Risk management framework

Transcription

1 Risk management framework Security classification: PUBLIC Reference number: DSITI:FW:001P Policy owner: Executive Director, Strategic Transformation & Performance Contact officer: Principal Consultant, Risk Management (07) Version Effective Date Approved by Next review date /04/2015 Policy Coordinator November 2015 Table of Contents 1 Introduction Purpose Principles and benefits The framework Risk governance and assurance Risk governance Risk assurance Risk management policy Risk management system Culture and capability Tools and templates Risk reporting Evaluation and review Risk management processes Strategic risk Departmental risk Business area risk Project and program risk Cross-agency risk Specific risk functions Definitions References Attachment 1: DSITI risk assessment matrix Attachment 2: DSITI risk rating responses... 18

2 Strategic Transformation and Performance Security classification: PUBLIC 1 Introduction While there are many varied definitions of risk it is generally accepted that if management know for certain something is going to happen it has no risk attached to it. Should there be an element of uncertainty surrounding it, then risk exists. Accordingly, the AS/NZS ISO 31000:2009: Risk management principles and guidelines defines risk as the effect of uncertainty on objectives. Risk management is not a process for avoiding risk, but rather to manage risk. The public sector tends to focus on the downside aspect of risk. However, risk doesn t just relate to the challenges facing the department, but also the opportunities; they are two sides of the same coin. The Queensland Government s values certainly encourage a positive approach to risk taking. Therefore, the framework encompasses both possible threats and opportunities, reflecting the potential for either of these to impact positively or negatively on the department s vision and purpose. Risk management should be treated as an integral part of planning, management and decision making processes that need to be considered and addressed by everyone. Effective risk management is a useful discipline in a manager s armoury and will help achieve objectives, improve service delivery, accountability and decision-making, and ultimately contribute to the success of the department. 2 Purpose The risk management framework (the framework) provides an overview of the key concepts for managing risk within the department and guidance on how the risk management processes can be integrated with normal management processes and responsibilities. The construct of the framework is based on the following prescribed legislative requirements, international best practice and government guidelines: Financial Accountability Act 2009 Financial and Performance Management Standard 2009 AS/NZS ISO 31000:2009: Risk management principles and guidelines Queensland Treasury and Trade s A guide to risk management, July Principles and benefits The framework is based on the AS/NZS ISO 31000:2009 principles (Figure 1): Figure 1 Risk Management Principles However, as in any management process, risk management has its limitations: Page 2 of 18

3 Security classification: PUBLIC Risk management framework Risk management will not make decisions for the business. Risk management will not guarantee freedom from all risk. Risk assessments will not be all-encompassing and are therefore not fail-safe. The benefits of managing risk are depicted in Figure 2: 4 The framework Figure 2 Risk management benefits A risk management framework is a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation 1. The framework (Figure 3) comprises the following four components, which are each described in the body of this document: 1. governance and assurance; 2. risk management policy; 3. risk management system; 4. risk management process. Figure 3 - Components of the risk management framework 1 AS/NZS ISO 31000:2009: Risk management - Principles and guidelines Page 3 of 18

4 Strategic Transformation and Performance Security classification: PUBLIC 4.1 Risk governance and assurance Risk governance This component of the framework purposely aligns with the department s governance framework, enabling risk related information to better inform decision-making. Figure 4 illustrates the four types of risk mapped against the department s corporate governance framework. Figure 4 Risk types mapped against the DSITI leadership and accountability model The risk governance arrangements ensure the Board of Management (BoM), governance committees, divisional heads and business area executives have the relevant information to oversee and manage their risks. For strategic level governance: BoM provide corporate governance leadership and promote effective risk management. This includes the review of the department s strategic risk profile, the associated treatment strategies, setting the department s risk appetite and moderating strategic and departmental risks from a whole-of-department perspective. The Audit and Risk Management Committee is responsible for reporting to the Director-General on the effectiveness of the risk management framework. Departmental risks will be captured in the departmental risk register, which will provide divisional heads, functional heads and governance committees with an enterprise view of risks common across all divisions, in particular human resource, finance and information communications technology related risks. For operational level governance: Page 4 of 18

5 Security classification: PUBLIC Risk management framework Executive management oversee and provide direction for risks within their business area. These risks will be captured at the operational or local level. Program and project boards will provide oversight and direction for project and program risks relating to change initiatives. These types of risks will be managed using prescribed Queensland Government program and project management methodologies (see 4.4.4). The risk governance model (Figure 5) depicts the relationship between the four risk types and how risks are captured, reported and may be escalated in line with the department s governance and accountability arrangements. Figure 5 Risk Governance model Risk assurance Risk assurance is an important component of the framework as it provides feedback to management that quality processes and controls are in place and effective. The two risk assurance mechanisms are: Risk management monitoring and reporting The department s Risk management policy details the roles and responsibilities of key officers and governance committees in relation to monitoring and reporting on risk. The effective execution of these responsibilities will provide the department with the assurance that: risks have been assessed in accordance with the department s risk management framework risks are regularly monitored and reported emerging risks are escalated to the appropriate level of management assurance mechanisms from various sources map to the risks that threaten objectives. Page 5 of 18

6 Strategic Transformation and Performance Security classification: PUBLIC Internal Audit Internal Audit s annual plan tests the internal controls around DSITI s material risks. Internal Audit may periodically conduct reviews of the risk management framework and report on its effectiveness. They will bring objectivity and consultation by using a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. 4.2 Risk management policy The policy is a key component of the risk management framework and states the overall intention and direction of the department s senior executive in relation to risk management, emphasising the risk management philosophy and responsibilities for managing risk. The key objective of the policy is to ensure everyone actively manages risk within their area of responsibility and fosters a culture where risk is appropriately identified, assessed, communicated and managed. The policy is managed by the Strategic Transformation and Performance (STP) unit and will be reviewed annually to reflect any changing circumstances within the department. 4.3 Risk management system Risk management capability is a key driver for the effective management of risk. This component of the framework describes the systems that support a risk capable organisation. To build a risk capable department it is important for staff to be provided with relevant training, tools and templates. Deputy/Assistant Directors-General, General Managers, Executive Directors and Directors are responsible for ensuring their staff are appropriately skilled, trained and supported to identify and manage risks effectively. By cultivating a risk capable organisation the department will enhance its awareness and responsiveness so that risks and opportunities can be identified and managed Culture and capability All managers within the department have an important role in developing a risk aware culture. The Queensland Government s values positively encourage a risk culture where understanding, managing and calculating a prudent level of risk is part of the everyday decision-making process. This is in contrast to a negative risk culture where people are risk averse, ignorant of risk or overconfident with risk-taking. The elements that will contribute to a positive risk culture are: leadership, which is articulated in the policy communicating the benefits of risk management integrating risk management with other business processes and systems so the task of managing risk is not regarded as an additional burden Tools and templates STP has developed guidelines, tools and templates to assist staff in the identification, analysis and monitoring of risk. Refer to risk management processes and guidelines in section 4. These tools and templates will include: guidelines for managing strategic, departmental and business area risks Page 6 of 18

7 Security classification: PUBLIC Risk management framework departmental risk criteria (consequence and likelihood table and risk matrix (see Attachment 1)) departmental risk register template and supporting guidelines Risk reporting Risk reporting is an important way of communicating risk information across the department and to stakeholders. Therefore, risk reporting has been closely aligned with the department s governance structure (Figure 5). The department has multiple layers of reporting: 1. Strategic and significant operational risks that affect the department as a whole will be reported to BoM at least quarterly and more often when BoM identifies a need to monitor more regularly. The STP unit will coordinate risk reporting to BoM. 2. Departmental risks will be captured in the departmental risk register. These are the high and extreme risks extracted from the business area risk registers and reported to BoM, governance committees and corporate functional heads. The secretariat of each governance committee will coordinate relevant risk reporting to the governance committees for consideration at each meeting. 3. Divisional Heads, General Managers, Executive Directors and Directors should define risk reporting timeframes and requirements for their areas of responsibility. Risk reporting at the business area level should be integrated into existing reporting arrangements Evaluation and review Risk management goes beyond reviewing the risks themselves and extends to reviewing the department s risk management capability and governance systems. As risks, risk management capabilities and the risk environment are constantly changing and evolving, there will be a regular review of the risk management framework to ensure it is fit for purpose. The Audit and Risk Management Committee is responsible for reviewing the adequacy of the department s risk management framework and its application. While the committee has no responsibility for managing the risks themselves, they are responsible for regularly reviewing the framework to provide assurance to the Director-General that it remains relevant and robust. Business areas should periodically evaluate their local risk management practices to ensure they align with the framework and are operating effectively. An emphasis will be placed on continual improvement in risk management through the review and subsequent modification of processes, systems, resources, capability and skills. 4.4 Risk management processes The department aims to create a culture where understanding, managing and accepting risks are seen as part of everyone s decision making processes. To do this, the management of risk is embedded within the department s business processes. As shown in the risk governance model (Figure 5) the framework defines four risk types. These are described briefly below Strategic risk Strategic risks are the high level, long-term risks, which can be complex and less easy to quantify. They are the risks of most concern to the senior executive and therefore require direct attention by Page 7 of 18

8 Strategic Transformation and Performance Security classification: PUBLIC BoM. They are usually identified through analysis of environmental factors, stakeholder expectations and strategy development and will likely have a material impact on the department s ability to achieve its government mandate and strategic objectives. Strategic risk management is not intended to identify every risk facing the department but to identify those that are most significant to achieving its vision and purpose. Therefore, strategic risk management is most effective when conducted as an integral part of the strategic planning process. This type of risk information will be presented via a strategic risk profile, i.e. a high-level synopsis of the department s key risk factors, developed in consultation with senior management, which includes the risk treatment strategies that require implementation. In determining the strategic risk profile the department will have to collect information, through environmental scanning, which is broad enough to include a range of trends, influences and time horizons. The department s strategic risk profile will be refreshed on a six monthly basis to alert BoM to potentially significant changes to the operating environment. Knowledge of the internal and external challenges will also help determine the department s risk appetite, which is the amount of risk the department is willing to accept in pursuit of its vision and purpose. A good understanding of the internal and external context, including government priorities and interagency demands, will increase awareness of the risks we face, identify threats and opportunities, build resilience, and improve long/medium term planning. Refer to the Strategic risk management process and guidelines (under development) for a description of managing strategic risk Departmental risk Departmental risk predominantly relates to corporate services and functional business processes that support the department s service delivery objectives, e.g. finance, procurement, human resources, industrial relations management, information management, technology etc. On a quarterly basis the high and extreme risks will be extracted from the business areas risk registers and consolidated into a single departmental risk register, owned and maintained by the STP unit. This risk type takes a horizontal perspective of risk across the department. Figure 6 illustrates the horizontal view in contrast to the vertical/hierarchical view of divisional and business area risk. The identification of departmental risks will support BoM, governance committees, divisional heads (ADG, DDG) and functional heads (CFO, CIO) in fulfilling their responsibility for overseeing risks across the department. In view of this, corporate functional heads have to consider risk from two perspectives: business area risks those risks that relate to their business area s purpose, objectives and operations departmental risks those risks that relate to the department as a whole, or a number of business areas. While this risk type mainly focuses on corporate services, there may be risks that affect other agencies. In which case, high and extreme interagency risks should also be recorded under the departmental risk register. Page 8 of 18

9 Security classification: PUBLIC Risk management framework Figure 6 Departmental risk type (horizontal and vertical risk perspectives) Business area risk Business area risks (also known as operational risks) are the day-to-day risks associated with business area activities. It is these risks that will most likely have a material impact on a business areas ability to achieve its business and operational objectives. These risks are managed by the individual business areas and relate to the business area s purpose, objectives and operations. By integrating risk management into business and operational planning, risks can be managed vertically (Figure 6), linking operational plans and specific purpose plans with the department s strategic plan. Each business area has responsibility for managing their key risks and recording them in a risk register. The high or extreme risks, rated by the business areas, will be extracted and entered in the departmental risk register. Each risk rating will be re-evaluated against the DSITI risk assessment matrix to ensure risks align with the broader departmental context. The risk management process to be used is based on AS/NZS ISO 31000:2009: Risk management Principles and guidelines (Figure 7). The business area Risk management process guideline describes the process for managing and assessing risk in greater detail. The guideline includes: process description risk assessment matrix (see Attachments 1 and 2) risk register template risk categories Page 9 of 18

10 Strategic Transformation and Performance Security classification: PUBLIC risk identification techniques risk controls and effectiveness. Figure 7 AS/NZS ISO risk management process Project and program risk Project and program risk refers to the risks unique to a specific project/program. The department regularly undertakes significant projects and programs, management of which should be consistent with the Queensland Government Project and Program Management methodologies. These methodologies stipulate the requirement and approach to managing risk within the project/program environment and align with the AS/NZS ISO 31000:2009 Risk management Principles and guidelines. Projects and programs should maintain a separate risk register and regularly report the risks to the project/program governing body. Any significant risk that is strategic in nature should also be incorporated in the departmental risk register to ensure visibility across the enterprise. Some technical projects may use customised likelihood and consequence scales, e.g. timeframes, budget, quality benefits. In these circumstances strategic or extreme risks should be moderated against the department s risk assessment matrix. For example, a cost over-run of 100% of a project budget may be extreme within the context of the project, but only moderate or low within the broader departmental context. Page 10 of 18

11 Security classification: PUBLIC Risk management framework Cross-agency risk Cross-agency risk is a risk that relates to more than one agency and may require treatment by multiple agencies to be effective. As the Queensland Public Sector embarks on a number of major reform initiatives, cross-agency risk management will require a high level of collaboration. DSITI is a major provider of services across government and has lead agency responsibility for whole-of-government ICT reform, as well as participatory responsibility for other government-wide initiatives. Therefore, any cross-agency risk that requires the department to contribute to the treatment strategy should be formally recorded and a suitable risk owner nominated to ensure the risk/treatment is managed effectively. If there is no suitable risk owner, i.e. the risk is beyond the nominee s delegation, the risk should be formally escalated up the governance hierarchy for reassignment. As a lead agency (ICT Reform) the department is responsible for opening up the dialogue within the cluster of departments and gaining a broader understanding of the relationship between the agency s risks, cross-agency risks and whole-of-government risks Specific risk functions Fraud and corruption Fraud and corruption risk management is an important subset of the department s overall risk management framework. The department and constituent business areas are required to conduct a fraud risk assessment on a regular basis, in doing so; the assessment should be consistent with the process prescribed in the framework (Figure 7). Correspondingly, provision for fraud has been integrated into the departmental risk register to enhance fraud and corruption reporting. Refer to the Fraud and corruption prevention policy and Fraud and corruption reporting guideline. Business continuity management Some risk is unavoidable and it is not within the ability of the department to completely manage, e.g. natural disasters. A key strategic risk for the department and its business areas is the inability to remain operational and continue delivering government services. In these instances, the only action that can be taken is the preparation of contingency plans for business continuity. Business continuity management is a key mitigating factor as it increases the department s resilience in, response to and recovery from events that may disrupt business services and operations. Refer to the Business continuity and community resilience policy and framework. Work Health and Safety Officers (persons conducting a business or undertaking) are responsible for protecting workers and other persons against harm to health, safety and welfare through the elimination or minimisation of risks arising from work or from particular types of substances or plant. The management of risk is an important element in gaining an understanding of the operation and taking into account all relevant matters including: likelihood of the hazard or the risk concerned occurring degree of harm that might result from the hazard or the risk what the person concerned knows, or ought reasonably to know about the hazard or the risk and ways of eliminating or minimising the risk the availability and suitability of ways to eliminate or minimise the risk. Page 11 of 18

12 Strategic Transformation and Performance Security classification: PUBLIC Non-compliance with Work Health and Safety legislation can result in severe consequences, including personal fines up to $600,000 or imprisonment for up to five years. Refer to the Work health and safety policy. 5 Definitions The following definitions are consistent with AS/NZS ISO 31000:2009 and ISO Guide 73:2009 (where applicable). Term Business area Business area risk Cause Consequence Definition A departmental unit that reports to an Assistant/Deputy Director-General Risks that relate to the business areas purpose, objectives and operations. Also see Operational risk. Something that results in an event. The outcome of an event or circumstance affecting the achievement of objectives. An event can lead to a range of consequences A consequence can be certain or uncertain and can have positive or negative effects on objectives Consequences can be expressed qualitatively or quantitatively Initial consequences can escalate through knock-on effects. Control Measure that is modifying risk. Controls include any process, policy, device or practice, or other actions which modify risk Controls may not always exert the intended or assumed modifying effect. Corruption Current risk Involves a breach of trust in the performance of official duties and includes conduct which does or could adversely affect the honest or impartial exercise of official functions by an employee, whether or not for the benefit of the person. It also includes conduct by an employee involving dishonesty or failure to impartially exercise an official function. The risk remaining after risk treatment. It is the level of risk that remains after assessing the effectiveness of the controls, treatments and any management strategies and other mechanisms currently in place to modify a particular risk. Note: this is the same definition as residual risk in the ISO Guide 73:2009. Efforts have been made to use everyday language rather than purist risk management speak. Departmental risk Operational risks that relate to the department as a whole, sometimes referred to as 'corporate risk'. These risks are common across multiple business areas or potentially interagency. Page 12 of 18

13 Security classification: PUBLIC Risk management framework Term Division Divisional head Existing control Fraud Impact Interagency risk Level of risk Likelihood Operational risk Definition A group of business areas that report to a Deputy/Assistant Director-General. Deputy Director-General or Assistant Director-General responsible for a number of business areas. Controls that are in place at the time of risk identification and at the time of initial risk rating. Refers to an intentional dishonest act or omission done with the intent of deceiving. It may have the object of obtaining a benefit for some person or causing a detriment. It includes the situation where a person makes a false representation about something and lacks belief in the truth of the representation or makes it recklessly, not caring whether it is true or false. See Consequence A risk that relates to more than one agency (for example, collaborative projects) and requires treatment by multiple agencies to be effective. The magnitude of a risk measured in terms of the combination of the consequences and likelihood. The chance of something happening. Those risks that arise in day to day operations, and which require specific and detailed response and monitoring regimes. If not treated and monitored organisational risk could potentially results in major adverse consequences for the department. Queensland Treasury and Trade s A guide to risk management further expands on this definition, stating: A risk that may arise in day to day operations and could have an impact on the achievement of: the department s strategic objectives from the perspective of actions undertaken by a particular division, business area, branch or work unit program or project management objectives Also see Business area risk. Program Project A grouping or list of projects and activities planned and managed in a coordinated way in order to achieve outcomes and realise benefits. A temporary process or endeavour which has a clearly defined start and end time, a structured set of activities and tasks, a budget and a specified business case. Page 13 of 18

14 Strategic Transformation and Performance Security classification: PUBLIC Term Project management Residual risk Risk Definition The management of the full project life cycle to ensure stakeholders are fully engaged, risk is actively managed and outputs are delivered. It is the planning, monitoring and control of all aspects of the project to achieve the project objectives on time and to the specified cost, quality and performance. See Current risk The effect of uncertainty on objectives. An effect is a deviation from the expected positive and/or negative. Objectives can have different aspects and can apply at different levels (such as strategic, organisation wide, project, product and process). Risk is often characterised by reference to potential events and consequences or a combination of these. Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence. Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood. Risk analysis Risk appetite Risk assessment Risk category Risk criteria Risk description Risk escalation Risk evaluation The systematic process to comprehend the nature of risk and level of risk. The amount and type of risk the department/business area is prepared to pursue or take to achieve an objective. The three process steps of risk identification, risk analysis and risk evaluation form the risk assessment. A way of categorising a risk to enhance risk identification and analysis and risk reporting. Terms of reference against which the significance of a risk is assessed. Statement of risk, which describes the risk in terms of the risk event, causes and consequences of the risk. Process facilitating a change of risk ownership to a next higher management level in cases where the approval and management of additional controls is beyond the delegation/authority of the management level at which the risk was identified. Process of comparing the results of the risk analysis against risk criteria to determine the level of risk and whether it is tolerable or not. Page 14 of 18

15 Security classification: PUBLIC Risk management framework Term Risk event Definition An uncertain occurrence or set of circumstances, that should it occur will have an effect on the achievement of an objective. An event can consist of something not happening An event can be one or more occurrences, and can have several causes. Risk treatment action Strategic risk Any specific action designed to reduce the likelihood or consequence of a risk. Risks that may affect the department s ability to meet its overall purpose and strategic objectives and require direct oversight by BoM. 6 References The requirements set out in this document are based on, and are consistent with, relevant government legislation, regulations, directives, information standards and/or policies at the time of publication. Legislation and regulations Financial Accountability Act 2009 Financial and Performance Management Standard 2009 Work Health and Safety Act 2011 Professional standards AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines IEC/ISO Risk Management Risk assessment techniques ISO Guide 73:2009 Risk Management - Vocabulary Standards Australia HB Risk Management Guidelines on risk assessment techniques Queensland Government documents A Guide to Risk Management, Queensland Treasury and Trade Beyond Agency Risk Auditor-General of Queensland Report to Parliament No 6 for 2007 Better Practice Guide Risk Management Queensland Audit Office Financial Accountability Handbook Queensland Treasury and Trade Queensland Government Project and Program Management methodologies DSITI documents Business continuity and community resilience framework Business continuity and community resilience policy Page 15 of 18

16 Strategic Transformation and Performance Security classification: PUBLIC Fraud and corruption prevention guideline Fraud and corruption prevention policy Risk management policy Risk management process guideline Risk register template Strategic risk management process and guidelines (under development) Work health and safety policy Other documents Risk Management Toolkit for the NSW Public Sector 7 Licence The Risk management framework by The State of Queensland, Department of Science, Information Technology and Innovation is licensed under a Creative Commons Attribution 4.0 International licence. To view a copy of this licence, visit Page 16 of 18

17 Security classification: UNCLASSIFIED Risk management framework Attachment 1: DSITI risk assessment matrix Consequence level Severe Major Moderate Minor DSITI Consequence Description Threatens the department s ability to meet government priorities, deliver public value or achieve strategic objectives. Financial Long term impact on departmental finances. Losses not recoverable beyond the next financial budget jeopardising critical business functionality and services. Or, exposure of >$500k to unfunded financial commitments 2. Service Delivery Disruption to multiple critical deliverables 3. Causes acute and protracted problems for clients and stakeholders. Reputation Affects the department s long term credibility with clients and stakeholders. Loss of public trust. Severe political consequences that incur Parliamentary enquiries or prolonged public scrutiny / media attention. People/WHS Reduced workforce capability/capacity threatens long term service delivery. Death or permanent disablement. Environmental Permanent damage to the environment. Financial Medium term impact on departmental finances. Losses not recoverable within current financial budget. Or, exposure of between $100-$500k to unfunded financial commitments 2. Service Delivery Disruption to a critical deliverable 3. Threaten the completion of strategic program/project and business case benefits. Causes problems for clients and stakeholders in fulfilling their obligations. Reputation Have a detrimental effect on the department s short term credibility with clients and stakeholders. Political consequences for the department, incurring independent enquiry or short term public scrutiny / media attention. People/WHS Reduced workforce capability/capacity unable to support key services. Serious injury or work caused illness. Environmental Long term detrimental impact on the environment. Financial Short term impact on departmental finances. Losses recoverable within the current financial budget. Or, exposure of <$100k to unfunded financial commitments 2. Service Delivery Interruption to essential support deliverables and associated service performance targets. Threatens the realisation of some program or project benefits. Reputation Cause client and stakeholder dissatisfaction, and has a detrimental affect on the business area s credibility and stakeholder relations. Incur significant review or change manner of delivery. People/WHS Reduced workforce capability/capacity affects service quality. Injury/illness requires medical treatment. Environmental Short term impact on the environment. Able to be contained with specialist assistance. Financial Minimal impact on departmental finances. Losses recoverable within the current financial budget. It would have some minor financial implications requiring a review of financial internal controls. Service Delivery Minor interruption to a service/s and associated service performance targets. It would be detrimental for some aspects of the program or project. Reputation It would cause some client or stakeholder complaints requiring additional management. People/WHS Reduced workforce capability/capacity affects operational processes. Localised first aid required. Environmental Minimal detrimental impact on the environment. Unlikely Occurrence is conceivable, but not expected to occur. A < 30% chance of this risk eventuating Likelihood level Possible The event may occur at some time A 30-60% chance of this risk eventuating Likely The event may occur at least once over the coming year A 61-90% chance of risk eventuating Almost certain Can probably expect it to occur in most circumstances. A >90% chance of this risk eventuating Medium High Extreme Extreme Medium High High Extreme Low Medium High High Low Low Medium Medium 2 The $ value is a guide. Where necessary, advice should be sought from DSITI Finance, Procurement and Business Services to estimate materiality consequences 3 Definitions have been taken from the Business continuity and community resilience policy and framework. Page 17 of 18

18 Strategic Transformation and Performance Security classification: UNCLASSIFIED Attachment 2: DSITI risk rating responses Risk rating Extreme High Medium Low Response Reported to Director-General via DDG/ADG and existing management structures within 48 hours of identification. Risk owner assigned. Risk target established and risk treatment actions developed including contingency plan. BoM/Governance committees to be made aware and provide guidance. Progress regularly reported to BoM. Reported to Director-General via DDG/ADG and existing management structures. Risk owner assigned. Risk target established and where risk target is lower than overall risk rating, establish risk treatment actions and contingency plan (where relevant). Progress reported to BoM, DDG/ADG or Functional Heads. Reported to General Manager/ Executive Director/Director via existing management structures. Risk owner assigned. Risk target established and where risk target is lower than overall risk rating, establish risk treatment actions and contingency plan, (where relevant). Progress reported regularly to GM/ ED/ Director or Functional Heads. Monitor the risk. Should be managed via routine procedures and internal reporting mechanisms Risk owner assigned. Risk acceptability Unacceptable Unacceptable Risk eventuation may be tolerable under certain circumstances Acceptable Page 18 of 18