewed as a reasonableness test:
are you doing what is reasonable under the circumstances to manage, i.e. prevent or minimise, the risk? The
recommended rating scale is as follows:

Excellent: Doing more than what a reasonable person would be expected to do in the circumstances.
Adequate: Doing only what a reasonable person would be expected to do in the circumstances.
Inadequate: Doing less than what a reasonable person would be expected to do in the circumstances.


If it is reasonably foreseeable that a risk may impact on the agency, then agencies should ensure controls
are in place to manage the risk. These controls should be in line with what a reasonable person would do to
avoid the unwanted effects of the risk. To assist in determining what is reasonable, the following should be
considered:

1. the likelihood of the unwanted consequence/s occurring if no action was taken
2. the likely severity of the consequence
3. the availability, suitability and cost (financial and other) associated with implementing the control
4. the overall need to engage in a risk-creating activity
5. the extent of knowledge about the risk, its elimination or mitigation

The above five points should be given equal consideration and guide agencies in implementing controls that
would be expected of a reasonable person.

It is important to remember that the adequacy of controls is considered in terms of doing all things
reasonable to manage a risk, rather than all things possible. If budgets, resources and time were unlimited,
then doing all things possible would be achievable. In reality, however, budgets are capped and resources are
limited.

b) Individual Control Assessment


While controls have been assessed as a group, each control needs to be looked at to ensure those controls
are effective and being used. This is what is commonly referred to as the controls assurance process. It is a
means to confirm the existence and effectiveness of an individual control and in doing so, consideration
should be given to factors such as:

- Is the Control relevant?
- Is the Control documented?
- Is the Control in use?
- Is the Control up to date?
- Is the Control effective?

If an existing control is identified as being ineffective, then the necessary improvements should be
incorporated into a Treatment Action Plan.

The review and sign off of existing controls is an integral part of the management of the risk; responsibility
needs to be assigned to control owners to ensure there is accountability for and ownership of this important
aspect of the risk management process.

Hint: You might not be responsible for the management of all controls, and as such some controls may not
be managed by the risk owner. For example, Human Resources may be responsible for specific policies.
The policy control would then be delegated for assessment to the appropriate and responsible Human
Resources staff member.

3.3.2 Risk Analysis


This is the process of considering the consequences and likelihood of a particular risk scenario to determine
the Level of Risk, using the Risk Reference Tables developed as part of setting the overall organisational
framework.

Refer to Appendix III for sample Risk Reference Tables.

Consequence Rating
A risk that eventuates may impact an agency across a number of different areas, to a greater or lesser
extent. When analysing the consequences of a risk event, an agency needs to consider the level of impact
(1 to 5) in relation to each of the consequence categories defined in the Consequence Rating Table. For
example, a risk may have an impact of 5 for Financial Loss and 4 for Reputation and Image and little or no
impact in the other areas. Both ratings may be recorded, as this demonstrates that your consideration of the
risk has been thorough. When selecting the consequence rating, this must be done taking into account the
existing controls for the particular risk.

Hint: Only select the consequence categories that are relevant to that risk. You do not have to rate every
consequence category for each risk. Some consequences will not be applicable to a specific risk.

Likelihood Rating
This describes how likely it is that a risk will eventuate with the defined consequences. Likelihood can be
defined in terms of probability or frequency, depending on what is most convenient for the agency's
purposes.

Hints:

- When you are rating the likelihood of a risk, ask yourself: "How likely is it for this risk to occur, given the
  existing controls, to the level of consequence identified?"
- Past experience is an important guide to likelihood, but do not fall into the trap of thinking it is the only
  guide. There may be internal or external factors that increase or decrease the likelihood of such an
  event occurring in the future.

Calculating the Level of Risk


The Level of Risk, or Risk Rating, is calculated by multiplying the consequence and likelihood ratings. For
any risk, there may be a number of different consequence/likelihood scenarios. Within each category there
may be multiple scenarios, ranging from "minor but likely" to "catastrophic but rare". It is important to rate
the realistic worst-case scenario, which is the worst-case level of risk considering both
consequences and likelihood. In these instances, it may be appropriate to rate the same consequence
category more than once. Where there are multiple ratings for a risk, the highest combination of
consequence/likelihood is taken as the level of risk.

In the example below, the assessor has considered two different scenarios in relation to Injuries: one with
a potentially catastrophic consequence and the other a moderate consequence. However, because of the
difference in likelihood of these two scenarios, the highest level of risk (9 in this example) relates to the
moderate consequence/moderate likelihood scenario, and as such determines the level of this risk.

Consequence Category | Consequence Rating | Likelihood Rating | Level of Risk | Explanation
Injuries | | | | Multiple deaths very rarely happen.
Injuries | | | | Injuries only requiring medical attention are more common.
Service Interruption | | | | It is unlikely that services could be interrupted for more than three weeks.

Hints:

- For risks that have a rating of 4 or 5 for consequence or likelihood, there is a particular need to focus
  on the overall controls rating for those risks.
- When dealing with risks that result in a Service Interruption, the agency may need to formulate a Business
  Continuity Plan (BCP) to address risks with major and/or catastrophic consequences (irrespective of
  likelihood rating). If you do identify a risk that will interrupt your services, you should determine what would
  be a maximum acceptable outage. That is, how long can you afford to have that service interrupted before
  the consequences become unacceptable? Once implemented, the BCP is a risk control to facilitate the
  provision of critical services in a less than perfect operating environment until operations can be restored to
  normal. Refer to the Western Australian Government Business Continuity Management Guidelines for more
  detail.

3.3.3 Risk Evaluation


Once the Level of Risk has been determined, the next step is to evaluate the risk and see where the risk fits
against the agency's overall risk criteria. An example Risk Acceptance Criteria Table is shown below. The
table gives guidance as to the acceptability of the risk and who is responsible for the acceptance decision
for that risk.


LEVEL OF RISK | CRITERIA FOR MANAGEMENT OF RISK | REPORTING TO | WHO IS RESPONSIBLE
1–3: Low | Acceptable with adequate controls | Annual reporting to Audit & RM Committee | Risk Owner
4–5 (excluding risk with consequence of 4 or 5): Low | With adequate controls | Annual reporting to Audit & RM Committee | Risk Owner
6–9 (excluding risk with consequence of 4 or 5): Moderate | With adequate controls | Quarterly reporting to Audit & RM Committee/Director | Director if not already the Risk Owner
10–14 (including any risk with consequence of 4 or 5 and LOR <15): Significant | Only acceptable with excellent controls | Quarterly reporting to Audit & RM Committee and Executive | Executive Director
15–25: Critical | Only acceptable with excellent controls | Immediate reporting to Executive and Director General | Director General
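The Level of Risk calculation in 3.3.2 (consequence × likelihood, highest scenario wins) and the lookup against the sample Risk Acceptance Criteria Table above can be written down as a small scoring routine. The following is an added illustration and is not part of the RiskCover guidelines or any RiskCover tool. The band boundaries and reporting/decision-maker columns are taken from the sample table; the numeric ratings for the Injuries/Service Interruption scenarios are constructed (the guidelines only state that the highest level is 9), and applying the "consequence of 4 or 5" rule to the scenario that sets the level of risk is an assumption of this example.

```python
"""Level-of-Risk calculation and acceptance-criteria lookup (sections 3.3.2 and 3.3.3).

Added illustration, not RiskCover's own tooling. Band boundaries follow the sample
Risk Acceptance Criteria Table; the scenario ratings below are constructed values.
"""
from dataclasses import dataclass, replace

# Controls rating scale from 3.3.1 a), ordered so that ratings can be compared.
CONTROL_RANK = {"Inadequate": 0, "Adequate": 1, "Excellent": 2}

# One entry per rating band of the sample table:
# (minimum controls rating to accept the risk, reporting requirement, acceptance decision-maker).
ACCEPTANCE_CRITERIA = {
    "Low": ("Adequate", "Annual reporting to Audit & RM Committee", "Risk Owner"),
    "Moderate": ("Adequate", "Quarterly reporting to Audit & RM Committee/Director",
                 "Director if not already the Risk Owner"),
    "Significant": ("Excellent", "Quarterly reporting to Audit & RM Committee and Executive",
                    "Executive Director"),
    "Critical": ("Excellent", "Immediate reporting to Executive and Director General",
                 "Director General"),
}


@dataclass(frozen=True)
class Scenario:
    """One consequence/likelihood pairing for a risk, each rated 1 to 5."""
    category: str
    consequence: int
    likelihood: int
    explanation: str = ""

    def __post_init__(self):
        for axis in ("consequence", "likelihood"):
            if not 1 <= getattr(self, axis) <= 5:
                raise ValueError(f"{axis} must be rated 1 to 5, got {getattr(self, axis)}")

    @property
    def level(self) -> int:
        # Level of Risk = consequence rating x likelihood rating (section 3.3.2).
        return self.consequence * self.likelihood


def realistic_worst_case(scenarios):
    """Return the scenario with the highest consequence/likelihood combination."""
    if not scenarios:
        raise ValueError("a risk needs at least one rated scenario")
    return max(scenarios, key=lambda s: s.level)


def rating_band(level, consequence):
    """Map a Level of Risk to a band using the sample table's boundaries.

    Assumption: the consequence-of-4-or-5 rule is applied to the scenario that
    sets the level (an agency's own table may apply it to the highest consequence rated).
    """
    if level >= 15:
        return "Critical"
    if level >= 10 or consequence >= 4:
        return "Significant"
    if level >= 6:
        return "Moderate"
    return "Low"


def evaluate(scenarios, controls_rating):
    """Assessed Level of Risk plus the acceptance decision for the current controls rating."""
    if controls_rating not in CONTROL_RANK:
        raise ValueError(f"unknown controls rating {controls_rating!r}")
    worst = realistic_worst_case(scenarios)
    band = rating_band(worst.level, worst.consequence)
    needed, reporting, responsible = ACCEPTANCE_CRITERIA[band]
    return {
        "driver": worst,
        "level": worst.level,
        "band": band,
        "controls_rating": controls_rating,
        "acceptable": CONTROL_RANK[controls_rating] >= CONTROL_RANK[needed],
        "reporting": reporting,
        "responsible": responsible,
    }


def predict_after_treatment(scenarios, controls_rating, likelihood_reduction=0,
                            consequence_reduction=0, new_controls_rating=None):
    """Predicted Level of Risk if a treatment lowers ratings and/or lifts the controls rating.
    Simplification: the same reduction is applied to every scenario of the risk."""
    treated = [replace(s, consequence=max(1, s.consequence - consequence_reduction),
                       likelihood=max(1, s.likelihood - likelihood_reduction))
               for s in scenarios]
    return evaluate(treated, new_controls_rating or controls_rating)


# Constructed scenarios mirroring the Injuries example in 3.3.2; ratings are assumed.
RISK_SCENARIOS = [
    Scenario("Injuries", 5, 1, "Multiple deaths very rarely happen."),
    Scenario("Injuries", 3, 3, "Injuries only requiring medical attention are more common."),
    Scenario("Service Interruption", 3, 2,
             "It is unlikely that services could be interrupted for more than three weeks."),
]

if __name__ == "__main__":
    assessed = evaluate(RISK_SCENARIOS, "Adequate")
    d = assessed["driver"]
    print(f"Assessed: level {assessed['level']} ({assessed['band']}), "
          f"driven by {d.category} {d.consequence}x{d.likelihood}, acceptable={assessed['acceptable']}")
    print(f"  {assessed['reporting']}; decision-maker: {assessed['responsible']}")
    predicted = predict_after_treatment(RISK_SCENARIOS, "Adequate", likelihood_reduction=1)
    print(f"Predicted after treatment: level {predicted['level']} ({predicted['band']})")
```

Running the module with the constructed scenarios reproduces the guideline's reasoning: the catastrophic-but-rare Injuries scenario (5 × 1) is outranked by the moderate one (3 × 3 = 9), the risk lands in the Moderate band, and it is acceptable only while the overall controls rating is at least Adequate; a Financial Loss scenario rated 4 × 3 would instead fall into Significant and need Excellent controls before the Risk Owner could accept it.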

3.3.4 Risk Ownership & Risk Decision


Each risk that is identified needs to be allocated a Risk Owner. This is the person responsible for managing
the risk, and is usually the person who is directly responsible for the strategy, activity or function that relates
to the risk. Some of the key responsibilities of the Risk Owner include:

- Sign-off on acceptance of the risk
- Responsibility for the regular review of the risk
- Responsibility for the regular reporting on the risk
- Monitoring of controls
- Monitoring/implementation of any risk treatments

Assigning risk ownership ensures a specific person is responsible and accountable for a particular risk. It is
usually impractical and ineffective for risk ownership to be assigned to a body, such as a business unit or
committee.

Where a risk meets the criteria for acceptance as defined by an agency's Risk Acceptance Criteria Table,
the risk owner is able to accept the risk. Where a risk does not meet the criteria for acceptance,
the risk must be managed by the position identified as having responsibility for that particular level of risk, as
indicated by the Risk Acceptance Criteria Table. Similarly, a risk should be transferred to the appointed
authority for acceptance when it is defined as critical.


3.3.5 Risk Acceptance Decision


Once a risk has been analysed and evaluated, the Risk Owner makes an informed decision to do one of the
following:

- Accept the risk: the opportunity outweighs the risk and the existing controls meet the criteria
  specified in the Risk Acceptance Criteria Table
- Avoid the risk: do not carry on with the activity that is associated with the risk
- Treat the risk: reduce the consequence, likelihood or both and/or improve the controls rating by
  strengthening existing controls or developing new controls, so that the risk can be accepted

The risk decision balances the issues of risk and opportunity. Should an opportunity be passed over
because of the risks associated with it? Should more be done to manage the risk so as not to miss out on
the opportunity? These are questions that the agency needs to address. An organisation cannot progress or
improve without capitalising on opportunities, and opportunities will always have associated risks. The risk
management process allows you to optimise these decisions and demonstrate you are effectively managing
the risks.

Hint: In some circumstances, it may be necessary for an agency to accept a high-level risk. Government
agencies can be the provider of last resort in some instances, or the only provider of specialised services. As
such they may have no option but to continue to provide those services and assume the risk associated with
them. In these circumstances it is important to ensure that the agency, for its own part, is doing all things
reasonable to manage the risk.

3.3.6 Summary
In this step, we have assigned values (risk ratings) to individual risks and made decisions based on those
ratings. We started by evaluating existing controls and subjecting them to an assurance process. Then,
taking those controls into account, ratings were assigned to each risk for consequences, likelihood and
level of risk, based on the measures established in Step 1. The rated risks are then evaluated against the
risk acceptance criteria to determine how to manage the risk. There are three basic choices: accept the risk
as is, accept the risk after treatment, or do not accept the risk. Finally, we discussed the importance of risk
ownership to ensure that the risk is monitored and the controls remain in place.


3.4 Step 4: Risk Treatment


In the previous step, risks were assessed and decisions were made to accept them or not. In practical
terms, risk avoidance, i.e. ceasing the activity that creates the risk, is rarely a practical option. Government
agencies normally have their activities defined by a higher authority, and if there are risks associated with
those activities, a way must be found to manage them.

In some cases, existing controls will be deemed to be adequate and effective, and the risk will be accepted
as it stands. In other instances, the risk will need to be more effectively managed before it can be accepted.
This latter case requires the formulation of risk treatments. Risk treatment involves identifying a range of
options to reduce the consequences and/or likelihood of a risk, or improve the controls rating, evaluating
those options, preparing treatment plans, and implementing them.

3.4.1 Identify, Evaluate and Select Treatment Options


Each unacceptable risk will have a number of treatments. Other than the option of avoiding the risk entirely,
treatment options will do one or more of the following:

- Reduce the consequences of the risk if it eventuates
- Reduce the likelihood of the risk eventuating
- Improve the controls rating to Adequate or Excellent

Hint:

You may see alternative treatment options in other texts, such as "transfer the risk" and "share the risk".
However, the treatment resulting from transferring or sharing the risk will fit in the above categories: they
reduce consequences and/or likelihood.

Managing risk is about doing all things reasonable, not all things possible. To evaluate the treatment options
a number of selection criteria can be applied:

How will the treatment impact the Level of Risk and/or Controls Rating?
For each treatment option, a predicted level of risk and controls rating should be calculated,
considering the impact of adding this option as a new control. Treatment options which reduce the
level of risk to an acceptable level and/or improve the controls rating should be considered.

Cost of implementation versus benefits derived
Selecting appropriate options involves balancing the cost against the benefits derived. An option
may appear to be the best option from a risk reduction perspective, but the cost of implementation
may be prohibitive.

Compatible with the agency's objectives
The options selected need to be compatible with the overall objectives of the agency. Treatments
that are incompatible with existing objectives, culture, or policies are obviously unacceptable, no
matter how effective they might prove.

3.4.2 Prepare & Implement Treatment Plans


The purpose of the treatment action plans is to document how the chosen options will be implemented.
These plans should include the following:

- Proposed actions: What is the selected treatment?
- Resource requirements: What is required to implement the treatment?
- Responsibility: Who has responsibility to implement the treatment, i.e. the Treatment Owner?
- Timing: What are the timeframes for treatment implementation?
- Performance measures: What are the key indicators that will demonstrate the progress of
  implementation and ultimately the effectiveness of the treatment option?
- Reporting and monitoring requirements: Who needs to be informed during and at completion of the
  implementation of the treatment? How will the implementation be monitored?

A treatment becomes a control only when it has been 100% implemented and signed off by the Treatment
Owner. It is then subject to controls assurance and the regular monitoring and review process. Following
the implementation of the treatment options, the level of risk needs to be re-evaluated to determine if the
treatment brings the risk to an acceptable level for the agency. If not, further treatment options may need to
be selected.

3.4.3 Summary
Formulating and implementing Treatment Action Plans is the final step in the risk management process, but
it is only the beginning of fully integrating risk management into your agency. If the process stops once it
becomes a set of documents, it will generate minimal benefit, and the time you spent on Steps 1 to 4 will be
wasted.


3.5 Using Risk Information

Risk management does not end once risks have been identified, assessed and documented. The risk
information generated should be used to inform the agency's strategic and/or operational plans and to guide
budgets or financial statements. Risk information thus becomes part of everyday thinking. How risk
information is extracted and used is facilitated by how risk information is categorised, sorted and reported.

3.5.1 Categorisation of Risk


a) Source of Risk
A useful approach to help identify any common causes of risks across different areas of an organisation
is to categorise the risks by source of risk. This facilitates the reporting and management of those
systemic issues, allowing common causes to be managed with agency-wide controls or treatments
rather than at an area or department level.

Hint: Appropriate and useful risk categories should be determined by each agency as part of setting the
organisational context. These are often linked to the categories of an agency's quality framework.
Examples of categories are:

- Leadership
- Strategy and Planning
- Knowledge and Information
- People
- Customer and Market Focus
- Innovation, Quality and Improvement
- Success and Sustainability

b) Impact Range
Another way to categorise risks is by impact range. The impact range is a classification hierarchy which
indicates how wide the consequences of the risk will reach, within the agency and beyond.

Hint: If the risk were to eventuate, ask yourself: "How wide an impact could it have?" Could the risk
impact a specific division/department, the whole agency, or even the whole of the State? Common
Impact Range descriptors include:

- State-wide
- Agency-wide
- Metro-wide
- Directorate-wide
- Division-wide


Project Risks
Project risks are unique to each project and are identified at various stages of the project life cycle. Risks
evolve through each of these stages, for example from conception and design through to completion and
handover, and it is important that these be captured and monitored to ensure project success. Contracts are
a key component of most projects. Contracts not only represent a formalised agreement between the
principal and contractor; they also include risks identified throughout the project's life cycle. These risks go
towards informing the contract's terms and conditions. Hence it is critical that a thorough risk assessment be
conducted prior to contract formation to ensure that, where appropriate, risks are managed within the contract.

3.5.2 Using Project Risk Information


Project risks are those issues which will affect the successful delivery of the project, specifically its cost,
timeliness and deliverables. It is important to integrate risk thinking into the project planning as the risk
information can provide ideal checklists of what needs to be done to achieve a successful project and when
it should be done.

The early identification of the critical information will inform project planning and management, including the
formulation of any contracts required for delivery of specific services or elements of the project. The terms
and conditions specified in the contract should be reflective of the risk sharing decisions.


Monitor and Review

4. MONITOR AND REVIEW


As with communication and consultation, monitoring and review is an ongoing part of risk management that
is integral to every step of the process. It is also the part of risk management that is most often given
inadequate focus, and as a result the risk management programs of many agencies become irrelevant and
ineffective over time. Monitoring and review ensures that the important information generated by the risk
management process is captured, used, and maintained.

Refer to Appendix IV for a sample risk register.

Monitoring and review are related processes, but the distinctions between them are important in the context
of risk management:

- Monitoring is an ongoing process of routine surveillance of both internal and external
  environments.
- Review is a more periodic process that looks at the current status or situation, and usually has a
  specific focus.

Monitoring and review should be designed to detect both gradual and sudden change. Continuous
monitoring is most likely to detect a dramatic change in a timely fashion, whereas periodic review of a
particular aspect of the risk process is more oriented towards detecting trends and incremental change.

4.1 Focus Areas


Monitor and review procedures are focused on two principal areas of risk management.

The first area relates to issues specific to a particular risk assessment, which would cover the following:

- Context: the risk assessment context was established from a number of facts and
  deductions. For instance, the operational environment, agency structure, stakeholder expectations,
  statutory requirements, economic conditions and political environment are all based on perceptions
  at the time. The monitoring and review process should detect if any of these underlying assumptions
  have changed, or if new factors have emerged that impact upon the context of the particular risk
  assessment.

- Risks & Controls: numerous factors can cause the likelihood and consequences of risks, or the
  actual nature of the risks themselves, to change. The controls for risks can also become less
  effective or irrelevant. Monitoring by the risk owner and others will ensure the timely detection of
  these changes so that appropriate action can be taken.


- Treatments: risk treatments need to be monitored and reviewed to ensure they are on course to
  be fully and correctly implemented. In some cases, treatments need to be adapted or strengthened
  because the risk they are designed to address has changed; in other instances, resources can be
  saved by discontinuing irrelevant treatments.

The second area for monitor and review is in the application of the risk management process across the
entire agency, with specific attention to the following:

Consistent application of the risk management process across the agency

Incorporation of the risk management process into Strategic, Operational and Project planning

Adoption of risk management practices and procedures by staff at all levels

4.2 Risk Management Performance Measures


To be able to effectively monitor and review the management of risk within an agency, appropriate
performance indicators need to be developed. These may be strategically or operationally focused. Higher
level organisational performance measures should be used to judge the performance of risk management
within the agency. To ensure there is congruency between the risk management process and organisational
performance measures, risk management should be linked into strategic plans, budgeting cycles and other
all-encompassing documentation within the agency. At an operational level both outcome and process
measures should be used as benchmarks. Outcome based performance indicators (PIs) include claim
reports and are relatively accurate and sensitive. Process based PIs measure activities and processes as
they occur and thus provide more timely, if less precise, information about changes. An example of an
outcome based PI is a performance report.

4.3 Roles and Responsibilities


The monitoring and review of an agency's risks is an integral part of all core business functions, and it
should be seen and treated as such.

The monitoring and review of the risk specific contexts, risks, controls and treatments is primarily the
responsibility of Risk, Control and Treatment Owners and should be integrated into the existing reporting
lines and forums of the agency.

The monitoring and review of the application of the agency's Risk Management Policy and Procedures
should be integrated into the role of Senior Management, who should then ensure that the process is
effective in delivering the desired outcomes. Internal and external audit may also play an important part in
verifying application of the risk management process.

Risk management should be fully incorporated into the operational and management processes at every
level of the organisation.

A final comment with regard to monitoring and review is the important role it plays in good corporate
governance. All government agencies face increasing requirements for sound and transparent decision
making and prudent allocation of resources. The monitoring and review process is pivotal in fulfilling these
requirements. A structured risk management process provides a means for Senior Executives and Directors
to stay informed about the risks associated with their agency's activities and to ensure appropriate
measures are in place to address those risks. It contributes transparency and objectivity to decision making,
and it provides an audit trail to demonstrate how those accountable officers have fulfilled their obligations to
provide good governance.


5. RISK MANAGEMENT IMPLEMENTATION


The key steps in implementing a risk management process within an agency are summarised below.

The risk management process will:

Consider risks at all levels of the agency's operations (strategic, operational and project);

Integrate with business planning objectives, decision making and other elements of the
agency's management framework;

Involve the whole organisation, from the board to senior management and employees.

The main principles underpinning effective risk management are:

Senior management commitment to a formal, documented and fully integrated risk management
process;

Use of common risk language;

Clearly defined responsibility & accountability for functions, activities and associated risks;

A process for identification and management of risk which is fully integrated with existing
management processes including business planning, budgeting and reporting processes;

Risk management is reinforced through training and induction;

Outcomes are monitored through the involvement of Senior Management and establishment of
support functions and champions.

1. Executive Awareness and Commitment


This involves the development of an organisational risk management philosophy and awareness of risk
at senior levels and includes the nomination of an Executive Sponsor who will act as a champion of the
process, and a Risk management Co-ordinator who will assist the sponsor by facilitating the process.

2. Development of the Risk management Framework


The risk management framework defines the context for managing risk within an agency as discussed in
Step 1. It includes:

Risk management Policy - Develop a Risk Management Policy.

Refer to Appendix II for sample Policy document.

Risk management Procedures - Provide direction and application of the risk management
process for the agency.


Risk Reference Tables - Use of the Risk Reference Tables is critical to provide a uniform
measuring standard for risk and the means to aggregate and prioritise risks across the agency
as a whole. Due to its criticality, it is imperative that there is Senior Executive input during their
creation and their approval for use within the agency.

Refer to Appendix III for sample Risk Reference Tables

Risk Register Tool - Agencies need to determine how to capture and report on the risk
information captured through this process.

Refer to the RiskCover website www.riskcover.wa.gov.au for latest information regarding the
RiskBase Web Application Tool

3. Communication / Education
A program of education and communication needs to be developed for the agency. This is typically
managed by the Executive and Management who form the Risk Management Committee. They are
charged with:

dissemination of the policy and procedures

raising awareness about managing risks

delivering education sessions on the specifics of the process

a performance management process

a process for recognition, rewards and sanctions.

4. Managing Risks at the Strategic Level

Risk Identification
Some aspects of the strategic planning process where risks can be easily and readily identified
include:

A Strategic Performance Review - looking at what has gone wrong in previous terms

A Stakeholder Analysis - looking at the risks of not meeting stakeholder expectations

External and Internal Environmental Analysis - those external factors affecting the agency

SWOT Analysis - looking at both the internal and external environmental factors

Strategy Formulation - using risk information to inform the process of developing strategies

Strategy Implementation - looking at those risks which will impact on the successful
implementation of the chosen strategies

5. Managing Risks at the Business Unit Level


Business Unit Directors/Managers need to agree on a program for identifying and evaluating risks
associated with the functions performed within their Business Unit/s. At this level they should be looking
at the risks associated with their Business Unit's operational plan and the functions they perform.


The reporting on risks and management of the risks should be integrated into the Business Units'
existing reporting forums and timeframes.

6. Monitor and Review

Develop indicators to measure the performance of the risk management process.

Risk reporting - establish the process for business units and project teams to report on their risks
and progress of treatments in response to Executives' and Managers' need for risk information.

Link incident and accident reporting mechanisms to the risk management process.

Risk auditing - develop links to the internal audit process to ensure that the risk management
process is efficient and effective in meeting the objectives set out in the Policy and that key
organisational risks are being managed.

Refer to Appendix V for a sample Implementation Schedule.

Appendix I
Glossary


Business Continuity Management (BCM)


Business Continuity Management is a discipline that prepares an organisation for the unexpected. It is a
management process that provides the framework for building resilience to business and service interruption
risks, responding in a timely and effective manner to ensure continuity of critical business activities, and
ensuring the long term viability of the organisation following a disruptive event.

Business Continuity Plan (BCP)


The principal output of the BCM process. A BCP is, in effect, a treatment plan for certain risks the
consequences of which could disrupt core functions. The plan outlines the actions to be taken and
resources to be used before, during and after a disruptive event to ensure the timely resumption of critical
business activities and long term recovery of the organisation.

Cause (or Trigger)


The factors, either root or contributory, that may give rise to a risk event. A risk can have multiple causes.

Communication and Consultation


Continual and interactive processes that an organisation conducts to provide, share or obtain information
and to engage in dialogue with stakeholders and others regarding the management of risk. (Note: The
information can relate to the existence, nature, form, likelihood, severity, evaluation, acceptability, treatment
or other aspects of the management of risk; consultation is a two-way process of information communication
between an organisation and its stakeholders or others on an issue prior to making a decision or
determining a direction on a particular issue. Consultation is a process which impacts on a decision through
influence rather than power, and an input to decision making, not joint decision making.)

Consequence
The impact or outcome of a risk eventuating. A risk can have multiple consequences and can be expressed
qualitatively or quantitatively.

Consequence Categories
These are key impact areas which, if affected as a result of a particular risk event, could have a significant
impact on the ability of an Agency to deliver its outcomes. Consequence Categories are agency specific,
and should reflect the Agency's economic, social and environmental responsibilities.

Control
A procedure, system, activity or process that reduces the likelihood and/or consequences of a risk. A risk
may have more than one control, and a control may address more than one risk.


Controls Rating
A qualitative, common-sense measure of the adequacy of controls in addressing a risk.

Controls Assurance
The process whereby Control Ratings are verified through a series of questions regarding their relevance
and effectiveness.

Critical Success Factor (CSF)


A factor which is essential for the successful performance of a Key Activity.

Impact Range
A measurement of how widespread the consequences of a risk may be. This measurement can assist in
the assessment of controls and the formulation of treatments.

Implementation Plan
A plan created to establish how the risk management process is to be implemented into an organisation.

Key Activity
Any high level activity or function that is instrumental in an agency delivering required outcomes or
performing its mission.

Key Dependency
Inputs which are essential to enable the delivery of a service, function or project, e.g. resources, specific
data, specific equipment or knowledge.

Likelihood
A measure of how likely it is that a certain consequence will eventuate, ranging from rare to almost certain.

Monitor
An ongoing process of surveillance of the internal and external environments to ensure that risks continue to
be effectively and appropriately managed.

Operational (Context)
Deals with operational risks: those risks associated with normal, ongoing operations and activities.


Performance Indicators (PIs)


Clear, simple measures of performance over time used in the monitor and review process. PIs can measure
either processes or outcomes.

Project (Context)
Deals with Project Risks: those risks associated with defined projects and other discrete undertakings.

Residual Risk
Risk remaining after risk treatment.

Review
Periodic assessment of a specific aspect of the risk management process or a particular group of risks to
determine if there have been gradual changes over time and ensure they achieve established objectives
(Note: Review can be applied to a risk management framework, risk management process, risk or control).

Risk (or Risk Event)


(from ISO 31000:2009) effect of uncertainty on objectives

NOTE 1: An effect is a deviation from the expected - positive and/or negative.

NOTE 2: Objectives can have different aspects (such as financial, health and safety, and
environmental goals) and can apply at different levels (such as strategic, organization-wide,
project, product and process).

NOTE 3: Risk is often characterized by reference to potential events and consequences, or a
combination of these.

NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event
(including changes in the circumstances) and the associated likelihood of occurrence.

NOTE 5: Uncertainty is the state, even partial, of deficiency of information related to, understanding
or knowledge of an event, its consequence, or likelihood.

Risk Acceptance Criteria


Agency-specific references formulated in Step 1 that delineate under what conditions risks of a certain level
can be accepted. The higher the risk rating, the higher the standard of controls, monitoring, and ownership
required. Risk criteria are based on organisational objectives, and external and internal environments, and
can be derived from standards, laws, policies and other requirements.

Risk Analysis
A process that assigns a risk rating to each risk by evaluating the effectiveness of existing controls and
assigning values for Consequences and Likelihood for various scenarios.


Risk Assessment
Step 3 of the risk management process, which involves assigning values (Risk Ratings) to individual risks
and deciding how to manage them (risk evaluation).

Risk Categories
Categorisation of risks within the agency by type, often based on source of risk. This helps identify common
risks in different functional areas.

Risk Decision
The decision made after Risk Evaluation, balancing risk and reward.

Risk Evaluation
Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its
magnitude is acceptable or tolerable.

Risk Identification
Step 2 of the Risk management Process, which uses Critical Success Factors and Key Dependencies to
identify risks.

A process of finding, recognising and describing risks relating to CSF and Key Dependencies. The
identification of risk includes the identification of risk source, events, their causes and their potential
consequences. Risk identification can involve historical data, theoretical analysis, informed and expert
opinions, and stakeholders' needs.

Risk Management
The practice of systematically identifying, understanding, and managing the risks encountered by an
organisation.

Risk Management Framework


Set of components that provide the foundations and organisational arrangements for designing,
implementing, monitoring, reviewing and continually improving risk management throughout the
organisation. The Framework includes the policy, objectives, mandate, accountabilities, resources,
processes, activities and commitment to managing risk. The Risk Management Framework is embedded
within the organisation's overall strategic and operational policies and practices.

Risk management Policy


Statement of the overall intentions and direction of an organisation related to risk management.


Risk Management Process


Systematic application of management policies, procedures and practices to the activities of communicating,
consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and
reviewing risk.

Risk Owner
The person with the accountability and authority, specifically assigned in Step 3 to manage the risk,
including monitoring the risk, its controls and any treatments that are implemented.

Risk Profile
A description of any set of risks. The set of risks can contain those that relate to the whole organisation, part
of the organisation, or as otherwise defined.

Risk Rating (or Level of Risk)


The value assigned to the risk which represents the highest product of Consequence and Likelihood.

Risk Reference Tables


Collective term for the various risk measurement and evaluation tools formulated in Step 1.

Risk Tolerance (or Risk Appetite)


The degree to which an organization is willing to accept risk in order to achieve its objectives. Risk tolerance is a
product of mission, culture, policy, and other factors that determine what an agency is and how it goes about
its business.

Stakeholder
Person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or
activity. There are internal (e.g. employees) and external (e.g. community groups) stakeholders.

Strategic (Context)
Deals with strategic risks: risks which concern the whole agency and are associated with long term
organizational objectives. Strategic risk management is most effective when conducted as an integral part of
the strategic planning process.

Treatment
A measure that is designed and implemented to further reduce the consequences and/or likelihood of a risk,
or improves the overall controls rating. Once a treatment is fully implemented and effective (in place), it
becomes a control.

Treatment Action Plan (TAP)


The plan formulated for the selected treatments in Step 4 to ensure they are fully and properly implemented.
TAPs should identify owners, proposed actions, resource requirements, schedule and predicted effect on
the risk.


Appendix II
Sample Risk Management Policy


SAMPLE: AGENCY NAME

Risk Management Policy


It is the policy of the agency to achieve Best Practice in the management of all risks that threaten to
adversely impact the agency, its customers, people, assets, functions, objectives, operations or members of
the public.

Risk management will form part of strategic, operational and line management responsibilities and be
integrated into the Strategic and Business Planning processes. In respect of a special risk, responsibility may
be assigned to a nominated officer of the agency, or a Committee Chairman, as determined by the need.

There will be an Executive Risk management Committee to determine and communicate Policy, Objectives,
Procedures and Guidelines and to direct and monitor implementation, practice and performance throughout
the agency.

Performance will be measured by:

implementation and documentation of risk management,

identification of risks and successful treatment in accordance with procedures and guidelines,

mitigation and control of any losses,

reduction in the costs of risks, and

achievement of Best Practice.

Consultants may be retained from time to time to advise and assist in the risk management process, or management
of specific risks or categories of risk.

Every employee of the agency is recognised as having a role in risk management, from vigilance in the
identification of risks through to their treatment, and shall be invited and encouraged to participate in that process.


Objectives

To ensure Risk management is adopted throughout the agency as a prudent management practice.

To ensure that all employees are made aware of the need to manage risk and to promote a culture of
participation in that process.

To protect the agency from adverse incidents, to reduce its exposures to loss and to mitigate and control
loss should it occur.

To ensure the ongoing, unimpeded capacity of the agency to fulfil its mission, perform its key functions,
meet its objectives and serve its customers.

To reduce the costs of risk to both the agency and the Western Australian State Government.

To adhere to Australian Risk management Standards and comply with the Public Sector Commissioner's
Circular 2009/19.


Appendix III
Sample Risk Reference Tables


Sample 1

EXISTING CONTROLS

LEVEL - FORESEEABLE DESCRIPTOR

Excellent - More than what a reasonable person would be expected to do in the circumstances.

Adequate - Only what a reasonable person would be expected to do in the circumstances.

Inadequate - Less than what a reasonable person would be expected to do in the circumstances.

QUALITATIVE MEASURES OF CONSEQUENCE

LEVEL / RANK: Insignificant
Interruption to services: All agency activity stopped for less than 2 hours
Social/Community: Low localised event with no broader impacts
Injuries: Minor incident / near miss report but no immediate signs of injury
Reputation & Image: Individual tenant/ contractor/ client complaint. Issue rectified at local level
Financial loss: Revenue/cost impact 0-2% of operational budget
Operational efficiency: Impact absorbed through routine operations

LEVEL / RANK: Minor
Interruption to services: All agency activity stopped for 2 - 4 hours
Social/Community: Minor delay impacting on ability to meet social / community expectations
Injuries: Injury or illness requiring first aid only
Reputation & Image: Negative media article. Low local exposure. Tenant/ client/ contractor complaint handled at Line Manager level
Financial loss: Revenue/cost impact 2-5% of operational budget
Operational efficiency: Minor delays in achieving objectives. Majority of objectives remain on track.

LEVEL / RANK: Moderate
Interruption to services: All agency activity stopped for 4 hours - 1 day
Social/Community: Community backlash, social and community rejection
Injuries: Medical treatment necessary/ Insurance claim/ rehabilitation programme/ lost time injury or illness.
Reputation & Image: Some negative media coverage or industry criticism. Tenants/ clients/ contractors make formal complaints. General Manager/Director involved.
Financial loss: Revenue/cost impact 5-10% of operational budget
Operational efficiency: Management effort required to redirect resources to avoid delays in achieving strategic intents. Administration of the program/ project/ activity could be subject to significant review or change

LEVEL / RANK: Major
Interruption to services: All agency activity stopped for 1 - 3 days
Social/Community: Long delays in service delivery lead to Statewide impacts socially, economically and financially. Emerging environment and/or health issues.
Injuries: Substantial damages / life threatening injury or illness
Reputation & Image: Extensive public criticism. Statewide media exposure. Public embarrassment. Loss of credibility. Director General involvement.
Financial loss: Revenue/cost impact of 10-20% of operational budget
Operational efficiency: Significantly reduced ability to achieve objectives / key deliverables. Continued function of the program/ project/ activity would be threatened.

LEVEL / RANK: Catastrophic
Interruption to services: All agency activity stopped for more than 3 days
Social/Community: Widespread social problems causing multiple impacts. Serious long term environmental and health issues.
Injuries: Loss of life. Permanent disabilities
Reputation & Image: Sustained State and National media reporting. Very high multiple impacts across Government. Minister involved. Government censure. Third party actions
Financial loss: Revenue/cost impact more than 20% of operational budget.
Operational efficiency: Failure to achieve one or more key deliverables resulting in major flow on effects for external stakeholders and other public sector agencies.


QUALITATIVE MEASURES OF LIKELIHOOD

LEVEL - EXAMPLE DETAIL DESCRIPTION (DESCRIPTOR / FREQUENCY)

Rare - The event may occur only in exceptional circumstances. Frequency: less than once in 5 years

Unlikely - The event could occur at some time. Frequency: at least once in 5 years

Moderate - The event should occur at some time. Frequency: at least once in 3 years

Likely - The event will probably occur in most circumstances. Frequency: at least once per year

Almost certain - The event is expected to occur in most circumstances. Frequency: more than once per year

RISK ACCEPTANCE CRITERIA TABLE

LEVEL OF RISK: 1 - 3 (Low)
Criteria for management of risk: Only acceptable with adequate controls.
Who is responsible: Risk Owner

LEVEL OF RISK: 4 - 5 (Minor)
Criteria for management of risk: Only acceptable with adequate controls.
Who is responsible: Risk Owner

LEVEL OF RISK: 6 - 11 (Significant)
Criteria for management of risk: Only acceptable with Excellent controls.
Who is responsible: CEO / Executive Group

LEVEL OF RISK: 12 - 25 (Extreme)
Criteria for management of risk: Only acceptable with Excellent controls.
Who is responsible: CEO / Executive Group

RISK ASSESSMENT CRITERIA TABLE

Risk Rating = Consequence x Likelihood (the highest product; see Glossary)
Likelihood: Rare (1), Unlikely (2), Moderate (3), Likely (4), Almost Certain (5)

Consequence          Rare  Unlikely  Moderate  Likely  Almost Certain
Insignificant (1)       1       2         3        4          5
Minor (2)               2       4         6        8         10
Moderate (3)            3       6         9       12         15
Major (4)               4       8        12       16         20
Catastrophic (5)        5      10        15       20         25

Approved as at ..../..../....

By: .......................................

Title: ..................................................

Sample 2

EXISTING CONTROLS

LEVEL - FORESEEABLE DESCRIPTOR

Excellent - More than what a reasonable person would be expected to do in the circumstances.

Adequate - Only what a reasonable person would be expected to do in the circumstances.

Inadequate - Less than what a reasonable person would be expected to do in the circumstances.

QUALITATIVE MEASURES OF CONSEQUENCE

LEVEL / RANK: Insignificant
Financial: < $10 000.
Interruption to services: less than 1 hour
Reputation & Image: Unsubstantiated, low impact or no news item.
Injuries: Minor injuries not requiring First Aid, or near miss. No psychological stress
Stakeholder: Insignificant weakening of a single stakeholder relationship and little impact to staff morale
Compliance impact: No noticeable regulatory or statutory impact

LEVEL / RANK: Minor
Financial: $10 000 - $50 000.
Interruption to services: 1 hour to 1 day.
Reputation & Image: Substantiated, low impact, low news profile.
Injuries: First aid treatment and/or one off counselling
Stakeholder: Damage to 3 stakeholder relationships and temporary change to staff morale, able to be rectified in the short term
Compliance impact: Some temporary non compliances

LEVEL / RANK: Moderate
Financial: $50 000 - $500 000.
Interruption to services: 1 day to 1 week.
Reputation & Image: Substantiated, public embarrassment, moderate impact, moderate news profile, Ministerial involvement.
Injuries: Medical treatment required and/or psychological intervention/treatment required
Stakeholder: Weakened relationship with a significant number of stakeholders and some reduction in staff morale, requiring specific measures to rectify
Compliance impact: Short term non compliance but with significant regulatory requirements imposed

LEVEL / RANK: Major
Financial: $500 000 - $1.5 m.
Interruption to services: 1 week to 1 month.
Reputation & Image: Substantiated, public embarrassment, high impact, high news profile, Third Party actions, public Ministerial involvement.
Injuries: Serious or extensive injuries and/or significant and long term psychological stress
Stakeholder: Damage done to the majority of existing stakeholder relationships and significant and widespread staff absences
Compliance impact: Non compliance results in termination of service or imposed penalties

LEVEL / RANK: Catastrophic
Financial: > $1.5m.
Interruption to services: More than 1 month
Reputation & Image: Substantiated, public embarrassment, very high multiple impacts, high widespread multiple news profile, Third Party actions, public Ministerial involvement, Government censure.
Injuries: Death or severe permanent physical and/or psychological disablements.
Stakeholder: Total loss of credibility with all stakeholders and loss of key staff
Compliance impact: Non compliance results in criminal charges or loss of required accreditation

QUALITATIVE MEASURES OF LIKELIHOOD

LEVEL - EXAMPLE DETAIL DESCRIPTION (DESCRIPTOR / FREQUENCY)

Rare - The event may occur only in exceptional circumstances. Frequency: less than once in 5 years

Unlikely - The event could occur at some time. Frequency: at least once in 5 years

Moderate - The event should occur at some time. Frequency: at least once in 3 years

Likely - The event will probably occur in most circumstances. Frequency: at least once per year

Almost certain - The event is expected to occur in most circumstances. Frequency: more than once per year

RISK ACCEPTANCE CRITERIA TABLE

LEVEL OF RISK: 1 - 3 (Acceptable)
Criteria for management of risk: With adequate controls
Reporting to: Annual reporting to Audit & RM Committee
Who is responsible: Risk Owner

LEVEL OF RISK: 4 - 5 (Low) (excluding risk with consequence of 4 or 5)
Criteria for management of risk: With adequate controls
Reporting to: Annual reporting to Audit & RM Committee
Who is responsible: Risk Owner

LEVEL OF RISK: 6 - 9 (Moderate) (excluding risk with consequence of 4 or 5)
Criteria for management of risk: With adequate controls
Reporting to: Quarterly Reporting to Audit & RM Committee/Director
Who is responsible: Director if not already the Risk Owner

LEVEL OF RISK: 10 - 14 (Significant) (including any risk with consequence of 4 or 5 and LOR <15)
Criteria for management of risk: Only acceptable with excellent controls
Reporting to: Quarterly Reporting to Audit & RM Committee and Executive
Who is responsible: Executive Director

LEVEL OF RISK: 15 - 25 (Critical)
Criteria for management of risk: Only acceptable with excellent controls
Reporting to: Immediate Reporting to Executive and Director General
Who is responsible: Director General

(Note: Any risk with a consequence rating of 4 or 5 can only be accepted by the Executive Director with Excellent Controls)

RISK ASSESSMENT CRITERIA TABLE

Risk Rating = Consequence x Likelihood (the highest product; see Glossary)
Likelihood: Rare (1), Unlikely (2), Moderate (3), Likely (4), Almost Certain (5)

Consequence          Rare  Unlikely  Moderate  Likely  Almost Certain
Insignificant (1)       1       2         3        4          5
Minor (2)               2       4         6        8         10
Moderate (3)            3       6         9       12         15
Major (4)               4       8        12       16         20
Catastrophic (5)        5      10        15       20         25

(Note: Any risk with a consequence rating of 4 or 5 can only be accepted by the Executive Director with Excellent Controls)
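A worked example of how the Sample 2 tables combine: the rating is the highest product of Consequence and Likelihood across the categories scored (Glossary), the band comes from the Risk Acceptance Criteria table including its consequence-4/5 note, and the result says whether the Existing Controls level is enough to accept the risk. This is an added illustration, not the guidelines' or RiskCover's RiskBase code; the function names, the Decision record and the constructed outage scenario are assumptions.

```python
"""Risk rating and acceptance decision following the Sample 2 Risk Reference Tables.

Added worked example; not RiskCover's RiskBase tool or any agency's code.
Scales, bands, reporting lines and the consequence-4/5 note are taken from the
Sample 2 tables; the function names and the Decision record are assumptions.
"""
from dataclasses import dataclass

# Sample 2 scales (1 = Insignificant/Rare ... 5 = Catastrophic/Almost certain)
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Almost certain": 5}
# Existing Controls levels, ranked so a higher level satisfies a lower requirement
CONTROLS_RANK = {"Inadequate": 0, "Adequate": 1, "Excellent": 2}

# Sample 2 Risk Acceptance Criteria: band -> (controls needed, reporting, who is responsible)
CRITERIA = {
    "Acceptable": ("Adequate", "Annual reporting to Audit & RM Committee", "Risk Owner"),
    "Low": ("Adequate", "Annual reporting to Audit & RM Committee", "Risk Owner"),
    "Moderate": ("Adequate", "Quarterly reporting to Audit & RM Committee/Director",
                 "Director if not already the Risk Owner"),
    "Significant": ("Excellent", "Quarterly reporting to Audit & RM Committee and Executive",
                    "Executive Director"),
    "Critical": ("Excellent", "Immediate reporting to Executive and Director General",
                 "Director General"),
}


@dataclass(frozen=True)
class Decision:
    rating: int             # Level of Risk (LOR), 1..25
    level: str              # band from the Risk Acceptance Criteria table
    required_controls: str  # minimum Existing Controls level for the band
    reporting: str
    responsible: str
    acceptable: bool        # True only if existing controls meet the band's requirement


def risk_rating(consequences: dict[str, str], likelihood: str) -> tuple[int, int]:
    """Return (rating, highest consequence rank).

    `consequences` maps a consequence category (e.g. "Financial") to its Sample 2
    descriptor. Per the Glossary, the Risk Rating is the highest product of
    Consequence and Likelihood across the categories scored.
    """
    if not consequences:
        raise ValueError("at least one consequence category must be scored")
    like = LIKELIHOOD[likelihood]
    worst = max(CONSEQUENCE[c] for c in consequences.values())
    return worst * like, worst


def acceptance_level(rating: int, worst_consequence: int) -> str:
    """Map a rating to its Sample 2 band, applying the consequence-4/5 rule."""
    if not 1 <= rating <= 25:
        raise ValueError(f"rating {rating} is outside the 5x5 matrix")
    if rating >= 15:
        return "Critical"
    # Table note: a consequence of 4 or 5 is excluded from the Low and Moderate
    # bands and counts as Significant whenever LOR < 15.
    if worst_consequence >= 4 or rating >= 10:
        return "Significant"
    if rating >= 6:
        return "Moderate"
    if rating >= 4:
        return "Low"
    return "Acceptable"


def decide(consequences: dict[str, str], likelihood: str, existing_controls: str) -> Decision:
    """Rate a risk and say whether it can be accepted with the controls in place."""
    rating, worst = risk_rating(consequences, likelihood)
    level = acceptance_level(rating, worst)
    needed, reporting, responsible = CRITERIA[level]
    ok = CONTROLS_RANK[existing_controls] >= CONTROLS_RANK[needed]
    return Decision(rating, level, needed, reporting, responsible, ok)


if __name__ == "__main__":
    # Constructed illustration: a data-centre outage risk scored against three categories.
    outage = {"Interruption to services": "Moderate",   # 1 day to 1 week
              "Financial": "Minor",                     # $10 000 - $50 000
              "Compliance impact": "Major"}             # termination of service or penalties
    d = decide(outage, "Unlikely", "Adequate")
    # Rating 4 x 2 = 8 would sit in the Moderate band, but the Major consequence makes
    # it Significant, so Adequate controls are not enough and the Executive Director
    # must accept it.
    print(d)
```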

Approved as at ..../..../....

By: .......................................

Title: ..................................................

Sample 3

EXISTING CONTROLS

LEVEL - FORESEEABLE DESCRIPTOR - EXAMPLE DETAIL DESCRIPTION

Excellent - More than what a reasonable person would be expected to do in the circumstances.
Controls fully in place and require only ongoing maintenance and monitoring. Protection systems are
being continuously reviewed and procedures are regularly tested.

Adequate - Only what a reasonable person would be expected to do in the circumstances.
Being addressed reasonably. Protection systems are in place and procedures exist for given
circumstances. Periodic review.

Inadequate - Less than what a reasonable person would be expected to do in the circumstances.
Little to no action being taken. No protection systems exist or they have not been reviewed for
some time. No formalised procedures.

QUALITATIVE MEASURES OF CONSEQUENCE

Measures for each LEVEL (RANK 1-5): INJURIES; FINANCIAL LOSS; NATURAL ENVIRONMENT (Water Bodies; Flora & Fauna); HISTORIC; REPUTATION & IMAGE; INTERRUPTION TO CRITICAL SERVICES; OPERATIONAL EFFICIENCY.

Insignificant (rank 1)
  Injuries: Minor injuries not requiring first aid, or near miss.
  Financial loss: Less than $10,000.
  Water bodies: Plant life not affected. No loss of marine life. Water quality temporarily lessened for less than 12 hours. Water levels not affected. Area will regenerate in less than 6 months with minimal interruption or repair.
  Flora & fauna: Insignificant effect on flora. No animals affected. Less than 20ha affected. Will regenerate in less than 6 months with minimal intervention or repair.
  Historic: Minor maintenance; localised, reparable damage affecting items/areas of little significance.
  Reputation & image: Credibility not challenged. Low impact or no news item.
  Interruption to critical services: Less than 2 hours.
  Operational efficiency: Little impact.

Minor (rank 2)
  Injuries: First aid treatment.
  Financial loss: $10,000 to $50,000 of operational budget.
  Water bodies: Less than 10% of water communities affected. Water quality affected for less than 24 hours. Water level rise of 0.5-1m above highest natural level. Minor impact to fish/mammals/sea birds/reptiles. 50-200ha affected. Area will regenerate in 6-18 months with low level of intervention.
  Flora & fauna: Less than 10% of plant or mammal life affected. 20ha-100ha affected. Area will regenerate in 6-18 months with low level of intervention or repair.
  Historic: Limited, reparable damage of items/areas of some significance.
  Reputation & image: Credibility challenged locally by an individual. Minor impact, low news item.
  Interruption to critical services: 2 hours to 4 hours.
  Operational efficiency: Inconvenient delays.

Moderate (rank 3)
  Injuries: Medical treatment required.
  Financial loss: $50,000 to $250,000 of operational budget.
  Water bodies: 10-40% of water communities affected. Water quality affected for 1-3 days. Water level rise of 1-2m above highest natural level. 201-400 hectares affected. Loss of 20-100 fish. Communities will regenerate in 18 months to 5 years with some level of intervention and repair.
  Flora & fauna: 10-40% of plant or mammal life affected. 101ha-200ha affected. Will regenerate in 18 months to 5 years with some level of intervention or repair.
  Historic: Limited, irreparable damage of items/areas of some significance.
  Reputation & image: Public criticism of moderate impact from a number of sources, moderate news profile, Minister involved.
  Interruption to critical services: 4 hours to 1 day.
  Operational efficiency: Delays in deliverables.

Major (rank 4)
  Injuries: Death or severe injury.
  Financial loss: $250,000 to $1m of operational budget.
  Water bodies: 40-75% of water communities affected. Water quality affected for 4-10 days. Water level rise of 2-3m above highest natural level. 401-2000ha affected. Loss of 100-250 fish. Communities will regenerate in 5-10 years with some intervention and repair.
  Flora & fauna: 40%-75% of plant or animal life affected. 201ha-1000ha affected. Will regenerate in 5-10 years with high level of intervention or repair.
  Historic: Localised or limited, irreparable damage of items/areas of considerable or exceptional significance.
  Reputation & image: Public criticism with high impact from a number of sources, widespread, high news profile, Minister and Government required to make public statement.
  Interruption to critical services: 1 day to 3 days.
  Operational efficiency: Non-achievement of major deliverables.

Catastrophic (rank 5)
  Injuries: Multiple deaths or severe injuries.
  Financial loss: More than $1m of operational budget.
  Water bodies: More than 75% of water communities affected. Water quality affected for more than 10 days. Water level rise of >3m above highest natural level. 2001 to 3828ha affected. Loss of >250 fish. Communities may regenerate in more than 10 years with some intervention, or have no regeneration.
  Flora & fauna: >75% of plant or animal life affected. 1001ha-1900ha affected. May regenerate in more than 10 years with considerable/high level of intervention or repair, or have no regeneration.
  Historic: Permanent, widespread, irreparable damage, or serious loss of heritage values.
  Reputation & image: Public criticism from multiple sources, very high impact, international and national multiple media coverage, community groups involved, public Ministerial and Government involvement, Government censure or disclaimer.
  Interruption to critical services: More than 3 days.
  Operational efficiency: Non-achievement of major key objectives.

QUALITATIVE MEASURES OF LIKELIHOOD

LEVEL            DESCRIPTOR (example detail description)                  FREQUENCY
Rare             The event may occur only in exceptional circumstances.    Less than once in 5 years
Unlikely         The event could occur at some time.                       At least once in 5 years
Moderate         The event should occur at some time.                      At least once in 3 years
Likely           The event will probably occur in most circumstances.      At least once per year
Almost certain   The event is expected to occur in most circumstances.     More than once per year


RISK ACCEPTANCE CRITERIA TABLE

Risk Rank   Level of Risk   Criteria for Management of Risk                                                              Who is Responsible
1-5         Low             Acceptable. Requires Adequate controls and semi-annual monitoring.                           Risk Owner
6-9         Moderate        Management Control Required. Requires Adequate controls and quarterly monitoring.            Risk Owner
10-14       Significant     Urgent Management Attention Required. Requires Excellent controls and monthly monitoring.    Director
15-25       High            Requires Excellent controls. Risk Reduction Required.                                        CEO

RISK ASSESSMENT CRITERIA TABLE
(Risk rank = likelihood rating x consequence rating; both ratings run from 1 to 5, so ranks run from 1 to 25)

Consequence (rating)     Likelihood (rating)
                         Rare (1)   Unlikely (2)   Moderate (3)   Likely (4)   Almost Certain (5)
Insignificant (1)           1           2              3             4               5
Minor (2)                   2           4              6             8              10
Moderate (3)                3           6              9            12              15
Major (4)                   4           8             12            16              20
Catastrophic (5)            5          10             15            20              25

Approved as at ..../..../....   By: .......................................   Title: ..................................................

Sample 4

EXISTING CONTROLS

LEVEL        FORESEEABLE DESCRIPTOR
Excellent    More than what a reasonable person would be expected to do in the circumstances.
Adequate     Only what a reasonable person would be expected to do in the circumstances.
Inadequate   Less than what a reasonable person would be expected to do in the circumstances.

QUALITATIVE MEASURES OF CONSEQUENCE

Measures for each LEVEL (RANK 1-5): FINANCIAL (Budget; Funds Under Management); REPUTATION & IMAGE; OPERATIONAL EFFICIENCY; INJURIES; COMPLIANCE.

Insignificant (rank 1)
  Financial, budget: Less than $5,000.
  Financial, funds under management: Less than $500,000.
  Reputation & image: Unsubstantiated, insignificant impact or no news item.
  Operational efficiency: Little impact.
  Injuries: Minor injuries not requiring First Aid, or near miss.
  Compliance: No noticeable regulatory or statutory impact.

Minor (rank 2)
  Financial, budget: $5,000 to $20,000.
  Financial, funds under management: $500,000 to $3M.
  Reputation & image: Substantiated, minor impact, low news profile.
  Operational efficiency: Inconvenient delays.
  Injuries: First aid treatment.
  Compliance: Some temporary non-compliances.

Moderate (rank 3)
  Financial, budget: $20,000 to $100,000.
  Financial, funds under management: $3M to $40M.
  Reputation & image: Substantiated, public embarrassment, moderate impact, moderate news profile, Ministerial involvement.
  Operational efficiency: Delays in major deliverables.
  Injuries: Medical treatment required.
  Compliance: Short term non-compliance but with moderate regulatory requirements imposed.

Major (rank 4)
  Financial, budget: $100,000 to $300,000.
  Financial, funds under management: $40M to $120M.
  Reputation & image: Substantiated, public embarrassment, major impact, major news profile, third party actions, public Ministerial involvement.
  Operational efficiency: Non-achievement of major deliverables.
  Injuries: Serious or extensive injuries.
  Compliance: Non-compliance results in termination of service or imposed penalties.

Catastrophic (rank 5)
  Financial, budget: More than $300,000.
  Financial, funds under management: More than $120M.
  Reputation & image: Substantiated, public embarrassment, multiple impacts, widespread multiple news profile, third party actions, public Ministerial involvement, Government censure.
  Operational efficiency: Non-achievement of major key objectives.
  Injuries: Death or multiple severe permanent disablements.
  Compliance: Non-compliance results in criminal charges or loss of required accreditation.

QUALITATIVE MEASURES OF LIKELIHOOD

LEVEL            DESCRIPTOR (example detail description)                  FREQUENCY
Rare             The event may occur only in exceptional circumstances.    Less than once in 5 years
Unlikely         The event could occur at some time.                       At least once in 5 years
Moderate         The event should occur at some time.                      At least once in 3 years
Likely           The event will probably occur in most circumstances.      Once per year
Almost certain   The event is expected to occur in most circumstances.     More than once per year

RISK ACCEPTANCE CRITERIA TABLE

Risk Rank   Level of Risk   Criteria for Management of Risk                                                                                                                                                   Who is Responsible
1-5         Low             Requires Adequate controls and semi-annual monitoring.                                                                                                                            Risk Owner
6-9         Moderate        Requires Adequate controls before an acceptance decision can be made. Quarterly monitoring.                                                                                       Risk Owner
10-14       Significant     Requires Excellent controls prior to an acceptance decision being made. Monthly monitoring. Urgent Attention Required.                                                            Director
15-25       High            Requires Excellent controls and all Treatment Action Plans to be explored and implemented where possible, prior to an acceptance decision. Continuous Monitoring. Urgent Attention Required.   CEO


RISK ASSESSMENT CRITERIA TABLE
(Risk rank = likelihood rating x consequence rating; both ratings run from 1 to 5, so ranks run from 1 to 25)

Consequence (rating)     Likelihood (rating)
                         Rare (1)   Unlikely (2)   Moderate (3)   Likely (4)   Almost Certain (5)
Insignificant (1)           1           2              3             4               5
Minor (2)                   2           4              6             8              10
Moderate (3)                3           6              9            12              15
Major (4)                   4           8             12            16              20
Catastrophic (5)            5          10             15            20              25

Approved as at ..../..../....   By: .......................................   Title: ..................................................

Sample 5

EXISTING CONTROLS

LEVEL        FORESEEABLE DESCRIPTOR
Excellent    More than what a reasonable person would be expected to do in the circumstances.
Adequate     Only what a reasonable person would be expected to do in the circumstances.
Inadequate   Less than what a reasonable person would be expected to do in the circumstances.

QUALITATIVE MEASURES OF CONSEQUENCE

Measures for each Level (Rating 1-5): Safety of People; Operations; Technical; Economic; Environment; Political & Public; Compliance.

Insignificant (rating 1)
  Safety of people: No real injuries.
  Operations: Some insignificant delays or change to service.
  Technical: Operational - minor rectification required.
  Economic: <$20k loss or damages.
  Environment: Isolated impact area.
  Political & public: Low, unsubstantiated complaints.
  Compliance: Suggested improvements and guidance required for compliance.

Minor (rating 2)
  Safety of people: First aid injury.
  Operations: Some minor delays or some services cancelled.
  Technical: Service restrictions - rectification required.
  Economic: $20k to $99k loss or damages.
  Environment: Contained, minor impact.
  Political & public: Substantiated complaints and lobby group correspondence.
  Compliance: Some non-compliances.

Moderate (rating 3)
  Safety of people: Medical injury.
  Operations: Some moderate delays and some services cancelled.
  Technical: Not operational - minor rectification required before operational.
  Economic: $100k to $999,999 loss or damages.
  Environment: Uncontained impact, able to be rectified in short term.
  Political & public: Complaints and short term drop in patronage. News reports and parliamentary questions.
  Compliance: Many compliance or probity infringements and some processes repeated.

Major (rating 4)
  Safety of people: Death or major injuries.
  Operations: Major delays and most services cancelled.
  Technical: Not operational - extensive rectification required before operational.
  Economic: $1m to $9m loss or damages.
  Environment: Extensive hazardous impact, long term rectification.
  Political & public: Sustained drop in patronage. High profile news reports and political embarrassment.
  Compliance: Non-compliance results in termination of process or imposed penalties.

Catastrophic (rating 5)
  Safety of people: Multiple deaths.
  Operations: All services cancelled.
  Technical: Not operational - cannot be rectified.
  Economic: >$10m loss or damages.
  Environment: Uncontained hazardous impact, residual effect.
  Political & public: Patronage decrease causes cancellation of service. Widespread news reports and major political/government repercussions or change.
  Compliance: Non-compliance results in criminal charges or loss of required accreditation.

QUALITATIVE MEASURES OF LIKELIHOOD

LEVEL            DESCRIPTOR (example detail description)                  FREQUENCY
Rare             The event may occur only in exceptional circumstances.    Less than once in 10 years
Unlikely         The event could occur at some time.                       At least once in 5 years
Moderate         The event should occur at some time.                      At least once in 3 years
Likely           The event will probably occur in most circumstances.      Once per year
Almost certain   The event is expected to occur in most circumstances.     More than once per year

RISK ACCEPTANCE CRITERIA TABLE

Level of Risk: Extreme (rank 15-25)
  Criteria for Management of Risk: Treatment Action Plan Required. Excellent controls required.
  Who is Responsible: Risk is unacceptable - refer to Executive.

Level of Risk: High (rank 10-14)
  Criteria for Management of Risk: Treatment Action Plan Required. Excellent controls required.
  Who is Responsible: Risk is undesirable. Decision on acceptance of risk to be made by the relevant Executive Director.

Level of Risk: Moderate (rank 6-9)
  Criteria for Management of Risk: Risk may be accepted by the relevant Director or Senior Manager, EXCEPT where the Consequence is Catastrophic, in which case a Treatment Action Plan is required.
  Who is Responsible: Decision on acceptance of risk to be made by the relevant Director or Senior Manager, EXCEPT where the Consequence is Catastrophic, in which case the decision on acceptance of risk must be made by the relevant Executive Director.

Level of Risk: Low (rank 1-5)
  Criteria for Management of Risk: Risk is acceptable - manage by routine procedures, EXCEPT where the Consequence is Catastrophic, in which case a Treatment Action Plan is required.
  Who is Responsible: Risk is acceptable - manage by routine procedures, EXCEPT where the Consequence is Catastrophic, in which case the decision on acceptance of risk must be made by the relevant Executive Director.
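As an added worked example (it is not part of the guidelines and not any agency's tool), the following Python encodes the Sample 5 Risk Assessment Criteria Table (rank = likelihood rating x consequence rating) and the Sample 5 Risk Acceptance Criteria Table above, including the Catastrophic-consequence exception on the Low and Moderate rows, and applies them to a constructed risk register presented the way Appendix IV does (all risks identified, sorted by level of risk). The band tuples, the Assessment fields, the function names and the register entries are this example's own assumptions, not values from the guidelines.

```python
"""Score risk-register entries against the Sample 5 reference tables (added example)."""
from dataclasses import dataclass

# Ratings 1-5 from the Qualitative Measures of Likelihood / Consequence tables.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Almost certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
# Existing Controls levels, ordered so they can be compared.
CONTROLS = {"Inadequate": 0, "Adequate": 1, "Excellent": 2}

# Sample 5 Risk Acceptance Criteria Table, one tuple per band (assumed encoding):
# (lowest rank, highest rank, level of risk, who decides acceptance,
#  Treatment Action Plan required, minimum control level the table names or None).
BANDS = (
    (15, 25, "Extreme", "Executive (risk is unacceptable)", True, "Excellent"),
    (10, 14, "High", "Executive Director", True, "Excellent"),
    (6, 9, "Moderate", "Director or Senior Manager", False, None),
    (1, 5, "Low", "Routine procedures", False, None),
)


@dataclass(frozen=True)
class Assessment:
    rank: int
    level: str
    approver: str
    treatment_plan_required: bool
    controls_sufficient: bool
    escalated: bool  # True when the Catastrophic-consequence exception applied


def risk_rank(likelihood: str, consequence: str) -> int:
    """Risk Assessment Criteria Table: rank = likelihood rating x consequence rating (1-25)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def assess(likelihood: str, consequence: str, existing_controls: str) -> Assessment:
    """Apply the Sample 5 acceptance criteria to one risk."""
    rank = risk_rank(likelihood, consequence)
    for low, high, level, approver, tap_required, min_controls in BANDS:
        if low <= rank <= high:
            break
    else:  # unreachable with 1-5 ratings; kept so a bad table edit fails loudly
        raise ValueError(f"rank {rank} is outside every band")

    # EXCEPT clause on the Low and Moderate rows: a Catastrophic consequence
    # always needs a Treatment Action Plan and the Executive Director's decision.
    escalated = consequence == "Catastrophic" and level in ("Low", "Moderate")
    if escalated:
        tap_required, approver = True, "Executive Director"

    controls_ok = min_controls is None or CONTROLS[existing_controls] >= CONTROLS[min_controls]
    return Assessment(rank, level, approver, tap_required, controls_ok, escalated)


def sort_register(entries):
    """Appendix IV order: all risks identified, highest level of risk first, then by id."""
    return sorted(entries, key=lambda e: (-risk_rank(e["likelihood"], e["consequence"]), e["id"]))


# Constructed sample register entries (not taken from the guidelines).
SAMPLE_REGISTER = [
    {"id": "R-01", "risk": "Payroll system outage during pay run",
     "likelihood": "Unlikely", "consequence": "Major", "controls": "Adequate"},
    {"id": "R-02", "risk": "Depot lost to bushfire",
     "likelihood": "Rare", "consequence": "Catastrophic", "controls": "Adequate"},
    {"id": "R-03", "risk": "Minor fleet vehicle damage",
     "likelihood": "Almost certain", "consequence": "Insignificant", "controls": "Adequate"},
    {"id": "R-04", "risk": "Phishing compromise of a finance officer's account",
     "likelihood": "Likely", "consequence": "Major", "controls": "Adequate"},
]

if __name__ == "__main__":
    for entry in sort_register(SAMPLE_REGISTER):
        a = assess(entry["likelihood"], entry["consequence"], entry["controls"])
        notes = []
        if a.treatment_plan_required:
            notes.append("Treatment Action Plan required")
        if not a.controls_sufficient:
            notes.append("existing controls below the level the band requires")
        if a.escalated:
            notes.append("escalated: Catastrophic consequence")
        print(f"{entry['id']} rank={a.rank:2d} {a.level:<8} decide: {a.approver}"
              + ("" if not notes else " | " + "; ".join(notes)))
```

Two things the code makes visible that the tables do not: with a pure multiplication matrix a Catastrophic consequence only lands in the Low band at Rare likelihood (5 x 1 = 5), and never in the Moderate band (5 x 2 = 10 is already High), so the Moderate-row exception is kept for fidelity but cannot fire unless an agency customises its matrix; and the "Excellent controls required" wording on the High and Extreme rows is a precondition to check against the Existing Controls level, not part of the rank itself, which is why it is reported as a separate flag. The Sample 2 note (consequence 4 or 5 only acceptable by the Executive Director with Excellent controls) would be a second override in the same place as the Catastrophic check.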


RISK ASSESSMENT CRITERIA TABLE
(Risk rank = likelihood rating x consequence rating; both ratings run from 1 to 5, so ranks run from 1 to 25)

Consequence (rating)     Likelihood (rating)
                         Rare (1)   Unlikely (2)   Moderate (3)   Likely (4)   Almost Certain (5)
Insignificant (1)           1           2              3             4               5
Minor (2)                   2           4              6             8              10
Moderate (3)                3           6              9            12              15
Major (4)                   4           8             12            16              20
Catastrophic (5)            5          10             15            20              25

Approved as at ..../..../....   By: .......................................   Title: ..................................................

Appendix IV
Sample Risk Register


Sample Risk Register


All Risks Identified sorted by Level of Risk


Appendix V
Sample Risk Management Implementation Schedule


Sample RM Implementation Strategy

SAMPLE: Agency Name

Risk Management Implementation Schedule
(Columns in the sample: Step No. | What? | How? | When? | Who? (Responsibility))

Step 1 - Support of Senior Management
  How: Produce briefing paper & implementation plan; briefing to Executive; obtain executive sign-off; formation of Risk Management Committee (including documented terms of reference).
  When: Sept 2009
  Who: RM Co-ordinator

Step 2 - Development of Organisation's RM Policy
  How: Draft policy; draft Risk Reference Tables; determine roles and responsibilities; determine individual & corporate KPIs; obtain executive sign-off.
  When: Sept 2009
  Who: RM Co-ordinator & RM Committee

Step 3 - Communicating the Policy
  How: Arrange RM awareness sessions; distribute policy, procedure & risk reference tables; ensure all managers understand their responsibilities in managing risk (modify JDFs where appropriate).
  When: Oct 2009
  Who: RM Co-ordinator & RM Committee

Step 4 - Managing Risks at Strategic Level (Agency)
  How:
  - Develop a program plan, i.e. develop a framework & procedure for identifying & managing strategic risks, & obtain executive sign-off.
  - Identify, assess and prioritise risks as part of strategic planning session.
  - Treat risks - develop risk reduction strategies as part of strategic planning session.
  - Monitor & review risks and risk reduction strategies as part of regular strategic management process.
  When (in the order listed in the sample): ??? 2009; ????? 2009; from ??? 2009, monthly at executive meetings.
  Who: Executive with assistance from RM Co-ordinator.

Step 5 - Managing Risks at Business Unit Level
  How:
  - Develop a program plan, i.e. develop & agree framework & procedure for identifying & managing operational risks and reporting requirements.
  - Identify, assess and prioritise risks as part of operational planning session or dedicated workshop.
  - Treat risks - develop risk reduction strategies as part of strategic planning session.
  - Develop risk reduction strategies as part of regular operational management process.
  - Monitor & review risks and risk reduction strategies as part of regular operational management process.
  - Report risks and treatment strategies quarterly to RM Committee as required by program plan.
  When (in the order listed in the sample): Oct 2009; Oct 2009; from Oct 2009, monthly at management meetings; from Oct 2009, monthly at management meetings; ??? 2009.
  Who (in the order listed in the sample): RM Co-ordinator & RM Committee, endorsed by Executive; Business Unit management team; Business Unit management teams; Business Unit management teams; RM Co-ordinator / Executive / Audit.

Step 6 - Risk Auditing
  How: Develop & agree an audit plan to ensure the effectiveness of the RM process and the management of key risks; implement the audit plan.
  When: Annually ???
  Who: Audit Manager


Appendix VI
Strategic Risk Management Framework


STRATEGIC RISK MANAGEMENT CONTEXT


RISK MANAGEMENT AND STRATEGIC PLANNING
Strategic management is the continuing process of aligning the internal capabilities of the organisation with
the external demands of its environment. It involves the formulation and implementation of strategies to
achieve the organisation's goals and objectives. It is an iterative process, in which management of change,
monitoring and review are important parts.

A Strategic Plan is a comprehensive master plan that states how we are going to achieve our mission and
objectives. Anything that has a bearing on that is strategic. Strategic management is the set of managerial
decisions and actions that determines the long-run performance of the organisation.

Strategic Risk Management is the identification and management of risks likely to have a material impact on
the organisation's ability to achieve its mission and objectives.

The risks identified and evaluated as part of the strategic planning process will be risks that affect the
entire agency and its ability to achieve its mission. This is the point at which the agency will identify risks
which would prevent it from exploiting its opportunities and strengths, expose its weaknesses, or leave the
agency's threats unaddressed.

STRATEGIC RISK MANAGEMENT


There are two elements to the management of risks at a strategic level:

1. The identification, evaluation and management of risks in the strategic decision-making process.

Risks are identified at each stage of the planning process, for example:
- examination and evaluation of current Mission, Objectives, etc.
- external environmental analysis
- internal environmental analysis
- development and evaluation of alternative strategies
- selection of strategies


2. The identification, evaluation and management of risks associated with particular (current) strategies and their implementation.

As our businesses are going concerns, there are strategic plans in various states of implementation.
Therefore, the particular approach for your agency must reflect the current situation.

The following flow diagram shows how risk identification becomes an integral part of the strategic planning
process.


Typical Strategic Planning Process
(flow diagram; the boxes and the risk question asked at each stage are reproduced below as an outline)

Strategic Risk Review
  Inputs: Financial Performance; Operational Performance; Mission / Vision; Existing Goals and Objectives.
  Risk question: Achieved? Did anything go wrong?

Stakeholder Profile
  Inputs: Stakeholder Expectations; Impact if not met.
  Output: Strategic Risk Profile.

Environment Scan of Strategic Factors
  Internal: Structure (The Organisation); Culture (Beliefs, Expectations, Values); Resources (Assets, Skills, Competencies, Knowledge, Systems).
  External: Societal (General Forces); Task (Industry Analysis).
  Output: Strategic Risk Profile.

SWOT Analysis
  Strengths: risks to strengths.
  Weaknesses: risks that arise from weaknesses.
  Opportunities: risks that accompany opportunity.
  Threats: outright risks.

Strategic Formulation
  Elements: Mission / Vision; Goals and Critical Success Factors; Objectives and KPIs; Strategies; Policies.
  Risk question: Achievable? What can go wrong? Are all threats avoided and weaknesses minimised in respect to mission, goals and objectives?

Strategic Implementation (Operational Planning)
  Elements: Programs; Budgets; Procedures.
  Risk question: Can anything go wrong in this stage that will impact achievement?

Evaluation and Control
  Risk question: Are there any weaknesses in information, management or control systems, or reporting?


The Process Explained

1. Strategic Performance Review
Review how the organisation has performed against previous Goals/Objectives:
a. Were they achieved?
b. Did something prevent you from achieving your Goals/Objectives?
c. Were all performance targets met?

This review will highlight anything that should be taken into account for future planning.

2. Stakeholder Profile
Identify who the organisation's stakeholders are and their expectations. In addition, it is important to
consider what the consequences will be if their expectations are not met.
This should sharpen the focus and ensure that the strategies you are adopting will meet the needs and
expectations of the stakeholders.

3. Environmental Scan
Environmental scanning identifies factors which influence what the organisation will do and how it will do it. It
covers both the internal and external environmental factors. From the Environmental Scan, the organisation
can assess where it sits in relation to industry and society's expectations, and how it is situated to respond
appropriately to market trends or demands.

4. SWOT
A SWOT analysis is used to identify:
- risks to strengths
- risks from weaknesses
- risks from opportunities
- threats, which are risks in themselves

These risks are then evaluated in terms of impact upon achievement of objectives.

5. Strategy Formulation
In this stage, strategies are identified to achieve Goals and Objectives whilst remaining focused on the
organisation's Mission/Vision. An assessment of the risks and opportunities associated with each proposed
strategy, and of their potential impact upon the achievement of objectives, should be an integral part of this
step.
This is the creative stage of developing strategies that will deliver the organisation's goals and objectives,
mission and vision without exposing it to unacceptable risk.


6. Strategy Implementation
Once the strategies are decided upon, the process of implementing them carries a new set of risks. Each of
these risks needs to be identified and appropriate risk minimisation strategies built into the implementation
plan.

7. Evaluation and Control
There need to be system reviews which ensure that the process is implemented efficiently and effectively,
and progress needs to be reported. Mechanisms need to be put in place to monitor the implementation of
the Strategic Plan and identify any new risks that arise. The annual Strategic Review process needs to be
programmed so that there is an opportunity for a formal review.


Appendix VII
Project Life Cycle


Example -
