Beruflich Dokumente
Kultur Dokumente
PRACTICE GUIDE
© State of Victoria through the Victorian Managed Insurance Authority 2016.
Except for any logos, emblems and trademarks, this work, Victorian Government Risk Management Framework Practice Guide, is licensed under a
Creative Commons Attribution 4.0 international licence, to the extent that it is protected by copyright. Authorship of this work must be attributed to
the State of Victoria. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/
February 2016 – V3
CONTENTS
Overview........................................................................... 2 Resources.......................................................................33
Principles.......................................................................... 6 Glossary..........................................................................36
Risk process..................................................................22
OVERVIEW
The community expects Government to be
vigilant – to be alert and respond to the full
Message from the CEO
It’s a privilege to work with the Victorian public sector
R isk management is the combination of culture,
systems and processes undertaken by an agency to
coordinate the identification and management of risk. Risk
range of potential harms that comprise the and provide the education, insight, advice and support management activities inform decision making, support the
needed to help you effectively manage risk to achievement of objectives and the prevention of harm.
safety, security and wellbeing of Victorians. confidently deliver on the Government’s agenda.
Victorians expect their government to be vigilant and Government requires:
In order to meet this expectation and achieve controlling the range of harms that could compromise
either their safety, security and wellbeing. As a result, • awareness and evidence to make informed decisions on
its strategic objectives, Government must be
the Victorian Government must be prepared for risk. It its appetite for risk
prepared for risk. It needs its public sector needs its public sector to be productive, innovative and • a clear line of sight across inter-agency and State
to be productive, innovative and efficient, efficient and tackling the risk-related issues that affect significant risks over the medium to long term.
its ability to deliver the services needed.
anticipating and managing the risks that Risk management, done well, will prevent harm or reduce Government needs to have confidence that the public
could affect the delivery of its policy agenda. its impact. This guide is a practical tool to help you plan
sector can deliver services to the community and:
for and engage with risk, both in your agency and across
the public sector. Using this guide will help you: • understands and manages the risks it is exposed to
• Navigate the Victorian Government Risk • receives support and advice from experts in risk
Management Framework
management
• Understand your agency’s risk profile
• employs value-for-money risk solutions.
• Be confident the measures you take reflect sound
planning
This guide has been developed to support the framework
• Reinforce an organisational culture improving
and help agencies meet their risk obligations and
outcomes for Victorians
accountabilities including attesting that risks are being
• Improve your agency’s risk maturity over time.
managed effectively and efficiently.
We welcome your feedback and experience in using
the guide.
2
OVERVIEW
Visit our website for further resources www.vmia.vic.gov.au Principles pages 6-7
How to deliver
Risk management pages 8-13
Risk governance pages 14-21
Risk process pages 22-32
Resources page 33
Where to look for help
Insurance pages 34-35
Glossary pages 36-38
Appendices pages 39-47
Templates page 48
3
OVERVIEW
• Insight
Helping you turn information into knowledge, to know
what’s important and guide your action.
• Learn
Reflecting what’s gone wrong to make changes for
the future.
4
MANDATORY REQUIREMENTS
Government requires your agency to comply
Risk management Insurance
with the framework. Your senior officers must
Your agency must be satisfied that risk management Your agency must arrange all of its insurance with
attest to your agency’s compliance with the is adequately resourced and that its risk management VMIA (unless exempted) and as part of your annual
framework and Victorian law. framework: insurance renewal process:
• Is consistent with the Australian and New Zealand • Consult with VMIA to determine appropriate
Standard. insurance levels.
• Supports the development of a positive risk culture • Maintain a register of insurance and indemnities.
• Is reviewed annually.
• Provide information on claims management
• Includes processes that effectively manage risk. capability, resources, structures and processes
• Makes it clear who is responsible for managing for any self-insured risks.
each risk.
For self-managed claims your agency needs to
• Addresses the management of inter-agency risks
maintain adequate claims management capability
and State significant risks.
and processes and provide self-managed claims
• Demonstrates that business planning activities
data to VMIA.
incorporate risk management.
5
PRINCIPLES
This section outlines the 11 principles of the
Standard and how they have been defined.
R isk management principles are not compliance-
focused. They provide a set of statements to guide
and assist in the design, implementation and oversight
Reference to decision making, human behaviour and
cultural factors includes ensuring risk management
is operating as intended and contributes to improved
This guide has been designed to ensure of your risk management framework. performance and outcomes.
6
PRINCIPLES
7
RISK MANAGEMENT
This section outlines the terms and concepts
associated with risk management and provides
T here are a number of terms and concepts that are
often used to describe activities relating to managing
risk. Understanding these will help an agency manage risk
Risk
“Risk is the effect of uncertainty on objectives.”
guidance on risk framework development, more effectively. AS/NZS ISO 31000:2009
implementation, profile and maturity. The following are some of the key terms and concepts The effect that uncertainty has on the achievement of an
covered in this section: agency’s objective, gives rise to risk.
• risk All agencies in the public sector are exposed to some level
• risk-based decision making of risk, which all agencies have an obligation to manage.
• risk management An agency will be exposed to risk from many sources such
• risk management framework as: political, economic, social, technological, regulatory or
• risk maturity. environmental. There are many different types of risk and
multiple factors that influence risk. These may be global or
localised and within the actual agency. Some factors will
The following are not risks:
be beyond the agency’s ability to influence or control but
Issue –
the agency may still be impacted.
A current problem or concern influencing objectives.
A risk can become an issue, but an issue is not a risk. The positive aspect of risk is the “risk/reward” concept,
Incident – where the benefits of taking a risk outweigh the potential
An event or circumstance which could have, or did lead negative impacts. Risk taking should be guided by an
to, unintended and/or unnecessary harm to a person agency’s risk appetite and managed in accordance with
and/or a complaint, loss or damage. its risk framework.
Hazard – To manage risk, it is important to understand how uncertainty
Anything that has the potential to harm people or and objectives influence risk:
property. A risk arises when it is possible that a
hazard will actually cause harm.
Event –
Occurrence or change of a particular set of circumstances.
8
RISK MANAGEMENT
Uncertainty – There is no absolute certainty about the Business objectives are often described as SMART –
future but there is generally a level of predictability to S(specific) Practical tips
outcomes and performance. Uncertainty reduces the
M(measurable) For risk management:
predictability, in turn giving rise to risk.
A(attainable) u
define the objective to determine the risk(s)
As uncertainty changes, so does the risk. This means a R(relevant)
risk is dynamic and needs to be monitored and reviewed u
consider the objective in a future context (either
T(time-bound). short, medium or long term)
on a regular basis.
In most agencies there will be multiple strategic, operational u
identify what is uncertain about the objective
Common sources of uncertainty are – When something
and project objectives. Executive and senior managers
is not available, unreliable or invalid; where the interaction u
formulate a view of what is important to achieve
have a role to manage conflict or dependencies between
or relationship is unknown, is variable or can be interpreted the objective
objectives and find ways to address any uncertainties.
differently; when something is random, inconsistent; or has
a range of possibilities and changes over time. Assumptions u
identify and manage through the risk management
When considering risk:
and presumptions are also common sources of uncertainty. process (see process section)
• identify what event or situation would cause you to not
Objective – A clear understanding of the objective is achieve the objective u
consider resources required to manage risks
important to risk identification. If there is a lack of clarity • consider the potential impact(s) to the objective u
assess future requirements as priorities change.
about what the agency is trying to achieve, it can result • describe the risk as a clear concise meaningful statement
in a risk being identified that is not an actual risk. This
• undertake an assessment of the risk
can have flow-on consequences, such as unnecessary
investment in controls and resources and underlying • decide what action should be taken.
exposures left unidentified and unmanaged.
9
RISK MANAGEMENT
10
RISK MANAGEMENT
Risk management The benefits of risk management Risk management includes the approach, process and
activities undertaken to ensure that:
“Coordinated activities to direct and control an
organisation with regard to risk.” • adequate oversight, reporting, monitoring and
AS/NZS ISO 31000:2009 assurance occurs
Risk management is used to describe the activities under- • risks are identified, assessed and action is taken
taken by an agency to identify, assess and manage its risk. • controls are identified, assessed and sufficient
Risk management is fundamental to improving performance investment occurs
and achieving outcomes. When routinely applied, informed
• people have the right capability and skills to manage risk.
decisions can be made with more confidence.
Risk management is most effective when: Risk management applied as a discipline within the
agency’s prescribed risk management framework will:
“every person thinks about risk and manages risk
as part of their job.” • support successful execution of strategy, business
plans and projects
Risk management cannot prevent every risk from
• increase the chance of achieving objectives
occurring due to the uncertain nature of some risks.
• improve culture
Risk management will:
Risk management supports an assessment and decision • provide confidence to Government and the community
• develop a discipline to avoid or reduce the likelihood and regarding:
potential impact(s) of a risk • promote the efficient allocation of resources
• what risks to avoid
• provide a level of comfort that informed decisions are • reduce negative perceptions and impact on reputation
• why some risks can be taken
being made • empower people to make decisions with confidence
• how risks must be managed.
• ensure the Victorian public sector is doing all it • determine how much risk can be taken and tolerated
reasonably can to manage its risk.
• inspire others to follow examples and work collaboratively.
11
RISK MANAGEMENT
Risk management framework Core components of ensuring an effective • commit to improving, monitoring and measuring risk culture
risk management framework
• assess its risk appetite and incorporate it into decision
A risk management framework is the:
making and corporate planning
“Set of components that provide the Mandate • develop an approach that provides assurance to the
foundations and organisational arrangements and
Responsible Body risks are being managed.
commitment
for designing, implementing, monitoring,
reviewing and continually improving risk Process
management throughout the organisation.” Continual
Design
improvement
AS/NZS ISO 31000:2009 The agency will:
• establish and communicate its process
A framework is the term used to describe the totality of
all processes, procedures, documents, policies, resources, • develop appropriate tools and templates
governance, and arrangements it has in place that Monitor • ensure people have adequate skills and capability
and Implementation
contribute to risk management. • develop escalation protocols
review
An agency will already have many frameworks in place, • ensure risk appetite is defined in its risk criteria
designed to deliver its services and undertake activities. AS/NZS ISO 31000:2009 • identify State significant and inter-agency risks
Some examples include: compliance framework, safety • invest in control assessment and management
framework and governance framework. i
See Appendix A for risk management framework components.
• align internal auditing to monitoring risk.
A framework is essential to ensure there is an agreed
Developing an effective risk
approach to manage risk. It is required as part of overall Resources
management framework
governance arrangements and will also complement and
The agency will:
support other frameworks. The following can be considered:
• invest adequate resources into the function
The Standard sets out the components of a risk Risk governance • support independence and escalation of risks
management framework. While an agency will have
The agency will: • assess capability requirements and link it to
processes and approaches in common with other
• develop a risk management strategy and improvement plan development plans
agencies, all agencies are different due to their mandate
and requirements. This means their approach to risk • ensure roles and responsibilities are well defined and • create opportunities for people to champion risk
management should be developed and tailored to suit included in position descriptions • provide adequate training and learning opportunities.
their specific requirements.
12
RISK MANAGEMENT
Risk profile review Risk maturity Risk maturity goes beyond the structural elements of
ensuring a framework is in place. It also requires an
This is a formal process where the agency’s risk profile is Risk maturity describes the capability and level of maturity agency to determine if it is effective. This means an
reviewed periodically and annually. an agency operates at in terms of its risk framework. agency would need to assess whether:
Risk maturity is linked to an agency’s performance and
This could involve a requirement to: • risk management is contributing to its overall performance
achievement of outcomes.
• collect evidence of the identification, evaluation and • risk management function is operating as expected
Risk maturity typically encompasses all elements of the risk
review of risks and their controls • outcomes are being achieved.
management framework. There may be varying levels of risk
• assess effectiveness that is supported by audit activities maturity across different elements within the framework.
and data to provide assurance. Risk maturity assessment
Risk maturity is not a static concept and is susceptible to
• review and sign-off of the process by risk owners internal and external factors and drivers over time. As an An assessment of risk maturity enables the agency to
• escalate any deficiencies and failures in systems or agency and its context changes, risk management also assess the performance of the risk management framework
processes with recommendations for further actions needs to evolve to ensure that it continues to support the and to determine whether it is meeting expectations. An
achievement of objectives. assessment provides a roadmap for improvement through
• assess that the process has been adopted and implemented
The desired level of risk maturity should be considered identifying opportunities to mature the framework to the
• check that there is evidence of: desired level. An agency may choose to undertake a self-
by the Responsible Body aligned to achieving strategic
- governance, systems and reporting objectives and managing its risk profile. The desired risk assessment of its risk maturity using an internally developed
maturity should be reflected in the agency’s risk management methodology or an established model such as that defined
- risk identification and understanding of the agency’s in AS/NZS ISO 31000 or the VMIA risk management
strategy to influence risk improvement activities.
risk profile and management plan assessment methodology.
- assurance activities An agency should consider developing and implementing
strategies to improve its risk maturity (or maintain it at the Further guidance, tools and templates are available on
- failures and deficiencies identified and escalated for
desired level). VMIA’s website at www.vmia.vic.gov.au
further actions
Continual improvement is a fundamental element for
- continuous improvement in managing risks which
effective risk management. An agency will need to develop
are dynamic and changes as the operating
its approach to risk management over time and invest
environment changes.
adequate time and resources to achieve its desired rating.
13
RISK GOVERNANCE
This section outlines the inter-dependence Risk Management Effective risk governance supports an agency to improve
performance and achieve desired outcomes as it will:
of good risk governance and effective risk
• guide required risk management behaviours
management. It provides guidance on how
Agency • establish consistent processes
to improve risk governance, and assess
• drive informed decision making.
its effectiveness.
Risk governance includes
Practical tip ensuring there is adequate
oversight and consideration of the accountability for setting
For a risk
objectives andmanagement framework
defining the strategies to be effective:
to achieve objectives.
u Alignment of corporate planning to the risk
management framework is an essential
component of good governance.
14
RISK GOVERNANCE
The following diagram depicts the three lines of defence Corporate and business planning Risk management in corporate and business planning
and the risk and control environment: would include the identification and validation of key risks
Corporate and business planning refers to the annual to strategic objectives and risks associated with business
planning an agency undertakes at all levels to determine or divisional plans.
its objectives and develop supporting plans.
Risk management should also be undertaken for projects,
Risk management must be incorporated into corporate and policy development and as part of delivery of programs and
business planning processes as a mandatory requirement. services. This will ensure there is a comprehensive, consistent
Incorporating risk management provides value to decision and integrated approach across the agency. Failure to do
makers as it will: this could result in gaps and unexpected exposures.
• identify what could impact the agency’s objective(s) Each agency will need to determine the best approach
to incorporate risk management and this should be
• provide an opportunity to develop strategies to minimise
documented in its risk management plan.
the impact
• support decisions on how much risk can be taken to The risk process section (page 22) provides guidance
achieve an objective. on how to undertake strategic risk identification.
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41
i
See Appendix B for three lines of defence model.
15
RISK GOVERNANCE
The following is an example of how risk management can be embedded into corporate activities:
Practical tips
Quarter 4 Activities Quarter 1 Activities
Corporate plan finalised Corporate plan roll out
To develop a risk management policy an agency
Annual risk reporting Annual Report should consider how it will:
Insurance Attestation (including attestations) u
tailor it to the agency context
Risk Attestation Q4
Checklist
Q1 Checklist
Review Risk Register
u
state the rationale for managing risk
16
RISK GOVERNANCE
17
RISK GOVERNANCE
Risk culture Developing a positive risk culture requires a continuous Combined, these characteristics reflect the behaviour of
improvement approach. This will ensure people are an agency towards risk management.
Risk culture refers to the behaviours provided with opportunities to grow and improve their risk
that lead to how every person thinks It is possible to assess risk culture and align the outcomes
management capability and knowledge. It will also support
about and manages risk. Culture to the risk improvement plan.
consistent and appropriate risk decisions.
Risk culture is a component of the Many agencies now include risk culture as part of their
Risk culture encompasses how risk management is
overall culture of an agency. Risk annual staff engagement survey or undertake a separate
embodied and includes:
Culture risk culture survey.
The risk management framework • Accountability – the way in which accountabilities are
must support the development of The results are reported through to the Responsible Body
communicated and managed.
a positive risk culture within Risk and relevant governance committee and aligned to the
Behaviour
the agency. • Awareness – how aware people are of the risk risk improvement opportunities and development plans.
management framework.
The Responsible Body and the
Decision
executive are responsible for Making • Attitudes – the attitude towards risk management and
setting the ‘tone at the top’. They its value proposition.
play a key role in influencing and
articulating the desired risk culture. Three key components for a positive risk culture
18
RISK GOVERNANCE
The following provide guidance on the three components for developing a positive risk culture:
Practical tips
Accountability Awareness Attitudes
To develop a positive risk culture an agency should:
The Responsible Body and executive Risk management is at the front- Risk management is viewed as u
ensure the message is communicated by the
take leadership responsibility for end of decision making and everyone’s responsibility.
Responsible Body and the executive
risk management. aligned to objectives. • risk management function has
• obligations, delegations and • risk management policy and influence u
assess whether staff understand the message
accountabilities are documented procedures are readily available • value is expressed through u
determine how risk culture is reflected in day-to-
and communicated • integrated into corporate and discussions, actions and activities day practice
• commitment and ‘tone from the business planning cycle • ongoing learning supports
top’ are widely understood and u
assess how a positive attitude towards risk
• applied as part of day-to-day improvement initiatives
consistently applied management is modelled through line managers
decision making and activities • people feel free to challenge
• intent is reflected in values and • standard approaches and access to and escalate u
develop a safe environment to report and escalate risk
behaviours and are consistently supporting documents and tools
applied • people operate within delegations u
determine whether action to occur for risk taking is
• common vocabulary is developed • agency values are evident in outside an individual’s delegated authority or scope.
• reporting is transparent and timely and understood people’s behaviour
• performance mechanisms support • obligations, delegations and
and reward positive risk behaviour • ethics and integrity underpin activities.
accountabilities are understood
• roles, responsibilities and ownership and applied
are documented and communicated • roles, responsibilities and ownership
• risk culture is evaluated and aligned are understood and accepted.
to the risk improvement plan.
19
RISK GOVERNANCE
Examples of where risk culture would be evident are: Case study of a positive risk culture
• mission and values statements A Victorian public sector agency’s board made a strong commitment to risk management and
expressed a desire for it to be a relevant, sustainable and an effective part of its organisational culture.
• board orientation program
Key points
• by-laws and charters
• There is strong board and management commitment for risk management.
• delegation authorities
• Risk culture is positive and is assessed annually and benchmarked.
• policies and procedures • A common and shared understanding of organisational purpose is evident.
• position description • The value and role of risk management in decision making is well understood and applied.
• staff induction programs • Staff are encouraged and supported to identify and escalate risks.
• posters and brochures The agency requested we conduct a risk maturity assessment to further understand its risk maturity, including its
risk culture. The review was able to validate:
• feedback from suggestion boxes
• a shared and common understanding of the agency’s purpose, key functions, programs and improvement initiative
• minutes of meetings • a shared view that risk management is an important discipline and management tool used in planning and
• staff engagement surveys decision making throughout the agency
• that staff reported they were encouraged and supported to identify and raise risks
• stakeholder feedback
• that a central risk team supported the risk management function
• complaints
• evidence of continuous and rigorous risk discussion by the executive and directors.
• learning and development programs
To further develop its risk culture, the agency also invested in a Risk Champion Model. Risk champions are mid-level
• standard templates and tools. managers selected across the organisation to be conduits for the business by informing and managing the risk profile.
20
RISK GOVERNANCE
Risk appetite Defining risk appetite will: Steps in determining risk appetite
• focus on what is important to the agency A statement can be a high-level statement or include
Risk appetite refers to the type and amount of risk that
expectations for particular risks.
an agency is prepared to accept or avoid. It encourages the • develop a shared view of risk
consideration of risk in strategic and tactical decisions by asking: i
See Appendix C and D for an example of a risk appetite
• promote risk-based decision making
statement and steps for determining one.
“Is this course of action compatible with our
risk appetite?” • improve oversight and monitoring.
Develop
In the case of Government an agency’s risk appetite A risk appetite statement supports:
statement is the shared view of the Responsible Body and
• defining new initiatives and project priorities
executive management on the nature and amount of risk
Monitor Communicate
it will retain or accept to achieve its strategic objectives. • corporate and business planning and reporting
The risk appetite statement influences and guides • investment and resource allocation.
decision making, clarifies strategic intent and ensures Develop
choices align with the capacities and capabilities of the • design statement to suit the agency
Practical tips
agency. It supports a shared understanding of: • define against key strategic objectives
Things to consider for risk appetite: • clear statements for decision makers.
• opportunities and uncertainties
u
What does risk appetite mean for your agency?
• what type of risk to pursue Communicate
u
Why would risk appetite add value?
• how much risk to accept • set the tone for risk management
u Who needs to set the expectations and accountability? • ensure risk criteria reflects risk appetite and tolerances.
• what risk can be tolerated
u How can it be included into the governance, Monitor
• investment required.
framework and process?
• include in risk reporting
Mandate, legislative requirements and stakeholder expectations
u When should decisions about risk appetite be • review and adjust as the internal and external
affect how much risk an agency can accept. Expectations
made and communicated? environment changes
should be set by the Responsible Body and agreed with
the executive. The executive communicates expectations to • incorporate into continuous improvement activities
ensure monitoring, reporting and reviewing occurs. • utilise internal audit to review.
21
RISK PROCESS
T
This section outlines the risk management he risk management process is a core component of Process for managing risk
the risk management framework.
process, including the risk process steps,
Having a documented risk management process is
how to describe a risk as well as guidance important as it will outline the steps about how to: Establishing
on inter-agency and State significant risks. the context
• establish the context
• understand what is uncertain and potential effects Risk
assessment
• identify and assess what could happen
Practical tip
When undertaking the risk process an agency should: AS/NZS ISO 31000:2009
u
Make sure the establish the context step is not
missed. This step provides value to the process as
it is where the alignment, planning, understanding
and preparation occur.
22
RISK PROCESS
In practice, there are essentially two ways the risk process occurs in an agency:
A formal documented risk assessment process has not occurred but the risk is A coordinated approach where the steps of the risk management process are followed
considered and some action may be taken. Informal risk management process may and applied. This can occur in a structured discussion, workshop or meeting and can
occur during day-to-day activities where there is some uncertainty that may affect what often be facilitated. It will result in risk(s) being recorded and actioned with an owner,
the agency is trying to achieve. time frames, reporting and monitoring.
The following may occur: A formal risk assessment may occur for:
• Discussions of potential future risks of concern are discussed either with a manager • defined objectives important to the successful execution of an agency’s strategy and
or colleague and this leads to a change to a work practice or process. operations (included as part of the corporate and business planning activities)
• Discussions of a potential future risk of concern occur and specialist expertise is sought. • projects
• Discussions occur where there has been a change in the context or environment and • new services and/or products
there may be heightened monitoring of the situation.
• Government initiatives or policy directives
• A trend in incidents is identified and there may be a need to assess the potential for
• change in the agency’s mandate or requirements
a risk to an objective emerging.
• identified problems that require further assessment and/or analysis
• Discussion of an emerging issue or risk is escalated and considered for formal assessment.
• inter-agency matters, agreements or requirements
• A standard meeting agenda item could include identification of potential risks or
emerging issues for discussion and/or action, which could include escalation. • State significant or whole-of-Government operations.
23
RISK PROCESS
Risk assessment
This step includes: Practical tips Common pitfalls
• risk identification For describing risks: There are some common pitfalls in relation to
• risk analysis describing a risk. For example an agency may:
u
It is helpful to test the risk description with a
• risk evaluation.
person who is not the risk owner. This will help • Identify risks as broad statements. Broad
to ensure it can be understood and that it is statements are less informative and difficult to
Risk identification
describing the actual problem. manage at both an operational strategic level.
Risk identification defines the “risk” problem and provides
insight into “uncertainty” and the possible effect on the i
See Appendix F for a sample risk description and
• Identify risks as a cause. A cause contributes
informal assessment example.
achievement of objectives. to a risk event occurring, rather than the risk
itself. Articulating risks in this manner hinders the
A well-described risk is important to provide context and
effectiveness of monitoring and measurement activities.
meaning of the cause, event and impact for management Describing a risk can be challenging and may take multiple
and oversight. Key reasons are that it will: attempts and a lot of discussion to agree on the risk. • Identify risks as incidents. Incidents are risks that
• assist to direct controls assessments and treatment planning have materialised. Treatment plans would be focused
Breaking the risk up into three elements helps to: on managing the incident rather than preventing the
• provide meaningful information for reporting and oversight
• Identify the cause of the event to help determine what incident from occurring again.
• reduce over or under investment in unnecessary controls controls would be required
• Identify risk as consequences. Consequences
• align the uncertainty to an objective(s). • understand the “something” that could happen to consider may be measurable but cannot be managed effectively
the possible impact as they do not represent a specific “risk event”.
Risk will have a source and the following are the three key
elements of a risk:* • explore the potential impacts of the event to inform what • Identify a risk as a “type” of risk. For example
Option 1 decision is required. Occupational Health and Safety or Information
Cause Event Impact Technology.
Some agencies also describe a risk as an “event”. When
Option 2 describing the risk as an event it is helpful to consider
Event Cause Impact how a post-event analysis would be conducted for the risk
being described.
* The term “impact” has been used to simplify guidance for risk identification. It is
referred to as “consequence” in AS/NZS ISO 31000. 24
RISK PROCESS
u
Refer to the objective to ensure there is a focus Practical tips Controls influence how a risk is rated. A risk may be rated
on what is important. too high or too low based on how the control is viewed, its
For a risk analysis and evaluation:
effectiveness or in the absence of a control.
u
Identify dependencies with other agencies as u
Rate the risk based on current controls and
these can lead to identifying shared risks. their effectiveness Understanding the control environment is an essential part
u
Identify and consider the risks associated with not of the risk process. The risk owner is the best person to
u
Analyse the risk against the range of risk
pursuing an opportunity. provide a view of the control. Specialist expertise may be
categories to determine potential impacts
required to support and validate this view.
u
Assess risk against all categories of risk to
Risk analysis and evaluation Controls are important because an agency cannot operate
determine most appropriate rating
effectively without appropriate governance, structure,
These are separate steps in the process but are usually
u
Determine option – avoid, share, reduce, accept. processes and procedures. Every agency will have
undertaken together.
controls to govern and guide the way it operates and
Analyse to: delivers its services.
25
RISK PROCESS
A new agency would need to establish its governance and Where there are multiple controls, it is important to identify
Some common controls include: control environment and many of the controls would be the important ones or the ones that are critical. This is
established due to legislative or regulatory requirements. important to help make a decision about what action is
• legislation
Controls are generally the responsibility of risk owners and required or about additional investment.
• delegations would include their oversight and implementation.
Each agency should have its own control effectiveness
• committees
When analysing and evaluating a risk, consideration is rating approach to guide the process and how controls
• reporting given to the specific controls that are currently in place should be rated. This should be supported by an internal audit
• policies, procedures, guidance material that would modify the risk. program that is aligned to the risk register and risk plan.
• qualifications Considering both the design and operating effectiveness of A simple approach is assessing whether the control is:
• credentialing controls is a critical aspect of the risk management process.
1. effective
• insurance Multiple controls may exist and some will be more important
2. partially effective
• employment screening or effective than others. Failure of controls could lead to
an event. 3. ineffective.
• training and required learning
Key fundamental questions to consider are: After the controls have been identified, assessed and
• OHS representatives, champions, other representatives
rated, a decision can be made as to whether additional
• position descriptions • What are the current control(s) in place that would
controls are required.
modify this risk?
• values and behaviours, code of conduct
• audit, reviews, investigations • Why is this control important in modifying this risk?
• equipment, devices, infrastructure • How effective is the control at modifying this risk?
26
RISK PROCESS
27
RISK PROCESS
28
RISK PROCESS
29
RISK PROCESS
Inter-agency and State significant risks Some inter-agency risks could become State significant • Vulnerabilities may be different depending on service
or have some Statewide implications. delivery requirements.
Agencies are required to identify and
• Triggers may be different and require different
contribute to the management of both
inter-agency and State significant risks. management or indicators.
State
significant • Controls may be different depending on the context.
Identifying and managing these risks
• Assurance arrangements and requirements may vary
is important to provide confidence to
Government and the community that these risks are being RISK • Escalation arrangements may extend beyond your agency.
managed and there is a clear line of sight over the medium
to long term. Inter-agency Agency
These risks may to require an agency to:
Being satisfied your agency is contributing to the • undertake detailed exploration and analysis
identification and management of these risks includes • seek support from an expert
being able to demonstrate the agency has:
• develop a specific approach to manage
• Adequate governance arrangements to ensure clear Inter-agency and State significant risks are essentially a • form a partnership and/or collaborate
accountability and oversight. “category” of risk. The normal risk assessment approach
• develop of a whole-of-Government response
• Agreed the lead agency, including roles and responsibilities. should be applied. If the process has to be adapted
• engage with private entities and the Commonwealth
• Integrated requirements into the risk management differences may include:
to develop strategies/solutions.
framework and supporting documentation. • A higher degree of uncertainty due to the nature and
• establish joint monitoring and reporting
• Applied the risk process in consultation with relevant agencies. complexity of the risk problem.
• gain consensus on the appropriate response
• Worked collaboratively to identify and manage these risks. • Solutions may be required that involve multiple parties
• Established appropriate monitoring and reporting. • determine ownership and accountability
and entities.
• fund risk mitigation activities or treatments
Inter-agency and State significant risks are typically shared • Time frames may be longer term particularly for State
significant risks. • ensure agreed actions are undertaken by the respective
by two or more agencies where a shared objective or a key
dependency exists. agencies
• Scale may be beyond normal thresholds and may
require different consideration. • provide an aggregated summary of the risk to Government.
Formal or informal processes may be in place which
could include executive forums, formalised partnerships • Interdependencies may not be clear or change over time. i
See Appendix G for key components to managing inter-
and committees. agency and State significant risks.
30
RISK PROCESS
31
RISK PROCESS
32
RESOURCES
M
This section provides an overview of the anaging risk is everyone’s responsibility. Effective • ensure staff possess the appropriate experience and skill
risk management requires resources. It is now a • provide access to required areas of the agency
key resources and capability requirements mandatory requirement to allocate adequate resources to
for developing and implementing your risk risk management. This means considering what is required • require notification and escalation of matters of concern
to satisfy the agency’s obligations and accountabilities. or that deviate from the agreed approach
management framework.
• create a level of independence to support the three lines
An agency will need to make a decision regarding what
of defence and overall governance.
constitutes adequate investment based on its mandate,
size, complexity, services and level of risk maturity.
33
INSURANCE
This section outlines why insurance
is an important option to help protect
W e provide insurance products specifically for
Government – delivering broad cover at low cost –
helping to protect important assets and services.
• type, scale and nature of risk
• what risk the agency is prepared to accept
• availability of alternative risk management and
an agency from the financial risk of Departments or participating bodies must arrange all mitigation strategies
something going wrong. insurance with us unless: • level of insurance required based on your objectives,
risk profile and tolerance
• exempted by the Minister for part or all risks
• past claims experience
• we have formally declined or cannot offer insurance for
a specific risk. • availability and cost of cover.
An agency must have appropriate insurances in place Agencies are responsible for managing and funding any
self-insured and under-deductible losses. This means an
that reflect its risk profile. Portfolio departments are
agency will need to determine:
accountable for providing oversight of their agencies.
• the loss the agency is able to manage and fund (often
Insurance does not prevent something from occurring.
referred to as a deductible)
If something unexpected does happen insurance means
an agency won’t have to fund the full cost of the loss. • the number of losses the agency is able to manage and
The community benefits from an agency being able fund any given policy year
to recover financially and it minimises the impact on • capability to manage claims and appropriately reserve
consolidated revenue. for losses.
Not all risk can be covered by insurance as there are Important points to note:
many risks that do not have a direct financial impact and Insurance may be a viable cost effective option to reduce
alternative risk management strategies would be required. the financial impact for the agency if the risk occurs.
Insurance should not be the only option.
Risk-based decisions can also be made not to insure
a risk, where a cost benefit assessment determines • Preventative or mitigating strategies should be
insurance is not the best option. considered to reduce the likelihood and/or impact.
• Provide a cost benefit analysis of potential actions.
We can help to determine appropriate insurance programs.
Key factors to consider include: Risks that cannot be insured should be included as part
of the risk management framework.
34
INSURANCE
• ensure that the financial impacts of any indemnities Construction Risk Medical Indemnity
have been adequately assessed and align with the Damage and liability during construction projects Covers healthcare providers and rural GPs
agency’s risk appetite
Cyber Liability Motor Vehicle
• ensure that the valuation basis for valuation of self- Legal liability from actual or alleged breaches Damage to motor vehicles and
insured retained losses is recorded of an agency’s data and corporate information third-party property
• be satisfied that adequate claims management Director’s & Officers Liability Personal Accident
capability is maintained where the agency manages
Claims against agencies’ directors and officers Cover for volunteers in agencies
below deductible claims
• ensure required below deductible claims data is EmRePSS Professional Indemnity
provided to VMIA. Emergency service providers Alleged breaches of professional duties
• We can manage below deductible claims on your behalf. Damage and loss of artworks and property Injury and property damage to third parties
35
GLOSSARY
Accountable Officer In relation to a department of public body, means the Australian/New Zealand Risk AS/NZS ISO 31000:2009. The Standard provides
accountable officer for that department or public Management Standard principles and generic guidelines about risk management,
body as determined under section 42 of the Financial and can be applied to a wide range of activities, including
Management Act 1994.1 strategies and decisions, operations, processes, functions,
projects, products, services and assets.
Agency Any department or public body as defined in the
Financial Management Act 1994. 2
Consequence Is the outcome of an event and has an effect on objectives.5
Agency required to insure A Department or participating body as defined in section
with the VMIA 3 of the Victorian Managed Insurance Authority Act 1996. Control Measure that is modifying risk.6
Agency-specific risks Risks that can be managed entirely within a single Formal risk management Occurs where the steps of the risk management process
agency’s operations and can generally be well are followed and applied.
understood and effectively managed with straight
forward risk management processes.3 Informal risk management Occurs when a formal documented risk assessment
process has not occurred but the risk is considered
Audit committee The Standing Directions of the Minister for Finance
and some action may be taken.
state that an audit committee is appointed to oversee
and advise the department or agency on matters of
Inter-agency risks Risks shared by two or more agencies that require
accountability and internal control. This committee is a
coordinated management by more than one agency
subset of the Responsible Body (or Board) which has
and may include systemic risks. The responsibility for
been formulated to deal with issues of a specific nature.4
managing and inter-agency risk is shared by all the
Australian/New Zealand Risk AS/NZS HB436: 2013 (HB436) the risk management relevant agencies and will benefit from a coordinated
Management Standard guidelines – companion to the Australian New response where one agency takes a lead role.7
Zealand Standard. HB436 provides guidance on the
implementation of the Australian New Zealand Standard Responsible Body For a department, the accountable officer is the
and is a useful reference document for an agency that is Responsible Body. For other agencies, it is the board or the
aiming to further develop its risk management framework. person or body with ultimate decision making authority.8
1
Department of Treasury and Finance, Victorian Government Risk Management Framework – Definition page 22 5
AS/NZS ISO 31000:2009
2
Ibid 6
AS/NZS ISO 31000:2009
3
Department of Treasury and Finance, Victorian Government Risk Management Framework, page 16 7
Ibid
4
Ibid 8
Department of Treasury and Finance, Victorian Government Risk Management Framework – Definition page 22
36
GLOSSARY
Risk Effect of uncertainty on objectives.9 Risk management framework Set of components that provide the foundations and
organisational arrangements for designing, implementing,
Risk appetite Refers to the type and amount of risk that an agency is monitoring, reviewing and continually improving risk
prepared to accept or avoid. management throughout the organisation.12
Risk criteria Terms of reference against which the significance of a Risk management plan Scheme within the risk management framework
risk is evaluated.10 specifying the approach, the management components
and resources to be applied to the management of risk.13
Risk culture Refers to the behaviours that lead to how every person
thinks about and manages risk. Risk management policy Statement of the overall intentions and direction of an
organisation related to risk management.
Risk evaluation Process of comparing the results of risk analysis with
risk criteria to determine whether the risk and/or its Risk management process Systematic application of management policies,
magnitude is acceptable or tolerable. procedures and practices to the activities of
communicating, consulting, establishing the context,
Risk governance Refers to the culture and arrangements developed and identifying, analysing, evaluating, treating,
by an agency to manage the uncertainties to achieving monitoring and reviewing risk.14
its objectives.
Risk management strategy Describes an agency’s future vision, direction and
Risk identification Defines the ‘risk’ problem and provides insight into objectives for risk management. It incorporates key
‘uncertainty’ and the possible effect of this on what is activities designed to achieve these objectives and the
trying to be achieved. plan to build risk management capability and maturity.
Risk management Coordinated activities to direct and control an Risk profile A description of any set of risks. The set of risks can
organisation with regard to risk.11 contain those that relate to the whole agency or part of
the agency.15
9
AS/NZS ISO 31000:2009 12
Ibid
10
Department of Treasury and Finance, Victorian Government Risk Management Framework – Other risk terms page 19 13
Ibid
11
AS/NZS ISO 31000:2009 14
Ibid
15
Department of Treasury and Finance, Victorian Government Risk Management Framework – Other risk terms page 19
37
GLOSSARY
Risk tolerance The agency’s readiness to bear the risk after risk
treatment in order to achieve objectives. Risk
tolerances are based on the maximum level of
acceptable risk and may be expressed in various ways
depending on the nature of the risk.16
Risk treatment Process to modify risk, it can involve: avoiding the risk
by deciding not to start or continue with the activity that
gives rise to the risk, taking or increasing the risk in
order to pursue an opportunity, and/or removing the risk
source.
16
Department of Treasury and Finance, Victorian Government Risk Management Framework – Other risk terms page 19
17
AS/NZS ISO 31000:2009
18
Department of Treasury and Finance, Victorian Government Risk Management Framework – Other risk terms page 17
38
APPENDICES
Appendix A | Risk management framework components
Mandate and Commitment
What is it? Typically this would be reflected in: The agency would:
It reflects the intent to ensure effective risk management. • mission and values statements • endorse the risk management policy
• by-laws and/or charters • ensure a positive attitude towards
Why is it important?
• policies risk management
It provides the basis for a common and consistent approach.
• position descriptions • review regularly the effectiveness
How is it evident? of its risk management.
• staff recognition programs
When commitment to risk management is strong and
• continuous improvement plans.
supports a positive risk culture.
Design
What is it? Typically this would be reflected in: The design of the framework takes
It reflects what is required and what should be included. • risk management procedures into account:
• governance structure • internal and external factors
Why is it important?
• risk management policy • accountability and responsibility for
It considers context, requirements, and components. managing risk
• by-laws and/or charters
How is it evident? • integration into corporate and
• terms of reference of committees
Design of the framework enables a systematic and business planning
• communication and consultation plans.
structured approach. • communication and reporting mechanisms.
39
APPENDICES
Implementation
What is it? Typically this would be reflected in: The agency would:
It reflects what actions are required to make it real. • risk management strategy • develop a risk management
• project documentation strategy to support integration
Why is it important? • risk management policy • identify its requirements for
It ensures planned activities occur and are resourced. • maps of the decision-making process building capability
• corporate and business plans
How is it evident? • review its progress
• minutes of committee meetings
Implementation and integration the risk management • budgeting and planning processes • report outcomes
framework supports risk-based decision making • procedure manuals associated with • re-assess post implementation.
across the agency. management systems
• risk management training systems
• internal audit and assurance systems.
40
APPENDICES
Continual improvement
What is it? Typically this would be reflected in: The agency would:
It reflects the continual improvement process. • a risk management improvement plan • develop a risk improvement plan
• a risk attestation statement • incorporate improvement activities
Why is it important? • risk management policy in its quality cycle
It ensures it is dynamic and aligns to requirements. • minutes of committee meetings
• measure improvement through
• an agency-wide quality improvement plan
How is it evident? monitoring and assurance.
• performance templates
Implementing a risk management improvement plan • risk management KPIs
continuously enhances risk management and risk. • control effectiveness assessment reports
• audit reports.
41
APPENDICES
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41
42
APPENDICES
Service A low appetite to lose a valued position of trust with our clients. Board-approved
≥85% 75% – 80% ≤75%
Delivery We will maintain a level of client engagement of at least 85%. minimum level
Provide services and A moderate appetite to innovate through projects and R&D
products to enhance to benefit our clients.
our clients’ capacity Annual board-
Projects We accept that 10% of project effort may not result in ≥10% 10% – 20% >20.0%
approved budget
immediate or direct client benefits as long as lessons are
learned for future services and products.
Maintain high levels Information
A very low appetite for information security breaches, frauds Government Information
of information Management
or proven ethical complaints. Security Policy Standard, 0 instances 0 instances
governance, security & Legal
We maintain a zero tolerance for such events. Compliance Standard
and accountability Compliance
43
APPENDICES
2. Identify expectations of stakeholders and their general 2. Establish the preferred methods for communicating 2. Ensure adequate systems (technology) to facilitate
attitude to the risk profile and its capacity to bear the with each stakeholder group (e.g. memoranda, monitoring, timely reporting and escalation when
risks. Using surveys or event-based scenarios may governance meetings, etc). tolerances are exceeded.
assist with this.
3. Identify and agree on points in the business where 3. Establish the content and form of risk appetite 3. Ensure corrective actions to address variations
key decision making is pivotal, so that risk appetite communication (policy inclusion, memorandum, are identified and implemented and that progress
can be applied at those points (e.g. strategic planning, bulletin, poster, etc). is reported.
projects, organisational change, etc).
4. Identify how risk appetite performance will be 4. Review risk criteria to ensure it reflects risk appetite
monitored (e.g. key performance indicators). and tolerances.
5. Identify the limits for each risk appetite statement (e.g. 5. Confirm that the performance of the risk appetite
total annual loss is not to exceed 5% of budget or $50K). statement will be monitored by the Responsible Body.
44
APPENDICES
Context summary including a plan for phase 2 Strategic risk profile for assessment and treatment Validated strategic risks with treatment plans
planning in phase 3
45
APPENDICES
Objective: Supporting high-quality Government Category: Human Resources Category: Information Management and Security
decision making and implementation
Objective: Improve staff capability to provide Objective: Upgrade learning management system
high-quality advice to support increased capability requirements
Risk description
An ineffective recruitment program (cause) leads to Risk description Risk description
lack of policy expertise in key roles (event) resulting in
Poorly implemented learning management system Ineffective subject matter expert identification (cause)
sub-standard policy advice to Government (impact).
(cause) leads to staff not completing required training leads to poor quality specification design for IM learning
(event) resulting in key skill gaps (impact). management system upgrade (event) resulting in
product that doesn’t meet user needs (impact).
Objective: What is it we are trying to achieve? Provide new public infrastructure in a Melbourne
growth corridor by the end of the year.
What would cause this risk to occur? Late changes to specifications for the new infrastructure
What event would impact our ability to be successful Designs and drawings are delayed
in achieving our objective?
What potential impacts are there if the event occurred? Delay in delivery of the new infrastructure and
avoidable costs to the community
46
APPENDICES
• A
pprovals/delegations, charters, committees are in place • Documented in risk escalation protocol • I ncluded as part of formal process for corporate and
and reviewed business planning
• Defined in category of risks
• Oversight, monitor, review, assurance established • Undertaken for projects or major initiatives
• Described in consequence table
• R
eporting and escalation through to the Responsible • Discussed at meetings and minuted
• Included in treatment/action plans
Body are developed and applied • Defined in risk criteria
• Included in risk improvement plans
• P
rotocols, memorandum of understanding or • Described in consequence table
agreements developed • Escalation protocols developed and applied
• Included in treatment/action plans, initiatives
• R
esponsibility included in relevant position descriptions • Adequate resources allocated
• Developed treatment plans/action plans
and featured in terms of reference for committee • People have capability
• Demonstrated evidence of analysis assessment
• Part of attestation process • I ncluded in risk register, business continuity,
incident register • Communicating, collaborating, consulting
• Ensuring agency can demonstrate how inter-agency and
State significant risks are addressed • Agenda item and documented in minutes of meeting • Monitoring, reviewing, reporting
47
TEMPLATES
1. Risk Management Policy – Draft a risk management policy including the purpose, objectives and mission statement
4. Risk Register Example – Record all risks identified in the risk assessment process