A Guide to Risk Management

Transcription

1 A Guide t Risk Management July 2011

2 A Guide t Risk Management Financial Management Framewrk >> Overview Diagram The State f Queensland (Queensland Treasury) July 2011 Except where therwise nted yu are free t cpy, cmmunicate and adapt this wrk, as lng as yu attribute the authrs. This dcument is licensed under a Creative Cmmns Attributin 3.0 Australia licence. T view a cpy f this licence, visit T attribute this wrk, cite A Guide t Risk Management, The State f Queensland (Queensland Treasury) July 2011 The diagram n Page 10 has been reprduced with permissin frm SAI Glbal and is nt cvered by the CC BY license. Cntact the cpyright wner, SAI Glbal directly t request permissin t use this material. The Standard can be purchased via Acknwledgements This publicatin has been develped by the Financial Management Branch f Queensland Treasury, with assistance prvided by the Department f the Premier and Cabinet. We als wish t acknwledge the use f material prduced by ther jurisdictins in the develpment f this practical guide. This dcument and related infrmatin can be fund at

3 Financial Management Framewrk >> Overview Diagram A Guide t Risk Management MESSAGE FROM THE UNDER TREASURER The Financial Accuntability Act 2009 requires all accuntable fficers and statutry bdies t establish and maintain apprpriate systems f internal cntrl and risk management. In December 2007, the Department f the Premier and Cabinet and Queensland Treasury released the dcument Strategic Risk Management: Guidelines. The guidelines reflected and respnded t the findings set ut by the Auditr-General f Queensland Reprt t Parliament N. 6 fr 2007: Beynd Agency Risk and the Auditr-General s subsequent Better Practice Guide: Risk Management. In reviewing the previus guidelines, Queensland Treasury and the Department f the Premier and Cabinet have cllabrated t develp a new guide titled A Guide t Risk Management (the Guide), thus replacing the Strategic Risk Management: Guidelines. This Guide reflects the changes t the financial management legislatin in Queensland, as well as the release f a new Australia/New Zealand risk management standard. The key differences frm the previus guidelines are: the scpe f this Guide has been bradened t cnsider all risks emphasis is placed n hw agencies can practically integrate the risk management framewrk int existing gvernance prcesses, and assistance is prvided with risk identificatin at the agency, crss-agency and whle-f-gvernment levels. Effective risk management can deliver a range f benefits t agencies, including imprved results thrugh mre infrmed decisin making and imprved accuntability by demnstrating that levels f risk assciated with the agency are understd and that risk treatment strategies are apprpriate and csteffective. I cmmend A Guide t Risk Management t all Queensland public sectr management and staff. (G. Bradley) Under Treasurer Date: July 2011

4 A Guide t Risk Management Financial Managemen Table t Framewrk f Cntents Intrductin...5 >> Overview Diagram Purpse f the Guide...5 Scpe and applicatin...5 Australian/New Zealand standard...5 Terminlgy...6 Risk and risk management...7 Risk...7 Risk management...7 Risk management within the Queensland public sectr...9 Relatinship between risk management principles, framewrk and prcess...10 Principles f risk management...11 Risk management framewrk...12 Respnsibilities f agency fficers...12 Integratin f risk management...13 Mechanisms t review the risk management framewrk...15 Risk management prcess...17 Establishing the cntext...18 Risk identificatin...22 Risk analysis...24 Risk evaluatin...26 Risk treatment...27 Mnitring and review...29 Cmmunicatin and cnsultatin...30 Applicatin Guides...32 Applicatin Guide 1 - Glssary f terms...33 Applicatin Guide 2 - Risk management framewrk...35 Applicatin Guide 3 - Example f integrated risk management within an agency...37 Applicatin Guide 4 Establishing the cntext...38 Applicatin Guide 5 Risk identificatin...40 Applicatin Guide 6 - Ptential surces f risk...42 Applicatin Guide 7 Risk analysis...44 Applicatin Guide 8 Risk evaluatin...45 Applicatin Guide 9 Risk treatment...46 Applicatin Guide 10 Mnitring and review...48 Applicatin Guide 11 Cmmunicatin and cnsultatin...50 Applicatin Guide 12 - Ptential stakehlders...52 Useful resurces...54 July 2011 Page 4 f 55

5 Financia Intrductin l Managem ent Framewrk The Financial Accuntability Act 2009 (the Act) utlines a number f accuntable fficer and >> Overviestatutry w Diagram bdy functins, ne f which is the establishment and maintenance f an A Guide t Risk Management apprpriate system f risk management (sectin 61). The Financial and Perfrmance Management Standard 2009 (the Standard), sectin 28, prescribes that the agency s risk management system must prvide fr: mitigating the risk t the department r statutry bdy and the State frm unacceptable csts r lsses assciated with the peratins f the department r statutry bdy, and managing the risks that may affect the ability f the department r statutry bdy t cntinue t prvide gvernment services. Purpse f the Guide There is a significant amunt f cnceptual risk management guidance material available fr bth the public and private sectrs. The purpse f the Guide is t prvide an verview f the key cncepts f risk management, and guidance n hw the risk management prcess can be practically applied by any Queensland public sectr agency. Scpe and applicatin The Guide is intended t be an infrmatin reference and cntains the minimum principles and prcedures f a basic risk management prcess t assist departments and statutry bdies in adpting a cnsistent apprach t risk management. The Guide is nt mandatry hwever, applicatin f the Guide will encurage better practice and supprt accuntable fficers and statutry bdies in the implementatin f effective risk management practices at all levels within their agency. Agencies are encuraged t tailr cntent f the Guide t suit their individual circumstances and t prgressively develp mre sphisticated prcesses as their risk management maturity level increases. As risk management and its assciated prcesses are interrelated and dynamic, the separatin f the cmpnents f a risk management prcess in this Guide is intended t be illustrative nly. Agencies may cmbine r undertake activities in a different rder t that presented in this Guide. They may als find that certain activities verlap the individual cmpnents f the risk management prcess. Australian/New Zealand standard While nt mandated by legislatin, it is expected that, where apprpriate, agencies will apply the Australian/New Zealand Standard ISO 31000:2009 Risk management Principles and guidelines (AS/NZS ISO 31000). This guide is nt intended t replace AS/NZS ISO but shuld be read in cnjunctin with it. It is expected that applicatin f AS/NZS ISO and this Guide will lead t agencies imprving their risk management capability, resulting in risk being mre effectively and efficiently managed acrss the Queensland public sectr. Agencies are encuraged t btain a cpy f AS/NZS ISO frm Standards Australia. While this Guide is predminantly based n AS/NZS ISO 31000, agencies shuld be aware f additinal Standards that relate t risk such as, fr example, HB 266:2010 Guide fr managing risk in nt-fr-prfit rganisatins, HB 231:2004 Infrmatin security risk management guidelines, and HB 296:2007 Legal risk management. July 2011 Page 5 f 55

6 Financial Management Terminlgy Framewrk >> Overview Diagram A Guide t Risk Management There are many risk related terms used in this dcument. Definitins fr key terms are lcated in Applicatin Guide 1 - Glssary f Terms. While there is an abundance f risk terminlgy used tday, the terminlgy in this Guide is cnsistent with AS/NZS ISO Where the Guide refers t agencies, this includes bth departments and statutry bdies. Hwever, the specific use f the term departments indicates that the sectin des nt apply t statutry bdies. Practical Guidance Material Applicatin Guide 1 prvides definitins f key terms used thrughut the dcument. July 2011 Page 6 f 55

7 Financia Risk l Management and risk management Framewrk Risk >> Overview Diagram A Guide t Risk Management While there are many varied definitins f risk widely available, ften incrprating industry specific terminlgy, it is generally accepted that if we knw fr certain smething is ging t happen it has n risk attached t it. Shuld there be an element f uncertainty surrunding it, then risk exists. Fr the purpses f this Guide, risk encmpasses bth pssible threats and pprtunities and the ptential impact these may have n the ability f the agency t meet its bjectives. That is, risk relates t bth challenges t, and pprtunities fr, the agency. The Standard separates risk int tw types strategic risk and peratinal risk. Strategic risks relate directly t an agency s strategic planning and management prcesses. Strategic risks are thse which culd significantly impact n the achievement f the agency s visin and strategic bjectives as dcumented in the strategic plan. They are high level risks which require identificatin, treatment, mnitring and management by the agency s senir executives r bard. These risks may need t be managed by mre than ne agency fr the risk treatments t be effective. Operatinal risks are thse which culd have a significant impact n the achievement f: the agency s strategic bjectives (as dcumented in the strategic plan) frm the perspective f the actins undertaken by a particular divisin, branch r wrk unit, r the individual prgrams r prject management bjectives. Operatinal risks generally require management by the relevant senir fficer respnsible fr the divisin, branch r wrk unit, r by the relevant prgram r prject bard. In extreme instances, these risks may require escalatin t executive management. Risk management Risk management embdies an rganisatinal culture f prudent risk-taking within an agency. It is the prcess f identifying, assessing and respnding t risks, and cmmunicating the utcmes f these prcesses t the apprpriate parties in a timely manner. An effective risk management system: imprves planning prcesses by enabling the key fcus t remain n cre business and helping t ensure cntinuity f service delivery reduces the likelihd f ptentially cstly surprises and assists with preparing fr challenging and undesirable events and utcmes cntributes t imprved resurce allcatin by targeting resurces t the highest level risks imprves efficiency and general perfrmance cntributes t the develpment f a psitive rganisatinal culture, in which peple and agencies understand their purpse, rles and directin imprves accuntability, respnsibility, transparency and gvernance in relatin t bth decisin-making and utcmes. This is particularly imprtant fr public sectr agencies, which exist t deliver beneficial utcmes fr the Queensland Gvernment, industry and the cmmunity, and adds value as a key cmpnent f decisin-making, planning, plicy, perfrmance and resurce allcatin, when subject t cntinual imprvement. July 2011 Page 7 f 55

8 Financial Management Framewrk >> Ov A Guide t Risk Management Factrs that inhibit effective risk management can include: a lack f time and resurces allcated t risk management erview Diagram a lack f supprt fr a risk management culture frm executive management difficulty in identifying and assessing emerging risks, especially crss-agency risks a lack f independent assurance ver the effectiveness f the risk management framewrk a lack f clarity ver risk wnership and the respnsibility fr risk management ver- r under-treatment f risks, and unnecessarily cmplex risk dcumentatin. When risk management has cmmitment frm executive management by encuraging a strng rganisatinal culture and awareness f risk, an agency shuld be able t vercme the factrs which inhibit effective risk management. July 2011 Page 8 f 55

9 Financial Management Framewrk >> Overvie A Guide t Risk Management Risk management within the Queensland public sectr Sectin 61 f the Act requires agencies t establish and maintain apprpriate risk management w Diagram systems. There are many benefits f establishing rbust risk management systems t enable threats and pprtunities that face an agency t be apprpriately managed. Risk is an ever present element f public plicy and gvernment service delivery. Effective risk management enables agencies t have increased cnfidence that they can deliver the required services, manage risks and threats t an acceptable degree, and make infrmed decisins abut pprtunities and challenges they face. In the cntext f this Guide, risk management applies t the prcess f identifying, treating and managing risks acrss the entire Queensland public sectr. Risks that need t be identified and managed include: agency strategic and peratinal risks which are managed by individual agencies, but which may becme risks fr the State, due t their size r significance crss-agency risks, where a risk relates t mre than ne agency (fr example, cllabrative prjects) and requires treatment by multiple agencies t be effective, and whle-f-gvernment risks which are beynd the bundaries f any ne agency due t their magnitude and/r impact n service delivery, and which call fr a respnse acrss agencies, wuld require a c-rdinated apprach by a central agency r by a lead agency. 1 As whle-f-gvernment appraches t prject management are becming mre cmmn, there is an increased awareness f the need t manage risks at this level. All agencies need t be aware f and understand ptential significant risks at the whle-f-gvernment level. Identifying, treating and mnitring these risks are a shared respnsibility. 1 Based n Auditr-General f Victria (June 2007) Managing Risk Acrss the Public Sectr: Tward Gd Practice. July 2011 Page 9 f 55

10 A Guide t Risk Management Financial Management Framewrk Relatinship between risk management principles, framewrk and prcess The diagram belw is reprduced frm AS/NZS ISO (with the permissin f SAI Glbal Ltd) and depicts the relatinship between the underpinning principles f risk management, the risk management framewrk, and the risk management prcess. The remainder f the Guide will prvide further infrmatin and practical tips fr agencies t intrduce a rbust framewrk and risk management prcess. >> Overview Diagram Principles Framewrk Prcess a) Creates value b) Integral part f rganisatinal prcesses c) Part f decisin making d) Explicitly addresses uncertainty e) Systematic, structured and timely f) Based n the best available infrmatin g) Tailred h) Takes human and cultural factrs int accunt i) Transparent and inclusive j) Dynamic, iterative and respnsive t change k) Facilitates cntinual imprvement and enhancement f the rganisatin Cntinual imprvement f the framewrk Mandate and cmmitment Design f framewrk fr managing risk Mnitring and review f the framewrk Implementing risk management Cmmunicatin and cnsultatin Establishing the cntext Risk assessment Risk identificatin Risk analysis Risk evaluatin Risk treatment Mnitring and review Surce: AS/NZS ISO (reprduced with permissin frm SAI Glbal) July 2011 Page 10 f 55

11 A Guide t Risk Management Financial Principles Management f risk management Framewrk >> Many factrs will cntribute t the success f risk management thrughut an agency. AS/NZS ISO prvides principles that shuld be adpted by any rganisatin t successfully manage their risks. Overview Diagram While the principles in AS/NZS ISO are relevant t Queensland gvernment agencies, the fllwing principles are cnsidered specific t Queensland gvernment agencies: risk management has a firm cmmitment frm the accuntable fficer r statutry bdy bard the risk management framewrk is integrated with ther agency gvernance prcesses, such as strategic planning, peratinal planning and executive management functins effective risk management is based n a strng rganisatinal culture and awareness f risk at all levels f the agency, which invlves encuraging a risk-infrmed wrkfrce and culture risk management is supprted by a prgram f educatin, training and develpment fr staff that is devted t risk management at key levels in the agency (fr example supervisr, manager, directr and executive) the risk management prcess designates clear wnership f risk accuntabilities, respnsibilities, duties and actins the risk management prcess is practive with crss-agency cmmunicatin f risks, and the risk management prcess draws n bth current experiences and lessns learned. July 2011 Page 11 f 55

12 Financial Risk Management management framewrk Framewrk >> A Guide t Risk Management Risk management is nt an islated functin that exists within the agency. Rather, it is an integral part f strategic planning, strategic management and the everyday activities f the agency. AS/NZS ISO prvides further guidance n develping a sund risk management framewrk. Overview Diagram Three specific areas: the respnsibilities f relevant fficers within an agency; the integratin f risk management int all areas f the agency; and the mechanisms in place t review the framewrk, are discussed in further detail belw: Respnsibilities f agency fficers It is fundamentally the rle f accuntable fficers and statutry bdies and their management teams t ensure that each agency has a rbust internal rganisatinal culture and prcess that is capable f identifying and managing its risks. As required by sectin 78 f the Act, the Head f Internal Audit as defined in the Act is charged with prviding assistance with risk management. Hwever, the respnsibility and accuntability fr implementatin f a risk management framewrk remains with the accuntable fficer r statutry bdy. Objectives and strategies fr risk management shuld be designed t cmplement the agency s existing visin and strategic bjectives. In establishing an verall risk management directin, a clear visin fr risk management shuld be articulated and supprted by plicies and perating principles. An up-t-date, plain English risk management framewrk will guide staff by: describing the risk management philsphy (why?) and prcess (hw?) prviding methds fr identifying, treating, mnitring, and reviewing risk establishing rles and respnsibilities fr effective management f risk (fr example, establishing a risk c-rdinatr rle t lead and manage the risk management prgram acrss the agency and assigning a risk wner t each risk) detailing an apprpriate prcess fr reprting n strategic and peratinal risks, and prviding fr nging cntinuus imprvement thrugh the evaluatin f the bjectives and results f the risk management prcess. The greater the awareness and understanding f the risk management framewrk by all staff, the mre likely it is that staff will wn and apply the risk management principles prmted by the agency and incrprate them in their day t day activities. It is essential that accuntable fficers and senir and executive management mdel all aspects f risk management and principles t prmte a rbust risk management culture within their agency. There is n ne size fits all risk management framewrk that can be applied acrss the varied types and sizes f Gvernment agencies. Executive management needs t cnsider the type f framewrk that will best integrate with its particular peratinal cntext and internal and external envirnment. Agencies shuld refer t existing plicies and prcedures such as the fllwing t assist with develping a framewrk: business peratins reprting mechanisms rganisatinal culture wrkfrce skills and capabilities planning and perfrmance management prcesses budget and resurcing July 2011 Page 12 f 55

13 supprting infrastructure Financial Managemen t Framewrk >> Overview A Guide t Risk Management standards, legislative and regulatry requirements rganisatinal and gvernance structure, and Diagram delegatins f authrity, respnsibility and accuntability. Integratin f risk management Risk management shuld be embedded r integrated int the agency s philsphy and rganisatinal culture (that is, the way we d things arund here ); existing gvernance plicies; and planning, reprting and decisin-making structures at bth the strategic and peratinal levels. Agencies that integrate risk management have a greater likelihd f achieving their strategic bjectives and delivering their services efficiently and effectively. Successful alignment f risk management and gvernance requires fur key factrs: 1. an agency fcus where there is an identifiable surce f risk management expertise in the agency and senir managers cme tgether n a regular basis t discuss risk management issues 2. an agency directin where a clear directin and strategy is established fr risk management, including articulating the agency s risk appetite and giving a clear mandate fr what cnstitutes effective risk management 3. decisin-making structures where risk management is nt a separate prcess, but a key cnsideratin at all parts f the decisin-making chain: being factred int strategic and peratinal planning; included as a cmmn cmpnent in all prject prpsals and business cases; and incrprated int advice t Ministers; and 4. agency capacity and capability where the agency s executive management invests time and resurces t build mmentum, capacity and capability, including: ensuring that there is a shared language f risk management; a cmmn understanding f the principles; training and develpment t build expertise; and established tls and prcesses fr risk management. Integrated risk management requires an nging assessment f ptential risks and pprtunities fr an agency at every level. The results shuld infrm agency level risks, facilitate pririty setting and imprve an agency s decisin making. Clear links shuld be established between risk management, Gvernment plicies and pririties, agency bjectives (vertical integratin), and agency plicy and peratins (hrizntal integratin). Vertical Integratin Vertical integratin invlves: integrating risk management with bjectives at all levels f the agency by prviding a framewrk that links an agency s strategic plan thrugh t its individual peratinal plans integrating risk management with evaluatin and reprting mechanisms, t ensure that risks and risk treatment strategies are mnitred, analysed, reviewed and updated embedding risk management cmpnents int existing strategic and peratinal planning prcesses cmmunicating executive management r bard decisins n acceptable levels f risk establishing escalatin prcesses t be fllwed where a risk is reviewed and falls utside the range f the accepted levels f risk appetite and tlerance, and imprving cntrl, gvernance and accuntability systems and prcesses t take int accunt risk management and results frm the assessment f ptential risks. July 2011 Page 13 f 55

14 Hrizntal Integratin Financial Management Framewrk >> Overview Diagram A Guide t Risk Management Hrizntal integratin invlves integrating risk management int an agency s systems, prcesses and practices and, in particular, the planning and decisin-making prcesses at each level f the agency. When risk management is integrated int strategic and peratinal planning and regular reprting cycles, the additinal risk management infrmatin available shuld enable mre infrmed planning and decisin-making at the agency, crss-agency and whle-f-gvernment levels. Infrmatin shuld be shared thrughut an agency t ensure there is a crdinated apprach t identifying and treating risks. In cnsidering risk, business areas shuld take int accunt the ptential impact f risk treatment n ther business areas, and shuld be encuraged t share best practice/lessns learned with the rest f the agency and acrss agencies. Organisatinal Culture Effectively embedding risk management int the rganisatinal culture is key t achieving integrated risk management. A challenge fr all agencies is t deliver an apprpriate level f investment in strategic risk management bth in time and resurces and clearly cmmunicate the imprtance f risk management as a cre cmpnent f the agency s business. This can be accmplished in a number f ways, such as by: executive and senir managers champining and mdelling risk management prmting the view that all staff in the agency are managers f risk encuraging managers and staff t develp knwledge and skills in risk management, and training and supprting staff in incrprating risk management int their everyday rles and respnsibilities. Risk Management Champin Agencies may cnsider appinting a risk management champin t assist with integrating risk management int the rganisatinal culture. The risk management champin wuld generally reprt t the executive management f an agency; be a senir executive fficer with knwledge f risk management; have the visin, drive and determinatin t lead by example; and have the authrity, respnsibility and supprt t make things happen. In the early stages f implementing integrated risk management, the risk management champin will need t be able t demnstrate t executive management hw it will help them with meeting agency bjectives in the shrt term and better psitin the agency fr the future. The risk management champin wuld be respnsible fr driving risk management awareness, integratin, plicies and strategies. The risk management champin wuld prmte, acrss the agency, an rganisatinal culture that supprts: increased awareness f risk management techniques, practices and prcesses (fr example, identifying and implementing training and develpment pprtunities fr all agency staff) unifrm understanding f the agency s key strategic and peratinal risks and pprtunities (including crss-agency and whle-f-gvernment risks) management f risk fr business functins that have been utsurced frm the agency (fr example, payrll functin), as the agency maintains wnership f such risks staff in identifying and reprting risks t management in a safe, n-blame envirnment awareness f hw risk management can be applied t individual rles and hw it can guide advice t Ministers, and July 2011 Page 14 f 55

15 Financial Management and whle-f-gvernment Fra risks. mewrk >> Overview Diagram A Guide t Risk Management a brad understanding f the relatinship between the agency s risks, crss-agency risks Successful risk management requires invlvement by all agency staff. A supprtive rganisatinal culture, where expertise, learning and innvatin are rewarded, and where a n surprises rather than n risks philsphy is encuraged, shuld assist agencies in develping their risk management prcess. Agencies with a supprtive wrk envirnment tend t: prmte learning by encuraging staff t learn and t value knwledge, expertise, new ideas and innvatin learn frm experience by valuing experimentatin, sharing lessns frm past successes and failures and bringing this learning t planning and risk management, and demnstrate management and leadership by selecting leaders wh are gd caches and teachers, demnstrating cmmitment t staff by prviding tls, pprtunities and resurces and investing in the risk management prcess, including reviewing the prcess peridically. 2 Prviding the right risk management resurces, training and awareness prgrams fr staff is critical t building an effective rganisatinal culture. Mechanisms t review the risk management framewrk Risk management is nt just abut the review f risks themselves. Agencies need t review their risk management capability and gvernance systems t ensure they are delivering effective and rbust risk management that is fit fr the agency s purpse. Internal auditrs may assist in prviding assurance that an agency s risk management framewrk is perating effectively and may als assist with the develpment, maintenance and review f the framewrk, prvided care is taken t maintain independence and bjectivity. This may invlve internal audit being part f a risk prject team in an advisry capacity. Risks, risk prfile, risk management capability and systems, and the risk envirnment are all cnstantly changing and evlving. A regular review f a risk management framewrk will: prvide assurances t the executive management that the agency s risk prfile has been prperly identified, dcumented and assessed ensure the agency s prcedures and gvernance systems are wrking effectively, and ensure that risks are being effectively mnitred and treated t an agreed level. At a minimum, an annual review f the entire risk management prcess shuld be undertaken by the accuntable fficer r statutry bdy. It is imprtant t cnsider lessns learned, bth psitive and negative, and t use these t enhance current practices and prcesses. It is als imprtant t assess whether all elements f the risk management framewrk have been implemented effectively. Respnsibility fr reviewing the risk management framewrk may be allcated t a cmmittee t prvide supprt and advice t the accuntable fficer r statutry bdy. It may be a separate risk management cmmittee, r cmbined with the agency s audit cmmittee. While the cmmittee has n respnsibility fr managing the risks themselves, they may be respnsible fr regularly reviewing and evaluating the risk management framewrk and related gvernance systems t prvide assurance n their efficiency and relevance. It is gd practice fr the cmmittee t carry ut such reviews at least annually, t ensure the prcedures remain fit fr purpse and are up-t-date. The cmmittee shuld take care nt t cnfuse reviewing risk management prcedures with risk management itself. Reviewing the prcess is nt a substitute fr the active management and treatment f an agency s risks. 2 Treasury Bard f Canada Secretariat, Integrated Risk Management Framewrk July 2011 Page 15 f 55

16 Financial Management Framewrk >> Overview Diagram A Guide t Risk Management Fr further infrmatin abut risk management and audit cmmittees, refer t the Audit Cmmittee Guidelines Imprving Accuntability and Perfrmance, December Practical Guidance Material Applicatin Guide 2 prvides pints t be cnsidered when develping a rbust risk management framewrk t assist with integrating and embedding a risk management rganisatinal culture int the agency s existing gvernance, reprting and decisin-making prcesses. Agencies are encuraged t develp a risk management framewrk apprpriate t their circumstances. Applicatin Guide 3 prvides an illustratin f hw risk management interacts with the brader respnsibilities and functins f an agency. July 2011 Page 16 f 55

17 A Guide t Risk Management Financial Risk Management management prcess Framewrk >> As shwn in AS/NZS ISO 31000, the risk management prcess cnsists f seven steps. Each step f the risk management prcess will be cnsidered in detail in this Guide, with practical examples prvided n hw t implement the prcess within agencies. Overview Diagram The seven steps f the risk management prcess are: establishing the cntext risk identificatin risk analysis risk evaluatin risk treatment cmmunicatin and cnsultatin, and mnitring and review While the steps are shwn separately within this prcess, agencies are reminded that the risk management prcess is cntinually ccurring. These prcesses can be undertaken in any sequence as agencies may find that sme prcesses verlap r fall in a different rder. Agencies are encuraged t develp a cmplete risk management prcess that suits their circumstances. Fr example, the sectins n risk identificatin, risk analysis and risk evaluatin can be encmpassed in the ne prcess knwn as risk assessment. The risk management prcess develped by an agency may require refinement after a review f the prcess has been undertaken. July 2011 Page 17 f 55

18 Financial >> A Guide t Risk Management Establishing the cntext Management Framewrk The purpse f establishing the cntext is t determine the bundaries within which the risk management framewrk will perate. It shuld nte the bundaries f the framewrk and the successfully address the risks that may be identified in the assessment phase f the risk management prcess. capacity f the agency t Overview Diagram In establishing the cntext, an agency shuld cnsider: the external and internal envirnment the risk prfile risk appetite and risk tlerance levels a risk matrix and respnsibilities, and the business cntinuity plan. The cntext f the agency shuld be reviewed n a regular basis t ensure any effects n an agency frm these areas are identified n a timely basis. External and internal envirnment Establishing the external and internal envirnment f the agency is the first step in the risk management prcess. It invlves cnsideratin f bth challenges and pprtunities in the cntext f the agency s visin and bjectives, perating envirnment and key stakehlders. The envirnment is imprtant as it sets the parameters within which risks are identified, assessed and managed. As such, it must be sufficiently bradly defined t include a wide range f trends, influences and time hrizns. Agencies will need t cllect infrmatin at bth the strategic and peratinal levels, and include bth the external and internal risks facing the agency. The primary influences n the external envirnment relate t the scial, cultural, plitical, legal, regulatry, financial, technlgical and ecnmic envirnments within which the agency perates. These external influences culd ccur at internatinal, natinal, state, reginal r lcal levels. Influences n the internal envirnment may include: the agency s bjectives and planned results plans established t ensure the agency achieves its bjectives and delivers its services individual prjects being undertaken by the agency the agency s gvernance and accuntability structures plicies established by the agency resurces available within the agency (fr example, infrmatin systems, staffing and funding), and existing risk management expertise and practices. The defined external and internal envirnments shuld be regularly and systematically examined t ensure that they remain apprpriate and desirable. Risk prfile There is a significant interrelatinship between develping a risk prfile and the strategic planning prcess. Risk management underlies all aspects f pririty setting, planning and resurce allcatin. In additin, the risk prfile, with tw-way linkages frm and int each f these areas, prvides a vehicle t integrate them at the whle-f-gvernment level. Thus, the risk prfile is infrmed by and shuld feed back int an agency s strategic planning dcuments and prcesses. In a mature practice f integrated risk management, a rbust July 2011 Page 18 f 55

19 Financial Management >> Overview Diagram A Guide t Risk Management Framewrk strategic and peratinal planning prcess shuld assimilate the risk prfile, eliminating the 3 need t present it separately. Risk appetite and risk tlerance While establishing the cntext, the agency shuld als cnsider its risk appetite, which is the amunt (r range) f risk which is cnsidered by the agency t be acceptable and justifiable. Acrss Gvernment, the risk appetite f individual agencies will differ depending upn the envirnment within which the agency perates. Risk appetite can be expressed as a series f bundaries apprpriately authrised by the agency s executive management. Different levels f staff within an agency shuld be given clear guidance by management n the limits f risk which they can accept. This invlves key discussins being held at varius levels within an agency and acrss agencies especially where there are interrelatinships r similarities. T identify the acceptable levels f risk it is expected that discussins wuld be held at executive level with central agencies t clearly cmmunicate, assess and prvide directin n what are acceptable levels f risk. Discussins wuld cncern plitical, ecnmic, scial, technlgical, legal, envirnmental and financial issues that impact n agencies and n the whle-f-gvernment. In develping the risk appetite fr an agency, cnsideratin may be given t: cmmitments r views previusly expressed by Parliament r Cabinet hw the agency s stakehlders (fr example, the public and Parliament) have reacted t past risk events and issues whether stakehlders have been cnsulted n risk tlerances and perfrmance targets (fr example, via special interest grups), and the agency s perfrmance expectatins, as expressed in its strategic plan and budget dcumentatin. The agency shuld cnsider its risk tlerance at this stage f the prcess. Risk tlerance can be defined as the acceptable variance frm the agency s risk appetite bundaries. Agencies shuld develp prcesses t determine acceptable limitatins and whether r nt they are negtiable. Within an agency, the risk appetite and risk tlerance will generally nt be static. Rather they will differ depending upn the particular challenge r pprtunity at the time. Individual prjects are an example f hw the risk appetite within an agency may differ. Agencies shuld als cnsider an apprpriate prcess where a risk falls marginally utside the desired risk tlerance, but a strng case exists as t why the risk shuld be accepted and managed. Determining an agency s risk appetite is nt a ne-ff event. Bth risk appetite and risk tlerances may change ver time as new infrmatin and utcmes becme available, and as stakehlder expectatins evlve. Risk matrix and respnsibilities A risk matrix shuld cmbine the likelihd f the risk ccurring, and the cnsequence shuld such a risk ccur, t result in the risk rating fr treating and/r mnitring the risk. Parameters shuld be set fr each likelihd and cnsequence in an agency s risk matrix. Fr example, the likelihd f a risk ccurring may be classified as unlikely n a simple matrix if it is expected t ccur less than 5% f the time, r nce in a year. Each pssibility within a matrix shuld be defined and the necessary actin and the relevant fficer respnsible fr the risk dcumented fr each pssibility. The matrix shuld be reviewed with the internal and external envirnments t determine the relevance t the risks 3 Based n Treasury Bard f Canada Secretariat, Integrated Risk Management Implementatin Guide July 2011 Page 19 f 55

20 Financial Management risk criteria. Framewrk >> Overview Diagram A Guide t Risk Management identified by an agency. An agency shuld ensure that all risks are analysed using the same Examples f risk matrices are prvided belw; hwever agencies are strngly encuraged t develp an apprpriate analysis system fr their individual circumstances. Simple risk matrix example CONSEQUENCE LIKELIHOOD Minr Mderate Significant Unlikely Lw Lw Medium Pssible Lw Medium High Likely Medium High High Where an agency cnsiders mre cmplex risk analysis is required (fr example, where a number f risks have been identified and mre detailed analysis is required t rank the risks fr implementatin f risk treatment (refer t Risk Analysis sectin)), then a mre detailed risk matrix shuld be used. Detailed risk matrix example CONSEQUENCE LIKELIHOOD Insignificant Minr Mderate Majr Critical Rare Unlikely Pssible Likely Almst Certain LOW Accept the risk Rutine management LOW Accept the risk Rutine management LOW Accept the risk Rutine management MEDIUM Specify respnsibility and treatment MEDIUM Specify respnsibility and treatment LOW Accept the risk Rutine management LOW Accept the risk Rutine management MEDIUM Specify respnsibility and treatment MEDIUM Specify respnsibility and treatment MEDIUM Specify respnsibility and treatment LOW Accept the risk Rutine management MEDIUM Specify respnsibility and treatment MEDIUM Specify respnsibility and treatment HIGH Quarterly senir management review HIGH Quarterly senir management review MEDIUM Specify respnsibility and treatment MEDIUM Specify respnsibility and treatment HIGH Quarterly senir management review HIGH Quarterly senir management review EXTREME Mnthly senir management review HIGH Quarterly senir management review HIGH Quarterly senir management review HIGH Quarterly senir management review EXTREME Mnthly senir management review EXTREME Mnthly senir management review Agencies may als cnsider develping a matrix fr each divisin, branch, wrk unit, prgram and/r prject. Alternatively, an agency may define the cnsequences int varius risk categries, such as financial risks, ccupatinal health and safety risks, plitical risks, and s n. The agency wuld then prvide a quantitative and/r qualitative descriptr fr each cnsequence. Fr example, a financial risk categry may define an extreme cnsequence as a financial lss greater than $1 millin, r the lss f a business peratin. It is imprtant that agencies determine the level f detail that will be apprpriate fr their circumstances and ensure they develp a risk management system that meets their needs and is within their capabilities. July 2011 Page 20 f 55

21 Business cntinuity plan Financial Management Framewrk >> Overview Diagram A Guide t Risk Management Agencies must recgnise that sme risk is unavidable and it is nt within the ability f the agency t cmpletely manage all risks t a level cmmensurate t an agency s risk appetite. Fr example, agencies have limited cntrl ver risks assciated with terrrist activity r natural disasters. In these instances, the nly actin that can be taken by the agency is the preparatin f cntingency plans fr business cntinuity. A business cntinuity plan shuld include apprpriate crisis management plans that can be activated as required and these plans shuld be tested peridically t ensure their effectiveness. Practical Guidance Material Applicatin Guide 4 prvides elements an agency may need t cnsider when determining their risk criteria and their external and internal envirnment. July 2011 Page 21 f 55

22 Financial >> A Guide t Risk Management Risk identificatin Management Framewrk Once the envirnment within which the agency perates has been established (that is, the cntext), the next stage is the identificatin f individual risks. Overview Diagram The aim f this step is t generate a cmprehensive list f threats and pprtunities based n thse events that might create, enhance, prevent, degrade, accelerate r delay the achievement f the agency s strategic bjectives. Cmprehensive identificatin is crucial, because a risk that is nt identified at this stage will nt be included in further analysis. 4 Risk identificatin shuld include examinatin f the knck-n effects f particular cnsequences, including cascading and cumulative effects f actins. Envirnmental scanning A cmmn methd used by agencies t identify emerging risks is envirnmental scanning. An envirnmental scan is a pwerful risk management and strategic planning tl that entails careful mnitring f an agency s internal and external envirnments t detect early signs f challenges and pprtunities that may influence the agency s current and future plans. It invlves btaining bth factual and subjective infrmatin n the ptential challenges and pprtunities t increase the agency s awareness f the key risks it faces. Key cnsideratins fr agencies when undertaking envirnmental scanning include: the type f risk plitical, legal, ecnmic, envirnmental, sci-cultural, technlgical the surce f risk external (plitical, ecnmic, natural disasters) r internal (reputatin, security, knwledge management) the causes f the risk the impacts f the risk type f expsure (peple, reputatin, prgram results, pririties, funding, assets), and the level f cntrl the degree t which the agency can influence, affect r manage the risk. In undertaking the envirnmental scanning prcess, issues that an agency shuld cnsider include: the frequency f scanning depending n the agency s cntext, envirnmental scanning may be undertaken cntinuusly r peridically (fr example, mnthly r yearly) timeframe fr example, plicy develpment fficers may be interested in develpments ver the next twenty-five years, whilst scanning that supprts peratinal decisin making may be restricted t a six mnth timeframe scpe sme agencies may be fairly inward-lking in their risk identificatin prcesses if they perceive that the majr element f risk arises frm within the agency; thers may need t cnsider a much wider scpe (including internatinal, natinal r interstate) if they cnsider that they may face risks frm a wider envirnment pprtunity/challenge sme envirnmental scanning is cncerned mainly with sptting ptential challenges, but it can equally be used t scan fr pprtunities ( psitive risks ), and many challenges may be cnverted int pprtunities if identified early, and rigur/infrmality envirnmental scanning varies in the extent t which it is structured and supprted by technlgy, that is, sme agencies may use sphisticated assessment schemes and infrmatin search technlgies, while ther agencies will rely almst entirely n infrmal netwrks f cntacts and gd judgement. 5 4 Standards Australia, AS/NZS ISO 31000:2009 Risk management principles and guidelines 5 HM Treasury, The Orange Bk: Management f Risk Principles and Cncepts, Octber 2004 July 2011 Page 22 f 55

23 Financial Managemen t Framewrk >> Overview Diagram A Guide t Risk Management Other resurces r methds that can be adpted by agencies t identify risks include: agency dcuments, such as the strategic and peratinal plans, perfrmance reprts, budgets, and audit bservatins and recmmendatins Parliamentary prcesses and issues highlighted at Estimates Cmmittee hearings media reprts and cmmentary benchmarking the agency s perfrmance against that f ther agencies undertaking brainstrming activities preparing a strength-weakness-pprtunity-threat (SWOT) analysis what-if scenaris t seek reactin frm stakehlders, and the use f surveys and questinnaires. Irrespective f the methd used by the agency t identify the risks, it is vital that relevant and up-t-date infrmatin is used, and that peple with apprpriate knwledge are invlved in the risk identificatin prcess. Practical Guidance Material Applicatin Guide 5 prvides cnsideratin pints that relate t an agency s risk identificatin prcess and highlights ptential surces f risks. Applicatin Guide 6 utlines ptential surces f risk that may ccur at an agency, crss-agency and/r whle-f-gvernment level fr agencies t cnsider. July 2011 Page 23 f 55

24 Financial >> A Guide t Risk Management Risk analysis Management Framewrk Risk analysis invlves analysing the impact f the ptential tial challenge r pprtunity, starting with an assessment f the cnsequences as well as the likelihd f a risk ccurring. Overview Diagram A cmmn apprach fr analysing risk is thrugh the use f the risk matrix that the agency wuld have develped previusly refer t Establishing the cntext sectin. Where an agency cnsiders the risk analysis prcess t be relatively straight-frward (fr example, an agency with few external stakehlders may cnsider risk analysis simpler than fr an agency with cnsiderable public interest and scrutiny), then categrisatin f the risk as high, medium r lw may be cnsidered sufficient. The agency shuld use critical judgement t determine the level f analysis that is required based n what is apprpriate and reasnable. The prcess fr analysing risk will differ frm agency t agency; hwever, an individual agency shuld ensure all risks within its agency are assessed using the same methd. Where cllabratin between agencies is required, an agency may need t adpt a flexible apprach t risk analysis when assessing a crss-agency risk. Hwever, prvided practical, relevant and rbust prcesses are in place at all levels, risk analysis shuld infrm agency level risks and whle-f-gvernment risks. Once an agency s risks have been identified and analysed, management may use a simple table t summarise the assessment. Fr example: Risk Assessment Lw Medium High Tw step apprach t assessing risk Agencies may cnsider using a tw-step apprach t assessing risk. The first step invlves assessing challenges r pprtunities based n their inherent risk. This is the risk that exists prir t any internal cntrls being implemented t manage the risk. After inherent risk is assessed, agencies culd fcus n the residual risk, which is the risk which remains after actin has been taken t manage the risk (and assuming the actin is perating effectively). Advantages f using this tw-step analysis apprach include: assisting management with identificatin f excessive r ineffective cntrls, and ensuring management is aware f the agency s expsure if the cntrl fails. If the tw-step apprach is implemented, bth inherent and residual risk will need t be reassessed whenever cntrls are adjusted r envirnmental scanning indicates that circumstances may have changed. The fllwing is a simple example f dcumenting risk based n a tw-step apprach: Inherent assessment RISK Likelihd Cnsequence Residual assessment CONTROLS IN PLACE Likelihd Cnsequence ACTION PLANNED AND OWNER As can be seen frm the abve table, when a tw-step apprach is adpted, risk analysis, risk evaluatin and risk treatment are interrelated prcesses, which need t be cnsidered by the agency simultaneusly. July 2011 Page 24 f 55

25 Practical Guidance Material Financial Management Framewrk >> Overview Diagram A Guide t Risk Management Applicatin Guide 7 prvides agencies with key cnsideratin pints when analysing risks. July 2011 Page 25 f 55

26 Financial >> A Guide t Risk Management Risk evaluatin Management Framewrk Once an agency has identified and analysed its risks, they shuld be evaluated t determine which risks are t be treated and the pririty fr treatment implementatin. This prcess is eatment ptins are utlined in the Risk treatment sectin. knwn as risk evaluatin. Tr Overview Diagram When evaluating risks agencies shuld cnsider: the external and internal envirnment the agency perates in (that is, the established agency cntext) this will largely invlve the verall strategic directin f the agency the risk appetite f the agency, as established earlier in the risk management prcess fr example, where the agency is invlved in speculative activities, high risk activities may nt always require pririty treatment the risk appetite f parties ther than the agency (that is, the stakehlders) fr example, sme high risk activities may be mre acceptable t the public than thers any legal, regulatry r ther requirements which may exist fr example, if the risk culd result in legal actin against the agency, this risk may be a high pririty if the prbability f ccurrence is high, and the cst/benefits f treating the risk. The highest pririty shuld be given t thse risks that are evaluated as being the least acceptable. High pririty risks shuld be given regular attentin, review and evaluatin. Over time, specific risks and risk pririties will change, and an agency will need t review and evaluate its priritisatin prcess. Further infrmatin is prvided in the sectin n Mnitring and review. Practical Guidance Material Applicatin Guide 8 utlines sme f the areas that shuld be cnsidered when evaluating and priritising risks within an agency. July 2011 Page 26 f 55