RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES
GOVERNMENT ACCOUNTING SECTION
DEPARTMENT OF FINANCE
MARCH 2004
Risk Management Guidance

CONTENTS

List of guidelines on risk management
1. Introduction
2. Initiating Risk Management and sustaining it
3. Risk Management Structures
4. Risk Identification
5. Risk Assessment
6. Mitigating Risk
7. Risk Monitoring and Reporting

Appendices
1) Extracts from the Mullarkey Report relevant to risk management
2) Questions designed to test the extent to which risk management has been embedded in an organisation
3) Sample risk register
4) Risk Management models and standards
GUIDELINES ON RISK MANAGEMENT

1. Each Department [1] is to initiate risk management as an integral and ongoing part of its management process, and it is the MAC that should put in place effective mechanisms to carry out risk management accordingly.
2. The risk management process should be kept as simple and straightforward as possible, and existing structures should be used as far as possible.
3. Each Department should have clearly defined risk management structures and responsibilities.
4. Departments should repeat the process of risk identification at least once a year.
5. Departments should assess identified risks at least once a year.
6. When risks have been identified and assessed, Departments should determine an appropriate method for addressing them.
7. Departments' risk management systems should provide for monitoring and reporting at various levels of management.

[1] Throughout this document Department(s) should be read as Department(s)/Office(s).
1 INTRODUCTION

1.1 Purpose of this guidance

This document has three purposes:
- First, it provides an introduction to the concept of risk management.
- Second, it outlines the roles and responsibilities of managers and staff in establishing and maintaining a robust organisation-wide approach to managing risk, and provides a number of specific guidelines that Departments should follow in this regard.
- Third, it describes a number of techniques that can be employed to develop a structured and systematic approach to managing risk.

1.2 Mullarkey Report recommendations on risk management

The Report of the Working Group on the Accountability of Secretaries General and Accounting Officers (the Mullarkey Report), endorsed by the Government and published in January 2003, inter alia, recommended that risk assessment and management should be integrated into the management processes of Departments within two years of the publication of the Report.

The Report recommended that the risk management system should concentrate on the principal risks to the organisation as well as the principal risks arising from its relationship with other organisations. The risk assessment and management process should be integrated into existing management systems and should be kept as simple and straightforward as possible. In introducing a risk management programme, full use should be made of existing systems, processes, procedures and reporting structures. Risk management should feature on the agenda of divisional meetings and of the meetings of the Management Advisory Committee. It should also be integrated with the business planning cycle.

The Report also recommended that central guidance on the development of a risk strategy appropriate to Government Departments should be prepared by the Department of Finance. This Guidance Note aims to fulfill the Department of Finance's role in the process. Appendix 1 contains all the text of the Mullarkey Report relevant to risk management.
1.3 What is risk and why is it important to manage it?

Risk can be thought of as a possible loss or other adverse consequence that has the potential to interfere with a Department's ability to achieve its objectives and fulfill its mission. Risks to the achievement of objectives can be due to both internal and external events. Effective risk management offers Departments a means of improving their strategic, operational and financial management. It can also help to minimise financial losses, service disruption, adverse publicity, and threats to public health or compensation claims.

1.4 What is risk management?

Risk management is a process of clearly defined steps which support better decision-making by contributing a greater insight into risks and their impacts. Risk management is not a stand-alone activity that requires special skills and resources that add to the administrative burden. The focus should be on successfully managing risk rather than on the system of risk management. Therefore Departments should integrate risk management practices into existing corporate frameworks, rather than advancing risk management as an isolated operation. Staff should be encouraged to manage risks systematically, and this should lead to the development of a risk management culture in Departments rather than a standalone risk management function.

Perhaps the position of risk management can be summed up in three key messages:
- risk management is the concern of everyone in the Department;
- risk management is part of normal day-to-day business;
- the process of managing risk is logical and systematic and ideally should become second nature.

1.5 Benefits of risk management

By identifying risks and implementing an action plan to address them in a systematic way, Departments can protect their ability to provide public services. By including risk management in strategic planning processes, Departments can make decisions on services with a greater degree of safety.
Of course, risk management will become standard practice only if there is a clear understanding of what it entails and the benefits that it can secure for the achievement of key objectives. Departments will therefore need to consider how the benefits of risk management should be achieved, e.g. by considering what specific staff training might be required. Appendix 2 lists a number of questions designed to test the extent to which risk management has been embedded.

1.6 Risk Management Cycle

The process of risk management involves a cycle of identifying risks, evaluating their potential consequences and determining the most effective methods of responding to them (i.e. of reducing the chances of them occurring and reducing the impact if they do occur). The cycle is completed by a system of regular monitoring and reporting.

Figure 1 The Risk Management Cycle: Risk Identification -> Risk Assessment -> Risk Mitigation -> Risk Monitoring -> Risk Reporting (and back to Risk Identification).

Sections 4 to 7 deal with each stage of the risk management cycle.
2 INITIATING RISK MANAGEMENT AND SUSTAINING IT

Guideline
Each Department is to initiate risk management as an integral and ongoing part of its management process and it is the MAC that should put in place effective mechanisms to carry out risk management accordingly.

Initiating Risk Management

"The responsibility for risk management within an organization clearly lies with the board (or equivalent) who should be responsible for setting the strategy and senior management who should be responsible for implementing the strategy, although it is clear that everyone within an organization bears some risk management responsibility." [The Institute of Internal Auditors UK and Ireland - Position Statement]

Risk Management is a very important management process. Its importance requires that MAC be seen to initiate it and attach proper weight to it, and also that MAC be seen to put in place effective mechanisms to ensure that the Department's risks are properly identified, assessed and managed, and regularly reviewed and reported on.

The approach to risk management should be driven by a Department's objectives as detailed in its Statement of Strategy. Risk management strategies and programmes should focus on those items that could prevent the achievement of the objectives specified in the Statement of Strategy.

There is a need to start sensibly and build from a solid base. Departments may choose to concentrate initially on a small number of high impact and likelihood risks. Alternatively, only a small number of risks could be initially identified for each Division.

Sustaining it

The MAC decision should make clear who is to do what as regards risk management, and should set a clear timeframe for completion of a first round of risk identification, assessment and mitigation and the submission of a report to it on the outcome. The MAC decision should also make clear that:
- risk management is to be an ongoing process, by laying down a rota (preferably annual) according to which risks are to be identified and assessed, accompanying control measures are identified and put in place, and a report is made to MAC;
- risk management is to be a regular agenda item at Divisional meetings; and
- where relevant, risk management responsibilities are to be included on PMDS forms.

Finally, risk management is to be an ongoing feature of Departmental management from now on, so it can be improved as time goes on. There should be regular review and reporting to management on risk management and on the integration of risk management into business planning. The crucial thing at the beginning is to get a sensible, practical process going that produces results. The process can always be perfected over time.
3 RISK MANAGEMENT STRUCTURES

Guideline
Each Department should have clearly defined risk management structures and responsibilities.

Guideline
The risk management process should be kept as simple and straightforward as possible, and existing structures should be used, as far as possible.

3.1 Risk management will have a better chance of becoming embedded in a Department if it is operated on the basis of clearly defined structures and responsibilities. The structures or framework a Department chooses will depend on the business and size of the Department. In all cases the risk structure should be integrated into existing management structures and there should be a role for internal audit. In many cases, particularly in large Departments, there may be a need for dedicated structures to co-ordinate management of risk.

It is a matter for each Department to decide on the structures it will use. However, as the Mullarkey Report emphasises, the risk management process should be kept as simple and straightforward as possible and should be integrated into existing management systems. In smaller Departments it may be possible to combine the roles of certain of the structures outlined below, e.g. the roles of the risk committee and audit committee or the roles of the risk management team and the MAC.

The following paragraphs describe different management structures in Departments and the sort of role each could play in the risk management process.

3.2 Existing Management Structures

(i) The MAC (Management Advisory Committee)

MAC should initiate risk management and direct the overall process. MAC should receive reports on the operation of the risk management system and demand actions. It is the responsibility of the MAC and senior management in a Department to ensure that there is a robust risk management process in place.
(ii) Heads of Division, with their senior managers, should be responsible for:
- Implementing the Department's risk management process in their Division;
- Identifying, evaluating and signing off on risks at Divisional level;
- Owning and managing the risks within the Division's organisational or functional remit on a day-to-day basis;
- Ensuring clear roles and responsibilities for risk identification, management and reporting are defined within their areas using PMDS and business planning;
- Ensuring compliance with the formal risk reporting requirements on an ongoing basis;
- Ensuring risk management awareness throughout the Division.

(iii) Staff: individual members of staff should be made responsible for:
- Operating and monitoring the system of internal control;
- Proactively identifying risk issues and bringing these to the attention of management;
- Ensuring that all risks are identified and reported in a timely and effective manner.

3.3 Audit Structures

(i) Audit Committee

Audit Committees should be responsible for reviewing and agreeing the processes for managing risk in the Department. The Audit Committee should have a standing agenda item on risk at its meetings and should receive feedback from the head of Internal Audit and the Department's management on the implementation and performance of the risk management process. Such feedback should cover the five key areas of identifying, assessing, mitigating, reviewing and reporting on risks.
(ii) Internal Audit Unit

Internal audit has a central role in advising Accounting Officers on the state of a Department's risk management processes. Internal audit should regularly review risk management to ensure that it is robust. When deciding the most appropriate role for it to play in a Department, internal audit should assess the extent to which it can add value to the process of risk management. Of course, internal audit always needs to heed the professional requirement for independence and objectivity.

"Primary responsibility for risk management lies with line management. Internal Audit's involvement should stop short of responsibility and accountability for risk management across the organization and of managing risks on management's behalf. However, in order to add value, it is often beneficial for internal audit to give proactive advice or to coach management on embedding risk management processes into business activities." [From Institute of Internal Auditors UK and Ireland: Position Statement on the Role of Internal Audit in Risk Management]

3.4 Dedicated Risk Structures

(i) Risk Register

Departments will need to maintain centralised records about their risks in a risk database or register. The register will be a primary tool for risk tracking, containing the overall system of risks and the status of any risk mitigation actions.

There are a number of IT-based risk tracking solutions that Departments may wish to explore. Typically such database systems provide for the inputting of risks and for the assessing of them; they contain a reports module allowing different reports and analyses to be generated at various levels (e.g. Divisional and Departmental), plus an incident reporting module that allows for reports on specific incidents as they occur. A mock-up of an extract from a risk register is shown at Appendix 3.

(ii) Risk Committee

Existing structures should be used to the greatest extent possible.
Most Departments will want to assign this function to an existing committee of management. Where this is not possible, Departments should establish dedicated risk structures such as risk committees and risk teams. Risk committees are representative of different functional areas (technical and specialist as well as policy) and would have the responsibility of coordinating the efforts of the MAC and Line Divisions. A risk committee would also report to the MAC on the lessons learned from risk occurrences.

Typical responsibilities of an existing committee of management assigned the risk function, or of a dedicated Risk Management Committee, would be to:
- Oversee the implementation of the Department's Risk Management;
- Define and review on a regular basis the Department's risk policy, methodology and standards;
- Create awareness, across the Department, of the need to identify and manage risk effectively;
- Monitor the management of risk throughout the Department and report on a regular basis to the Department's MAC and Audit Committee.

As far as possible, the Risk Management Committee should be an existing management committee of the Department, either the MAC itself or, where they exist, the Assistant Secretary or PO Group.

(iii) Risk Management Team

In some cases, particularly in the larger Departments, there may be a need for a dedicated risk management team. The resources a Department commits to such a team will vary depending on its needs. A typical role for such a team would be:
- Assisting the Risk Management Committee with development of risk management policy and the supporting framework;
- Assisting and providing guidance to divisions of the Department on the management of risk;
- Coordinating the management of risk for business processes that may cross the boundaries of business areas, divisions and locations (cross-cutting issues);
- Providing an analysis of risk findings on a regular basis for the Risk Management Committee;
- Maintaining the risk management reporting system.
4 RISK IDENTIFICATION

Guideline
Departments should repeat the process of risk identification at least once a year.

The process of identifying risk exposures is key to the success of a risk management process, as all other elements of the process flow from this initial step. It is crucial therefore that a thorough job of risk identification is accomplished on a regular basis, but at least annually.

Risk identification attempts to identify an organisation's exposure to uncertainty. This requires a detailed knowledge of the organisation and the legal, social, political and cultural environment in which it operates, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives. The process of drawing up statements of strategy should ensure that these elements are in place.

It will be a matter for every Department to identify for itself the risks it faces as an organisation. The Mullarkey Report identifies four main categories of risk. These, and other categories likely to be relevant to a Government Department, are set out below and could be used as a starting point to identify a Department's areas of risk:

(i) Four risk categories identified by Mullarkey:
- Strategic risks (risks that may be external to the organisation such as the economic climate, including factors such as interest rates, exchange rates and inflation).
- Operational risks (relating to the procedures/technologies etc. employed to achieve particular objectives).
- Financial risks (relating to the procedures/systems/accounting records in place to ensure that the organisation is not exposed to avoidable financial risks, including risks to assets).
- Reputation risks (involving risks to the public reputation of the organisation and their effects).
(ii) Other risks to be considered:
- Commercial risks;
- Litigation risks;
- Economic/market risks;
- Legal and regulatory risks;
- Organisational management / human factors risks;
- Political / societal factors;
- Environmental factors / force majeure ("Acts of God");
- Technical / operational / infrastructural issues.

As regards how to identify risks, examples of risk identification techniques include:
- Listing the obvious risks to continuity of service
- Brainstorming (When, where, why and how are risks likely to arise?)
- Questionnaires (e.g. to heads of divisions)
- Workshops (perhaps facilitated jointly by management and internal audit)
- Incident investigations
- Audits and inspections
- Cost-benefit analysis
- SWOT analysis
- Sensitivity analysis
- Cash flow analysis
- Decision trees
5 RISK ASSESSMENT

Guideline
Departments should assess identified risks at least once a year.

When the important risks facing a Department have been identified, the next step is to assess them. Two approaches to risk analysis are outlined below to assist Departments to structure their own approach to risk analysis. These approaches are only examples, and Departments may find that other approaches or variants of those illustrated may be more appropriate to their circumstances.

(i) The Risk Map

Risk mapping is a simple and useful method for assessing risks identified. It involves plotting them on a matrix or map against relevant criteria. The assessment is usually carried out on the basis of two criteria: significance/impact and likelihood. Having identified risks, they are recorded in the appropriate quadrant of the map. Figure 2 shows such a risk map. Risks located in the upper right hand side of the matrix, i.e. those of both high impact and likelihood, will require the close attention of management.

Figure 2 Classic Risk Map

Significance   +-----------------------------------+-----------------------------------+
Higher         | Upper Left Quadrant               | Upper Right Quadrant              |
  ^            | (high severity / low likelihood)  | (high severity / high likelihood) |
  |            | Significant risks that are        | Risks that threaten business      |
  |            | unlikely to happen                | objectives                        |
  |            +-----------------------------------+-----------------------------------+
  |            | Lower Left Quadrant               | Lower Right Quadrant              |
  v            | (low severity / low likelihood)   | (low severity / high likelihood)  |
Lower          | Relatively low risks              | Risks that arise from day to day  |
               +-----------------------------------+-----------------------------------+
                 Lower <----------------- Likelihood -----------------> Higher
(ii) Risk Criteria

Another method of assessment is to evaluate risks on the basis of specific criteria. The example below demonstrates how risk could be assessed on the basis of three criteria: Impact, Likelihood and Effectiveness of Existing Controls. Departments could opt for a variation on this structure or a different scoring system, for example scoring only on the basis of Impact and Likelihood.

Impact on the Department: The impact on the Department if the risk actually happens is estimated using a scale of 1 to 5, where 1 is equivalent to having no significant impact and 5 is equivalent to having an extremely detrimental impact.

Likelihood of occurrence: The likelihood of occurrence is estimated, again on a scale of 1 to 5, where 1 is "rarely, if ever" and 5 is "almost unavoidable/already happening".

Effectiveness of existing controls: The effectiveness of existing controls is estimated using a scale of 1 to 3, where 1 is "highly effective" and 3 is "no controls/controls ineffective".

A risk score is determined by multiplying the risk impact by the risk likelihood. This risk score is then multiplied by 1, 2 or 3 depending on the control effectiveness to determine the risk reporting level.

Possible Risk Reporting Level: 0-12 = Green; Amber (levels between the Green and Red bands); 25+ = Red.

Under this method, the risk scores are defined as follows:

Impact
1 = No significant impact
2 = Minor impact
3 = Significant but containable impact
4 = High impact
5 = Extremely detrimental effect

Likelihood
1 = Rarely, if ever
2 = Possible
3 = Likely
4 = Very likely
5 = Almost unavoidable / already occurring

Control Effectiveness
1 = Controls highly effective
2 = Controls could be improved
3 = No controls / controls are ineffective

Risk Colours
Red: Issues that require immediate attention of senior management.
Amber: Issues that need constant monitoring by senior management.
Green: Issues that need to be reviewed from time to time.
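The scoring rules above reduce to a short calculation, and writing it down makes the banding unambiguous. The following Python is an added worked example, not part of the Department of Finance guidance: it encodes the 1 to 5 impact and likelihood scales, the 1 to 3 control-effectiveness factor and the Green/Amber/Red banding, rejects scores outside the scales, and ranks a small register so that the Red entries come out first. The page gives only the Green (0-12) and Red (25+) bounds, so treating every level from 13 to 24 as Amber is an assumption; the register entries, their reference numbers and their scores are constructed for illustration.

```python
"""Three-criteria risk scoring (Section 5 of the guidance), as an added example.

reporting level = impact (1-5) x likelihood (1-5) x control effectiveness (1-3)
"""

from dataclasses import dataclass

# Scales taken from Section 5 of the guidance.
IMPACT = {1: "No significant impact", 2: "Minor impact",
          3: "Significant but containable impact", 4: "High impact",
          5: "Extremely detrimental effect"}
LIKELIHOOD = {1: "Rarely, if ever", 2: "Possible", 3: "Likely",
              4: "Very likely", 5: "Almost unavoidable / already occurring"}
CONTROL_EFFECTIVENESS = {1: "Controls highly effective",
                         2: "Controls could be improved",
                         3: "No controls / controls are ineffective"}

# Reporting-level bands. The guidance states 0-12 Green and 25+ Red; treating
# everything in between (13-24) as Amber is an assumption made here.
GREEN_MAX = 12
RED_MIN = 25


def _check(value, scale, name):
    """Reject a score that is not on its scale, so a mis-keyed register entry
    fails loudly instead of silently inflating or deflating the level."""
    if value not in scale:
        raise ValueError(f"{name} must be one of {sorted(scale)}, got {value!r}")


def risk_score(impact, likelihood):
    """Impact x Likelihood: the raw risk score (1-25)."""
    _check(impact, IMPACT, "impact")
    _check(likelihood, LIKELIHOOD, "likelihood")
    return impact * likelihood


def reporting_level(impact, likelihood, control_effectiveness):
    """Risk score weighted by the control-effectiveness factor (1-75)."""
    _check(control_effectiveness, CONTROL_EFFECTIVENESS, "control_effectiveness")
    return risk_score(impact, likelihood) * control_effectiveness


def reporting_colour(level):
    """Band a reporting level into the Green / Amber / Red reporting colour."""
    if level <= GREEN_MAX:
        return "Green"
    if level >= RED_MIN:
        return "Red"
    return "Amber"


@dataclass(frozen=True)
class Risk:
    """One row of a risk register, scored on the three criteria."""
    ref: str
    description: str
    impact: int
    likelihood: int
    control_effectiveness: int

    @property
    def level(self):
        return reporting_level(self.impact, self.likelihood, self.control_effectiveness)

    @property
    def colour(self):
        return reporting_colour(self.level)


def rank_register(risks):
    """Return (ref, level, colour) tuples, highest reporting level first, so the
    Red entries that Section 7 says need MAC attention appear at the top."""
    return [(r.ref, r.level, r.colour)
            for r in sorted(risks, key=lambda r: r.level, reverse=True)]


# Constructed sample register: hypothetical references, descriptions and scores.
SAMPLE_REGISTER = [
    Risk("1/04", "Prolonged loss of the payments system", 5, 3, 2),      # 30 -> Red
    Risk("2/04", "Key supplier fails to deliver on contract", 4, 3, 1),  # 12 -> Green
    Risk("3/04", "Unauthorised disclosure of personal data", 4, 2, 3),   # 24 -> Amber
    Risk("4/04", "Minor reporting deadline slips", 2, 4, 1),             #  8 -> Green
]

if __name__ == "__main__":
    for ref, level, col in rank_register(SAMPLE_REGISTER):
        print(f"{ref}: level {level:2d} {col}")
```

Note that the same raw score can land in different bands depending on the control factor: impact 4 and likelihood 3 give 12 (Green) with highly effective controls but 24 (Amber) once controls "could be improved", which is exactly the effect the third criterion is meant to capture.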
6 MITIGATING RISKS

Guideline
When risks have been identified and assessed, Departments should determine an appropriate method for addressing them.

Before considering which method is most appropriate to a particular risk, Departments will first need to consider the adequacy and appropriateness of any existing controls. The most important way of responding to risks is risk reduction:

Risk Reduction: The majority of risks will be addressed under this heading. The objective is not to prevent the risk totally, but to contain it to an acceptable level. Risk reduction strategies aim to minimise the frequency or severity of the negative impacts of a risk. An example of a risk reduction strategy is the preparation of contingency plans to expedite recovery from losses.

There are alternative approaches to dealing with risks, but these are less likely to be used in the Civil Service:

Risk Avoidance, i.e. deciding not to undertake an activity or programme etc., while clearly a very effective way of controlling risks, is not often a practical option for a Government Department.

Risk Transfer: The scope for transferring risk in the context of a Government Department may be limited. In the private sector, for example, risk transfer might be achieved through such things as normal insurance cover or contracting out of services.

Departments should ensure that the costs of controls to mitigate risk are not disproportionate to the potential impact of the risk being managed. Departments should also bear in mind that business continuity management is an essential element in mitigating the effects of risks on the key activities of a Department.
7 RISK MONITORING AND REPORTING

Guideline
Departments' risk management systems should provide for monitoring and reporting at various levels of management.

MAC

The risk analysis will identify the risks that would have the greatest potential for negative impact and high likelihood. Using the risk analysis examples in section 5, these would be risks positioned in the upper right hand quadrant of a risk map or the risks identified as red. These risks, perhaps representing only 20% of risks but having perhaps 80% of potential impact, should become the focus for particular attention from the MAC.

Divisions should:
- be aware of the significant risks that come within their area of responsibility, the possible impacts those risks could have on other areas of the Department, and the consequences other Divisions' risks might have on them;
- report systematically and promptly to senior management about risk management, in particular about perceived new risks or failures of existing controls.

Staff

Individual members of staff should:
- understand their accountability for risks;
- report systematically and promptly to senior management on any perceived new risks or failures of existing controls.

MAC, and in particular the Accounting Officer, should be assured that the risk management processes are working effectively, and MAC should know how the Department will manage a crisis. This will require regular testing of contingency plans to deal with risks identified.
The retention of records is an important element of a good risk management system. Records document the fact that risks have been identified and remedies considered. Management may be reluctant to release such records for sensitivity reasons and because they would highlight weaknesses detrimental to the effective management of the organisation. Departments should ensure that they achieve a consistent approach to FOI requests relating to risk management records and should have regard to any guidance in this area issued by the FOI Central Policy Unit, Department of Finance.
APPENDIX 1

EXTRACTS FROM THE MULLARKEY REPORT RELEVANT TO RISK MANAGEMENT

From the Executive Summary to the Report

46. Historically, Government Departments have had procedures in place to manage financial risks particularly in so far as they relate to the stewardship of public funds. Systematic risk management across a range of risks (strategic, operational, financial and reputational) is becoming recognised as an increasingly important part of the internal control framework as the identification and management of risk is seen as necessary to maximize the achievement of desired outcomes. [...]

47. The Group considers that risk assessment and management are important elements in a robust system of internal control which should be integrated into the management processes of Departments. It recommends that the following approach be adopted in introducing a formalised risk management system:
- Central guidance on the development of a risk strategy, appropriate to Government Departments, should be prepared by the Department of Finance. This should address the principal elements of the risk identification and management process.
- Within Departments the risk management system should concentrate on the principal risks to the organisation as well as the principal risks arising from its relationship with other organisations.
- The risk assessment and management process should be integrated into existing management systems and should be kept as simple and straightforward as possible.
- In introducing a risk management programme full use should be made of existing systems, processes and procedures. For example, Audit Committees could advise on Departmental risk management strategies.
- Risk assessment should also be formalised into the processes for the preparation of the Strategy Statement, business plans, PMDS and annual reports.
- Risk management should feature on the agenda of divisional meetings and of the meetings of the Management Advisory Committee. [6.32]

From Chapter 6 of the Report

Risk Management

6.29 Systematic risk assessment and management is becoming an increasingly important part of internal control as its identification and management is seen as necessary to maximise the likelihood of achieving desired outcomes. As part of this process formalised risk management is becoming an increasingly important element of the internal control framework in Central Government in the UK and internationally. [2] The Canadians, for example, are placing greater emphasis on risk management as part of their programme to modernise comptrollership (i.e. a set of principles and processes that underpin how management carry out their stewardship responsibilities).

The risks to be addressed as part of a risk assessment and management programme are wide-ranging and include strategic, operational, financial and reputational risk. A risk strategy does not mean that sensible risks should not be taken, but that they should be properly assessed and managed.

The Group considers that risk assessment and management are key elements in a robust system of internal control. As stated above, because of the relevance of a sound system of internal control to all the activities of the Department, measures taken to assess and manage risks should work to support the Secretary General as civil service head of the Department (including in his/her Accounting Officer capacity).

Risks fall into a variety of categories, some of the most common of which include:
- Strategic risks (risks that may be external to the organisation such as the economic climate, including factors such as interest rates, exchange rates and inflation).
- Operational risks (relating to the procedures/technologies etc. employed to achieve particular objectives).
- Financial risks (relating to the procedures/systems/accounting records in place to ensure that the organisation is not exposed to avoidable financial risks, including risks to assets).
- Reputation risks (involving risks to the public reputation of the organisation and their effects).

Historically, Government Departments have had procedures in place to manage financial risks particularly in so far as they relate to the stewardship of public funds. Risk assessment and management, in the wider sense referred to above, is also carried out informally in Departments but formal risk management strategies are not, in general, in place. The Group considers that there is a strong case for integrating them formally into the management processes of the Department and it recommends that this be done.

The Group is aware, in proposing greater formalisation of the risk management process, of the pressure on Departments arising from the modernisation agenda and other initiatives. It is also aware that particular difficulties arise for smaller Departments and Offices in implementing new initiatives. For that reason it recommends that the following approach be adopted in introducing a formalised risk management system:
- Central guidance on the development of a risk strategy, appropriate to Government Departments, should be prepared by the Department of Finance. This should address the principal elements of the risk identification and management process. [3]
- Within Departments the risk management system should concentrate on the principal risks to the organisation as well as the principal risks arising from its relationship with other organisations.
- The risk assessment and management process should be integrated into existing management systems and should be kept as simple and straightforward as possible.
- In introducing a risk management programme full use should be made of existing systems, processes and procedures. For example, Audit Committees could advise on Departmental risk management strategies.
- Risk assessment should also be formalised into the processes for the preparation of the Strategy Statement, business plans, PMDS and annual reports. [4]
- Risk management should feature on the agenda of divisional meetings and of meetings of the Management Advisory Committee.

From Chapter 8 of the Report

4. Central guidance on the development of a risk strategy appropriate to Government Departments/Offices [para 6.32] should be prepared by the Department of Finance within twelve months.

5. Formal Risk Management Strategies should be introduced into the management processes of Departments/Offices [para 6.32]. This should be done within 2 years.

[2] Adapting the requirements of the Turnbull Report, UK Departments, executive agencies and executive Non-Departmental Public Bodies are required to sign a statement on Internal Control (which has a strong emphasis on risk assessment and management) in respect of the first financial period after 1 January 2001.
[3] There is already a substantial amount of literature available which should facilitate the preparation of such guidance.
[4] This is already being done in some Departments. For example the Department of Agriculture, Food and Rural Development, in the context of the business planning process, has asked each Division to include an assessment of the key risks it faced - strategic, operational, financial and reputational. The Department will draw up a Risk Management Programme drawing on appropriate external expertise.
APPENDIX 2

The UK National Audit Office publication, Supporting Innovation: Managing Risks in Government Departments, includes a series of questions designed to test the extent to which risk management has been embedded in an organisation. The questions are grouped under a number of key headings and can be summarised as follows (the original table pairs each question with a column for the source of supporting evidence, to be completed by the organisation):

Question
- Does the Management Board support and promote the risk management system?
- Does the organisation's culture support well thought through risk taking and innovation?
- Are risk management policies and the benefits of effective risk management clearly communicated to all staff?
- Is risk management fully embedded in the organisation's management processes?
- Are the risks associated with working with other organisations assessed and managed?

Source of supporting evidence
- (to be completed for each question)

Such questions could form the basis of internal surveys in Departments to assess progress in embedding risk management on an annual basis.
APPENDIX 3

Mock-up of an extract from a risk register.

Columns: RISK NO. | DESCRIPTION | DIVISION | STRATEGY STATEMENT OBJECTIVE NO. | LIKELIHOOD | IMPACT | CONTROL EFFECTIVENESS | RATING | CONSEQUENCES | MEASURES TO ADDRESS | ADDITIONAL ACTION | OWNER

Entry 2/04
  RISK NO.: 2/04
  DESCRIPTION: Impact of an increase in BSE cases in ROI
  DIVISION: Beef Division
  STRATEGY STATEMENT OBJECTIVE NO.: ...
  LIKELIHOOD: ...
  IMPACT: ...
  CONTROL EFFECTIVENESS: ...
  RATING: RED
  CONSEQUENCES: Fall in public confidence in beef; financial consequences for livestock industry
  MEASURES TO ADDRESS: Develop communications strategy
  ADDITIONAL ACTION: Review efficacy of control measures
  OWNER: Head of Beef Division

Entries 3/04 and 4/04: ... (not filled in the mock-up)
APPENDIX 4

Risk management models and standards

As noted in the Mullarkey Report, there are several risk management models and standards available, e.g. Risk Management [AS/NZS 4360:1999] published jointly by Standards Australia/Standards New Zealand. That standard offers a very comprehensive model for enterprise-wide risk management. Standards Australia/Standards New Zealand have also released a number of other risk standards focused on particular sectors, including Guidelines for Environmental Risk Management [HB203:2000] and Guidelines for managing risk in healthcare [HB228:2001].

The UK Treasury has also issued a number of risk management guidance documents, notably Management of Risk: A Strategic Overview, commonly known as the Orange Book.

In addition, professional bodies such as the Institute of Internal Auditors - UK and Ireland (IIA) and the Chartered Institute of Public Finance and Accountancy (CIPFA) have issued risk management guidance.