The Lowitja Institute Risk Management Plan

Transcription

1 The Lowitja Institute Risk Management Plan 1. PURPOSE This Plan provides instructions to management and staff for the implementation of consistent risk management practices throughout the Lowitja Institute (the Institute). The risk management process is cyclical and is linked to the Institute A risk management process which provides a rigorous and systematic framework for understanding the likelihood of risks associated with opportunities for optimising outcomes is essential. It is a tool which identifies threats to the Lowitja Institute objectives and enables the development of strategies to mitigate adverse consequences. In a time when there is increasing pressure on the private, public and not for profit sectors to display better governance, an appropriately framed risk management methodology is critical to maintain and enhance the performance of the Institute. This Plan contains the requirements for establishing and maintaining an enterprise risk management framework for the Institute which is integral to sound management practice. It sets a common approach and outlines the responsibilities of management and staff to systematically manage risk consistent with Australian Standard on Risk Management (AS/NZS ISO 31000:2009). 2. SCOPE This Plan apply to all Institute employees, including permanent employees, those under employment contract, term appointments (including secondments) or temporary arrangements, volunteers, contractors and consultants. It applies to all Institute business and project management processes including strategic planning, business planning, policy development, program administration and decision making at the strategic and operational levels. 3. DEFINITIONS (ISO 31000) Consequence: outcome of an event affecting objectives Hazard: a source of potential harm Inherent risk: a subjective measure of the level of a risk without considering the effectiveness of controls Likelihood: chance of something happening Residual risk: a subjective measure of the risk remaining after risk treatment. Risk analysis: process to comprehend the nature of risk and to determine the level of risk Risk owner: the person or entity with the accountability and authority to manage a risk (i.e. is responsible for managing the identified risk including implementing and monitoring the effectiveness of mitigation strategies, and reporting as needed on the status of the risk to the Chief Executive Officer or Board) Risk treatment: process to modify risk (Note: risk treatments that deal with negative consequences are sometimes referred to as risk mitigation strategies, risk elimination strategies, risk reduction strategies, risk prevention strategies and/or risk control) Risk: the effect of uncertainty on objectives THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 1 OF 17

2 4. ROLES AND RESPONSIBILITIES The following provides a high level overview of the roles and responsibilities: The Lowitja Institute Board Overall responsibility for risk management Chief Executive Officer Compliance with Institute Risk Management Policy and Institute Risk Management Plan Chief Operations Officer Monitoring of compliance with the risk framework and process All Staff Active management of risk in accordance with the Lowitja Institute Risk Management Policy and this Risk Management Plan. 5. PLAN OVERVIEW Introduction The Institute will work within its Enterprise Risk Management (ERM) framework to minimise the effect of uncertainty on its business and project objectives. The Institute recognises that whilst risk is inherent in all its activities, the management of risk is good business practice, creates value, is integral to sound corporate governance and in some instances, a mandatory legal requirement. In particular, effective risk management can lead to better decision making and planning as well as better identification of opportunities and threats. Risk Appetite The Institute risk appetite statement (Attachment F), its descriptions of consequence and likelihood, its matrix for rating risk and its risk register. ERM ERM is a structured, consistent and continuous process used across The Institute at the strategic/corporate level, the operational level and the common operational areas. It is used for identifying, assessing, deciding on, responding to and reporting on opportunities and threats that affect the achievement of the Institute corporate and business objectives (see Figure 1). The Institute risk management activities fit within all quadrants. THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 2 OF 17

3 Figure 1: The Institute Enterprise Risk Management Structure Corporate/Strategic Enterprise Level Operational Business Unit Level Significant & High Risks Common Operational Areas Functional / Specific Reviews Cross Business Unit Major Projects Major Contracts a. Corporate/Strategic This level relates to the strategic risks associated with the Institute carrying out its business objectives as articulated in The Institute Business Plan. b. Operational This area relates to the management of risks associated with the Institute Business Units meeting their specific objectives. c. Common Operational Areas These areas support both the Corporate/Strategic and Operational management of risk. This includes OHS risk and hazard management d. Cross Divisional&/or Major Projects, Major Contracts This area relates to major initiatives of the Institute either through its business units or through cross business unit processes. For major projects a full risk register will be developed, utilising the risk categories set out in Attachment C. The Institute Board reporting The Institute Risk Register, including mitigation strategies, will be assessed and reported against to the Board annually in Quarter 3 (May) of each financial year. Monitoring and review of the Institute Risk Register The Institute Risk Register will be reviewed on a quarterly basis by the Chief Executive Officer, with presentation to a quarterly meeting of Senior Managers. On an annual basis a full reassessment of risks, controls and strategies will be conducted and presented to the Board. The Board should be regularly apprised of significant risk mitigation activities and provided with assurance that Risk Management Plans are in place for each Organisational Level risk and that satisfactory risk mitigation is being undertaken for Operational risks. THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 3 OF 17

4 Monitoring and review of the Institute Major Projects Risk Register The Lowitja Institute Board should be regularly apprised of significant risk mitigation activities and provided with assurance that Risk Management Plans are in place for each Project Level risk. Monitoring and review of risk framework The Institute risk management framework will be reviewed on an annual basis as part of the continual improvement process set out in AS/NZS ISO Documentation, communication and evaluation Documentation of each step of the risk management process will be undertaken. Appropriate documentation demonstrates accountability and provides a record against which it can be determined that the process has been carried out correctly and enables decisions and/or processes to be reviewed. Communications The Chief Executive Officer is responsible for the development of a communication plan to ensure that all relevant people are kept informed of the risk management framework and its implementation. Linkages The outcomes and outputs of the risk management processes will form inputs to the Institute internal audit, compliance and assurance activities and vice versa. Risk management integration The approach to managing risk is to be embedded within the Institute decision-making structures and operational procedures. 6. THE INSTITUTE RISK WHEEL The Institute has identified a number of key risk areas (listed at Attachment A). These areas or spo provide a framework for identifying risks. This is consistent with the Institute ERM approach which is structured to ensure that all risks in the Institute, particularly those ranked as high or above, are identified and effectively managed. 7. USING THE RISK MANAGEMENT FRAMEWORK The steps outlined below are based on the Australian/New Zealand Standard - Risk Management AS/NZ ISO 31000:2009 (See Figure 1). The Institute is to follow this process in completing the risk register template (refer to Attachment B). THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 4 OF 17

5 Figure 1: The Risk Management Process (AS/NZS/ISO 31000:2009) Communicate and Consult Establish the Context Identify risks Analyse risks Evaluate risks Treat risks Monitor and Review Stage 1: Establish the Context This step involves establishing the context in which the rest of the process will take place. The objectives, strategies and scope of the activity, or part of the Institute to which the risk management process is being applied, should be established. A key step in the Institute risk process is the need to identify and evaluate risks in relation to how they affect the Institute y to deliver the results, outcomes and strategies identified in the Institute Business Plan. Stage 2: Identify risks and risk owner (see columns 1, 2, 3, 4, 5 and 6 of Attachment B) This step seeks to identify the risks that need to be managed. The aim is to generate a list of risks that might have an impact on the achievement of the Institute outcomes/objectives. These risks might prevent, degrade, delay or enhance the achievement of those objectives. Given the experience of staff in the Institute, it is intended that risks are identified using judgements based on experience and existing risk registers, and through brainstorming workshops. Descriptions of identified risks consider source and impact, what the risk is, whom it impacts upon and what the impact is. Identifying the risk and risk owner involves the following steps: Describe the nature of the risk (Column 3). The Risk Categories in Attachment A provide a link to issues that may be considered when identifying possible risks Link the risk to the most relevant the Institute Risk Category (Column 1). Allocate a the Institute risk number (Column 2) Identify a risk owner (Column 4) Identify the causes of the risk (Column 5) Provide a brief description of the impact/consequence of the risk (Column 6). In assessing the impact/consequences, consideration may be given to a range of issues including business management, political, commercial & legal, finance and human resources. A detailed Consequence Table is included as Attachment D. Stage 3: Analyse risks Analysing the risks involves the following steps to determine the inherent risk rating and residual risk rating. THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 5 OF 17

6 3(a) Inherent risk rating (Columns 7, 8 and 9 of Attachment B) I. Rate the consequence of the risk should it occur, and the likelihood of the risk occurring using the descriptors provided in Tables 1 and 2 below (Columns 7 and 8). To determine the inherent risk rating, it is important that the consequence and likelihood of each risk is rated without considering the existing controls and mitigation strategies. This produces a score that indicates worse-case exposure in the event that there are no controls in place or the controls fail to take effect during a risk event. II. Now consider the matrix for assessing risks (see matrix at Table 3). Using this matrix, identify the risk rating as Very High, High, Moderate, Low (Column 9). 3(b) Residual risk rating (Columns 10, 11, 12, and 13 of Attachment B) I. Consider what is currently being done to mitigate/manage the risk, i.e. what controls are in place? Are there already some mitigation strategies in place to manage the risk? Briefly list the controls and mitigation strategies (Column 10) II. Rate the consequence of the risk should it occur, and the likelihood of the risk occurring using the descriptors provided in Tables 1 and 2 below (Columns 11 and 12). It is important that the consequence and likelihood of each risk is rated in the context of existing controls and mitigation strategies. III. Now consider the matrix for assessing risks (see matrix at Table 3). Using this matrix, identify the risk rating as Very High, High, Moderate, Low (Column 13). Table 1 Consequence of risk occurring (Attachment E) CONSEQUENCE TABLE 5 (V) Severe 4 (IV) Major 3 (III) Moderate 2 (II) Minor 1 (I) Negligible Table 2 Likelihood of risk occurring 5 Almost certain Likelihood The event is expected to occur in most circumstances (e.g. monthly to several times a year) 4 Likely The event will probably occur in most circumstances (e.g. least once per year 3 Possible The event might occur at some time over (e.g. within next two years) 2 Unlikely The event could occur at some time (e.g. every two to five years) 1 Rare The event may occur only in exceptional circumstances (e.g. every five to ten years) THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 6 OF 17

7 LIKELIHOOD TABLE Level Descriptor 1 (E) Rare 2 (D) Unlikely 3 (C) Possible 4 (B) Likely 5 (A) Almost Certain Table 3 - Matrix for Rating Risks Legend And Actions Required Very High High Moderate Low Immediate action required Senior Management attention needed Management responsibility must be specified Manage by routine procedures. Stage 4: Evaluate and treat risks (i.e. decide on further actions (Columns 14 and 15 of Attachment B)) Based on the analysis of the risks, it is necessary to decide whether any further actions are necessary and appropriate to further mitigate the risk. This will require consideration of the following: I. Can additional controls and/or mitigation strategies be identified that can help with better managing the risk? If that is the case, provide a brief description in Column 14. THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 7 OF 17

8 Note: A key priority for identifying additional controls and mitigation strategies should be High or risk. For other lower ranked risks the option may be simply ongoing monitoring and reporting on the status of the risk. The selected option should be the most appropriate and practicable, with the objective of reducing the level of risk to a tolerable level. Options may include the following: o o o o Likelihood reduction aimed at eliminating sources of risk or substantially reducing the likelihood of their occurrence Risk avoidance a particular case of likelihood reduction, where undesired events are avoided by undertaking a different course of action Impact mitigation aimed at minimising the consequences of the risk Risk transfer aims at shifting responsibility of the risk to another party (also called risk sharing because risks can rarely be transferred or shed entirely). II. On the other hand there may be sufficient controls and mitigation strategies in place. For instance it may be impractical and/or inappropriate to consider further controls to mitigate the risk. If this is the case, place No further action in Column 14. This option is referred to as risk retention, i.e. risks cannot be further reduced or avoided, or the costs of doing so would be too high. Risks can also be regarded as opportunities if they are retained and dealt with appropriately. III. Finally, consider whether it would be beneficial to include this area of risk on The Institute internal audit program. For example, an audit of the area may provide confidence that the controls and mitigation strategies in place are working adequately; an audit may also help by suggesting additional controls and mitigation actions that may not have been Column 15. IV. As appropriate, a Risk action Plan may be developed for specific risks (Attachment D). Stage 5: Monitor and Review Reporting is to be carried out throughout the Institute reporting process so that the Chef Executive Officer and Chief Operating Officer can monitor progress in achieving risk treatment objectives and management of identified risks. The Institute Executive Team will report to the Board at each Board meeting on risk. This allows the Institute to demonstrate the effectiveness of the risk management process on an ongoing basis. It also allows for a thorough review of its risk register, and, in particular assists in identifying and monitoring any risks of Board nature. The identified risks and the effectiveness of mitigation strategies will be reviewed to reflect changing circumstances and priorities. Stage 6: Communicate and Consult The premise underlying this Plan is that the Institute will consistently consult and communicate with stakeholders and all relevant parties involved. This is to be undertaken at all times in a fair, timely and transparent manner. 8. COMPLIANCE AND CONTINUOUS IMPROVEMENT The steps outlined below are based on the Australian/New Zealand Standard - Risk Management AS/NZ ISO 31000:2009 (See Figure 2). The Institute will ensure that its processes follow the requirements of ISO 31000:2009 as follows. Mandate and commitment is evidenced by this Plan. The framework and implementation processes are as described in this Plan. Monitoring and reviewing of this Plan will be undertaken annually THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 8 OF 17

9 Annual reviews will evidence continual improvement. Figure 2: AS/NZS ISO Mandate & Commitment 5.3 Designing The Framework 5.6 Continual Improvement of the Framework 5.4 Implementing Risk Management Risk Management Process Clause Monitoring & Reviewing The Framework Related attachments Attachment A The Institute Risk Wheel Attachment B The Institute Risk Register Template Attachment C The Institute Major Projects Risk Wheel Attachment D The Institute Risk Action Plan Template Attachment E The Institute Detailed Consequence Table Attachment E The Institute Risk Appetite Statement Legislation N/A Related policies The Institute Risk Management Policy Other related documents The Institute Business Plan AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines Revision history Version Date issued Notes By 1 31/05/2012 Initial Draft Chief Operations Officer Review date April 2013 Contact Chief Operations Officer THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 9 OF 17

10 ATTACHMENT A The Institute Risk Wheel Business Development & Competition Infrastructure & Information Technology Governance & Stakeholders THE LOWITJA INSTITUTE Compliance & Legal Operations Human Resources Finance Research THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 10 OF 17

11 ATTACHMENT B The Institute Risk Register Template ERM LEVEL: DATE: INHERENT RISK RESIDUAL RISK The Institute Risk Category The Institute Risk No Nature of Risk to The Institute (Risk Name & Description) Risk Owner Risk Factors/Causes of Risk Effects for The Institute if Risk Eventuates Consequence Likelihood Risk Rating (VH, H, M, L) Mitigation Strategies to Control Risks (Current Controls/Existing Mitigation Strategies) Consequence Likelihood Risk Rating (VH, H, M, L) Future Risk Treatment (Proposed Controls/ Mitigation Strategies) Audit Recommended (Y/N) THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 11 OF 17

12 ATTACHMENT C The Institute Major Projects Risk Wheel Budget allocation Reputational ATI image Harm to environment Financial Environmental Lowitja Institute Major Projects Safety Programme Harm to people or property Deliverables Dates VET operations Operational Technical Stakeholders Subcontractors Interface Technical and performance requirements THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 12 OF 17

13 ATTACHMENT D The Institute Risk Action Plan Template Risk and Risk Owner: Strategy: Actions: Expected Outcomes: Performance Measures: Milestones/Deliverables: Budget & Resourcing: Responsibilities: Review Processes: Consultation: Review Date: Comments: THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 13 OF 17

14 Attachment E The Institute Detailed Consequence Table Severity Level Severity (Likely Consequence) Retained Funds Reduction Health & Safety Natural Environment Social/Cultural Heritage Community/Government Reputation/Media Legal 5 (Severe) 4 (Major) TBC TBC Multiple fatalities, or significant irreversible effects to >50 persons. Single fatality and/or severe irreversible disability (>30%) to one or more persons. Very serious longterm environmental impairment of ecosystem functions. On-going serious social issues. Significant damage to structures/items of cultural significance Serious public or media outcry (international coverage). Significant prosecution and fines. Very serious litigation including class actions. Major breach of regulation. Major litigation 3 (Moderate) TBC Moderate irreversible disability or impairment (<30%) to one or more persons. Serious medium term environmental effects. Significant adverse national media/public/ngo attention. Serious breach of regulation with investigation or report to authority with prosecution and/or moderate fine possible. 2 (Minor) 1 (Negligible) TBC TBC Objective but reversible disability requiring hospitalisation. No medical treatment required. Moderate, short term effects but not affecting ecosystem functions. Minor effects on biological or physical environment. On-going social issues. Permanent damage to items of cultural significance Minor medium-term social impacts on local population. Mostly repairable. Attention from media and/or heightened concern by local community. Criticism by NGOs. Minor, adverse local public or medical attention or complaints. Minor legal issues, noncompliances and breaches or regulation. THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 14 OF 17

15 Attachment F The Institute Risk Appetite Statement Introduction This document sets out the Institute Risk appetite, at the Institute organisational level, is the amount of risk exposure, or potential adverse impact from an event, that the organisation is willing to accept/retain in pursuit of its objectives. Once the risk appetite threshold has been breached, risk management treatments and business controls are to be implemented to bring the exposure level back within the accepted range The establishment of the Institute statement on risk appetite is intended to guide employees, volunteers and contractors in their actions and ability to accept and manage risks. Through the risk management framework and its risk appetite statement, the Institute formally establishes and communicates its risk appetite. Risk appetite can be expressed in terms of a continuum. Assessment Description High Risk Appetite 5 Moderate Risk Appetite 4 Modest Risk Appetite 3 Low Risk Appetite 2 Zero Risk Appetite 1 The Institute accepts opportunities that have an inherent high risk that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents(s) of regulatory non-compliance, potential risk of injury to staff, volunteers and contractors. The Institute is willing to accept risks that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents(s) of regulatory non-compliance, potential risk of injury to staff, volunteers and contractors. The Institute is willing to accept some risks in certain circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents(s) of regulatory non-compliance, potential risk of injury to staff, volunteers and contractors. The Institute is not willing to accept risks in most circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents(s) of regulatory non-compliance, potential risk of injury to staff, volunteers and contractors. The Institute is not willing to accept risks under any circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents(s) of regulatory non-compliance, potential risk of injury to staff, volunteers and contractors. In general, the Institute Board, staff, volunteers and contractors and its stakeholders. THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 15 OF 17

16 Risk Appetite Statement The statements below indicate the Institute Staff, Volunteers and Contractors Risk Appetite 2 We will continue to engage and retain staff, volunteers and contractors that meet the high standards of The Institute. General Reputation Risk Appetite 2 The Institute will continue to foster an environment of exemplary behaviour. It accepts that this impacts how the institution is viewed externally Financial Resources Risk Appetite 2 Securing adequate financial resources supports the Institute The Institute will maintain its high financial stewardship standards and will continue to ensure that financial commitments do not exceed available resources. Information Management Risk Appetite 2 The Institute will maintain the security, integrity and availability of information systems. The Institute will maintain controls to prevent unauthorised systems access with the ability to alter or create data. The Institute will strive to provide adequate hardware and bandwidth. OHSE Risk Appetite 1 The Institute will take corrective action to address known occupational health, safety, environment and volunteer/employee/contractor well-being exposures. Zero harm is the Institute THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 16 OF 17

17 Regulatory Environment Risk Appetite 1 The Institute will respond in accordance with established policy, procedure and agreements to any regulatory breach. Stakeholder Relationships Risk Appetite 2 The Institute will continue to maintain good relationships with critical stakeholders. Operations Risk Appetite 1 The Institute will not tolerate operational breaches and will pursue any persons responsible for fraud to the full extent of the law. Contagion Risk Appetite 2 The Institute will ensure that the risk of contagion from other indigenous organisations is minimised. Multiple contagion paths can materialise, financial or other. Business Development Risk Appetite 3 The Institute will accept a moderate level of risk to grow the business. Retained Funds Risk Appetite 1 The Institute will ensure retained funds are fully protected. THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL PAGE 17 OF 17