Risk Management FAQ's

The Australian and New Zealand Standard for Risk Management (AS/NZS 4360:2004) defines risk as “the chance of something happening that will have an impact on objectives.”

Objectives are often linked with strategic levels within an organisation so this definition may not be relevant to your entire organisation. RiskCover’s Risk Management Services therefore utilise a broader definition of risk, “anything that can prevent you from successfully achieving what you have set out to achieve, in terms of strategic direction, daily activities or a specific project.”

The Australian and New Zealand Standard for Risk Management (AS/NZS 4360:2004) defines it as “the culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects.”

At its most effective, risk management is fully integrated into the planning and management of an organisation across all levels, including strategic, operational and project.

Please see RiskCover’s  Risk Management Guidelines (1,431KB) for more information.

The process is defined in the Australian and New Zealand Standard for Risk Management (AS/NZS 4360:2004) as “the systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.”

For further information, refer to the  Risk Management Guidelines (1,431KB) or contact RiskCover.

"Business Continuity Management provides the availability of processes and resources in order to ensure the continual achievement of critical objectives (HB 221:2004)."

OR

"Business Continuity Management is the act of anticipating incidents which will affect mission critical functions and processes for the organisation and ensuring that it responds in a planned and rehearsed manner (Business Continuity Institute)."

Please see RiskCover’s   Business Continuity Management Guidelines (1,69KB) for more information.

The following documents state the compliance requirements in relation to risk management for all Western Australian Government Agencies.

To download the   Treasurer’s Instruction 825 (2,55KB) (29/04/2005)

RISK MANAGEMENT AND SECURITY

“The Accountable Officer or Authority shall ensure that:

1. there are procedures in place for the periodic assessment, identification and treatment of risks inherent in the operations of the department or statutory authority;
2. suitable risk management policies and practices are developed;
3. an appropriate level of security is maintained over moneys, public and other property of or under control of the department or statutory authority; and
4. these procedures, policies and practices are documented in the accounting manual or other relevant policy manuals.”

To download the  Premiers Circular (2006/3) (26.1KB).

RISK MANAGEMENT AND BUSINESS CONTINUITY PLANNING

“All public sector bodies must practise risk management, regularly undertake a structured risk assessment process to identify the risks facing their organisations, be able to demonstrate the management of risks, and where appropriate, have continuity plans to ensure they can respond to and recover from any business disruption.

Public sector bodies must submit details of their risk management policy, assessment processes and continuity plans to RiskCover in accordance with a schedule that will be provided by the Department of the Premier and Cabinet.”

For further information, please contact RiskCover.

Please see RiskCover’s  Business Continuity Management Guidelines (1,69KB) for more information.

The identification and assessment of risk, and the development of treatment strategies to manage those risks should be an integral part of your planning process. The management strategies you develop and implement to ensure you achieve your objectives will be those identified to manage risk.

No. There are many aspects to achieving success. Risk management is simply one perspective to managing your business. However, it does improve decision making, helps avoid surprises and improves your chances of success.

There are six critical factors to the successful implementation of risk management within your agency:

1. Leadership commitment

   Without demonstrated commitment from the leadership of the agency, the implementation will not succeed. The leadership is charged with defining the responsibilities of each of the members of the agency with respect to both the services or functions they perform and therefore the risks they should be managing.

   As part of the implementation strategy, a senior executive manager needs to be nominated as sponsor of the initiative to ensure that the process becomes an embedded part of the culture of the organisation.

2. Develop and communicate a policy

   Develop a policy which includes a definition of the objectives and rationale for managing risks, provides guidance and common language for measuring risks (i.e. Risk Reference Tables), sets the criteria for managing risks (i.e. what is acceptable risk?), identifies responsibilities and accountabilities for the management of the risks and indicates how the agency's risk management performance is to be measured.

   The policy then needs to be effectively communicated to all stakeholders and employees of the agency.

3. Develop a systematic and embedded process

   Formal procedures for the identification, assessment, acceptance, treatment and reporting of risks need to be developed and clearly documented. The procedures should be based on a logical and systematic process — set at a level appropriate for your organisation. They should also indicate how the risk management process is integrated into your planning and reporting mechanisms at the strategic, operational and project level.

4. Implement the process

   Once the agency has established exactly how risk management is to be integrated into their existing management processes and structures, an implementation plan can be developed, which documents the steps needed to roll out the risk management process to the whole of the agency. At this point it is a good idea to consider a staged implementation, where the results and outcomes from the implementation in one particular area or context of your business, can be reviewed. If necessary modifications can be made to the process or procedures to ensure that the agency obtains maximum benefit.

   For a sample Risk Management Implementation Strategy please contact RiskCover.

5. Information management

   The information generated by this process needs to be managed appropriately, and consideration needs to be given to how the information is stored, accessed and reported. RiskCover has developed two risk management systems called RiskBase® - (1) web application and (2) an access database which are freely available to WA Government Agencies. General Information on RiskBase® is available in the   RiskBase® web application (568 KB) and   RiskBase® access database User's Guide (231 KB). As part of implementing a risk management tool, consideration needs to be given to issues of access, security, audit trail, data integrity and technical support.

6. Reality checks

   A critical part of the risk management process is to ensure that appropriate monitoring and review mechanisms are in place. These need to address both the outcomes of the process i.e. the risks, controls and treatment plans, but also the process itself in terms of its efficiency and effectiveness. Risk management should be implemented in such a way as to create specific value to the managers and stakeholders. If the outcomes of the process are not useful or relevant, then the implementation needs to be reviewed and changed to enable you to extract maximum benefit.

   One method for evaluating the effectiveness of the risk management program is to establish a system of incident reporting, where all incidents which have an impact on the ability of the agency to carry out its functions or service, or achieve its objectives, are monitored and reported. By tying these incidents back to the risk management system, a direct comparison can be made between the risks (what may go wrong) against the incidents (what has actually gone wrong). This valuable information can and should be used to improve the management of risks within your agency.

By implementing risk management you can expect to achieve the following:

• Improved chances of successfully achieving goals and objectives.
• Develop a thorough understanding of your risk exposures.
• Effectively manage the risk/reward balance in the provision of services to clients, the management of staff and the environment.
• Satisfy corporate governance and compliance requirements.
• Prevent unpleasant surprises, protect from loss and maximise opportunities.
• Ability to demonstrate due diligence.

The management of risk is an integral part of good management practice. There is a direct relationship between risk and opportunity on all business activities and as such, an agency needs to be to identify, measure and manage its risks in order to capitalise on those opportunities and acheive its goals and objectives.

Please see RiskCover’s   Risk Management Guidelines (1,431KB) for more information.

Further information is available from:

•  Risk Management Guidelines (1,431KB)
• Risk Management Services
• Contacting RiskCover

Further information is available from:

• GRM Magazine
•  Risk Management Guidelines (1,431KB)
•  Business Continuity Management Guidelines (1,69KB)
• Risk Management Services
• Contact RiskCover

While establishing the context, it is useful to define an agency’s risks into bite sized chunks, this allows a systematic and structured approach to managing the risks at each level.

The breakdown of context recommended by RiskCover’s Risk Management Services is:

Strategic Context

From past performance, environmental scan, SWOT analysis and strategic plan, the agency’s goals, strategies and key result areas are to be identified.

Once the goals, strategies and key result areas are identified, what are the critical success factors or key dependencies for them? This then forms the context for the risk identification step.

Operational Context

From past performance, business objectives and business plans, the operational area’s function and activities are to be identified.

Once the functions and activities are identified, what are the critical success factors or key dependencies for them? This then forms the context for the risk identification step.

Project Context

From past performance, project objectives and project plans, the project phases are to be identified.

Once the project phases are identified, what are the critical success factors or key dependencies for them? This then forms the context for the risk identification step.

Please see RiskCover’s  Risk Management Guidelines (1,431KB) for more information.

Risk management is everyone’s business; however there are some key roles and responsibilities to be involved in the process to ensure effective implementation.

Senior Management

• Need to show commitment to implementation and use of the risk management process.
• Are ultimately responsible for ensuring procedures are in place.
• Are key users of risk information.

Sponsor

• A champion of the project within Executive Ranks.
• Ensure an effective risk management system is established, implemented and maintained.
• Ensure performance of risk management system is reported.

Risk Management Committee

• Communicating the risk management policy.
• Raising awareness about managing risks.
• Ensure that management of risks is an integral part of planning, management processes and culture.

Risk Management Coordinator

• Communicates practical issues on application of policy and process.
• Acquires risk management skills and tools.
• Coordinates implementation and maintenance of risk management process.
• Coordinates training and development of skills throughout the agency.
• Monitors and Reports on whole of agency risk issues.

Managers of Risks

• Management of all risk issues within their area.
• Implementing and maintaining risk management process and system within their area.
• Treating risks (where appropriate) within their area or in conjunction with other areas.
• Using risk information in strategic and business planning processes.

Important Considerations

• The roles and responsibilities need to be aligned to the agency’s structure and linked to existing management reporting lines.
• There needs to be a clear understanding of who owns the risks and treatments, and who is responsible for the process.

The role of the Risk Management Coordinator within an agency should be to:

• Communicate practical issues on application of policy and process.
• Acquire risk management skills and tools.
• Coordinate implementation and maintenance of risk management process.
• Coordinate training and development of skills throughout the agency.
• Monitor and Report on whole of agency risk issues.

The role of the risk management Committee within an agency should be to:

• Communicate the risk management policy.
• Raise awareness about managing risks.
• Ensure that the management of risks is an integral part of planning, management processes and culture.

Please see RiskCover’s  Risk Management Guidelines (1,431KB) for more information.

Please see RiskCover’s  Risk Management Guidelines (1,431KB) for more information.

Please see RiskCover’s   Risk Management Guidelines (1,431KB) for more information.

The Board and Executive of an agency play a key role in implementing risk management, without their support, the process cannot be effectively implemented. They need to show commitment to implementation and the use of risk management process, as they are ultimately responsible for ensuring the procedures are in place. To encourage this process, risk management should be a standing item on meeting agendas.

The Board and Executive are also key users of risk information and should be demanding from their agency information regarding the management of the agency’s risk. They need to be comfortable that their agency is doing all things reasonable to manage their risks

Please see RiskCover’s  Risk Management Guidelines (1,431KB) for more information.

Please see RiskCover’s  Risk Management Guidelines (1,431KB) for more information.

Please see RiskCover’s  Risk Management Guidelines (1,431KB) for more information.

A  risk owner (1,431KB) is the person assigned to a risk upon its identification, they are ultimately responsible for the management of that risk, ensuring monitoring, and review of the risk, identified controls are effective and selected treatments are progressing.

It is important that the risk owner is correctly identified to be the person with whom the buck stops regarding that risk. There is no point having a person who is in charge of a $500, 000 operating budget to own a risk that could cost the agency more than $5M.

Please see RiskCover’s  Risk Management Guidelines (1,431KB)for more information.

The Risk Reference Tables are utilised for assessing consequence and likelihood to:

• Create a common language within an agency when describing risks. This means that when someone within the agency describes a moderate consequence, others within the agency know what that means.
• When constructing the tables the agency is required to think about what is crucial to its existence (i.e. Finances, People, and Performance etc). Impacts on the identified crucial factors are then used to assess the risk.
• It eases the monitoring and review process by showing how a risk was assessed.

The following factors are to be considered when selecting treatment options:

• How will the treatment change the level of risk. Select the treatment options with the greatest reducing impact on level of risk.
• Cost of implementation versus benefits derived, involves balancing the cost of implementing each option against the benefits derived.
• Compatible with the agency’s objectives and risk evaluation criteria.

Please see RiskCover’s  Risk Management Guidelines (1,431KB) for more information.

As Government agencies are sometimes the supplier of last resort, there will be some identified risks that due to their nature are not able to be directly controlled by the agency. This does not mean that because you cannot control them you can just forget them.

There are two components to risk; the likelihood of the risk occurring and the consequence of the risk if it does occur. While you may have no control over the likelihood of the risk occurring, there are usually treatments that can be implemented that will reduce the consequence if that risk does occur.

Remember you need to do all things reasonable to manage your risks, not everything possible.

The risk information is to be utilised to:

• Aid decision making
• Report on risks
• Monitor progress of treatments
• Maintain a record of risks and responsibilities
• Demonstrate compliance

This is best done in an electronic format such as RiskBase, where various reports or information can be extracted depending on the requirements. Please see RiskCover's Risk Management Guidelines (1,431KB) for more information.

The performance measures are to be linked to risk management objectives that are usually set out in the Risk Management Policy. That is, if an objective is to increase staff awareness of risk management then a performance measure is hours/number of staff training. Ultimately, the performance indicators should be reflective of how the agency manages risks as agencies frequently fail to meet targets because risks have occurred as an incident.

Regularly reviewing the risks is necessary because:

• Risks do not stay the same
• New risks will emerge
• Existing risks may change or cease to be current
• Risk priorities may change
• The mix of stakeholders may change
• There may be organisational changes
• There may be changes to the external environment