1 RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES GOVERNMENT ACCOUNTING SECTION DEPARTMENT OF FINANCE MARCH 2004
4 Risk Management Guidance CONTENTS Pages List of guidelines on risk management 3 1. Introduction Initiating Risk Management and sustaining it Risk Management Structures Risk Identification Risk Assessment Mitigating Risk Risk Monitoring and Reporting Appendices 1) Extracts from the Mullarkey Report relevant to risk management 2) Questions designed to test the extent to which risk management has been embedded in an organisation 3) Sample risk register 4) Risk Management models and standards
5 GUIDELINES ON RISK MANAGEMENT 1. Each Department 1 is to initiate risk management as an integral and ongoing part of its management process and it is the MAC that should put in place effective mechanisms to carry out risk management accordingly. 2. The risk management process should be kept as simple and straightforward as possible, and existing structures should be used, as far as possible. 3. Each Department should have clearly defined risk management structures and responsibilities. 4. Departments should repeat the process of risk identification at least once a year. 5. Departments should assess identified risks at least once a year. 6. When risks have been identified and assessed, Departments should determine an appropriate method for addressing them. 7. Departments risk management systems should provide for monitoring and reporting at various levels of management. 1 Throughout this document Department(s) should be read as Department(s)/Office(s)
7 1 INTRODUCTION 1.1 Purpose of this guidance. This document has three purposes: First it provides an introduction to the concept of risk management. Second it outlines the roles and responsibilities of managers and staff in establishing and maintaining a robust organisation-wide approach to managing risk and provides a number of specific guidelines that Departments should follow in this regard. Third it describes a number of techniques that can be employed to develop a structured and systematic approach to managing risk. 1.2 Mullarkey Report recommendations on risk management The Report of the Working Group on the Accountability of Secretaries General and Accounting Officers (the Mullarkey Report), endorsed by the Government and published in January 2003, inter alia, recommended that risk assessment and management should be integrated into the management processes of Departments within two years of the publication of the Report. The Report recommended that the risk management system should concentrate on the principal risks to the organisation as well as the principal risks arising from its relationship with other organisations. The risk assessment and management process should be integrated into existing management systems and should be kept as simple and straightforward as possible. In introducing a risk management programme full use should be made of existing systems, processes, procedures and reporting structures. Risk management should feature on the agenda of divisional meetings and of the meetings of the Management Advisory Committee. It should also be integrated with the business planning cycle. The Report also recommended that central guidance on the development of a risk strategy appropriate to Government Departments should be prepared by the Department of Finance. This Guidance Note aims to fulfill the Department of Finance s role in the process. Appendix 1 contains all the text of the Mullarkey Report relevant to risk management.
8 1.3 What is risk and why is it important to manage it? Risk can be thought of as a possible loss or other adverse consequence that has the potential to interfere with a Department s ability to achieve its objectives and fulfill its mission. Risks to the achievement of objectives can be due to both internal and external events. Effective risk management offers Departments a means of improving their strategic, operational and financial management. It can also help to minimise financial losses, service disruption, adverse publicity, and threats to public health or compensation claims. 1.4 What is risk management? Risk management is a process of clearly defined steps which support better decisionmaking by contributing a greater insight into risks and their impacts. Risk management is not a stand-alone activity that requires special skills and resources that add to the administrative burden. The focus should be on successfully managing risk rather than on the system of risk management. Therefore Departments should integrate risk management practices into existing corporate frameworks, rather than advancing risk management as an isolated operation. Staff should be encouraged to manage risks systematically and this should lead to the development of a risk management culture in Departments rather than a standalone risk management function. Perhaps the position of risk management can be summed up in three key messages: risk management is the concern of everyone in the Department; risk management is part of normal day-to-day business; the process of managing risk is logical and systematic and ideally should become second nature. 1.5 Benefits of risk management By identifying risks and implementing an action plan to address them in a systematic way, Departments can protect their ability to provide public services. By including risk management in strategic planning processes, Departments can make decisions on services with a greater degree of safety. Of course, risk management will become standard practice only if there is a clear understanding of what it entails and the benefits that it can secure for the achievement of key objectives. Departments will therefore need to consider how the benefits of risk
9 management should be achieved e.g. by considering what specific staff training might be required. Appendix 2 lists a number of questions designed to test the extent to which risk management has been embedded. 1.6 Risk Management Cycle The process of risk management involves a cycle of identifying risks, evaluating their potential consequences and determining the most effective methods of responding to them (i.e. of reducing the chances of them occurring and reducing the impact if they do occur). The cycle is completed by a system of regular monitoring and reporting. Figure 1 The Risk Management Cycle Risk Identification Risk Reporting Risk Assessment Risk Monitoring Risk Mitigation Sections 4 to 7 deal with each stage of the risk management cycle.
11 2 INITIATING RISK MANAGEMENT AND SUSTAINING IT Guideline Each Department is to initiate risk management as an integral and ongoing part of its management process and it is the MAC that should put in place effective mechanisms to carry out risk management accordingly. Initiating Risk Management The responsibility for risk management within an organization clearly lies with the board (or equivalent) who should be responsible for setting the strategy and senior management who should be responsible for implementing the strategy, although it is clear that everyone within an organization bears some risk management responsibility [The Institute of Internal Auditors UK and Ireland - Position Statement] Risk Management is a very important management process. Its importance requires that MAC be seen to initiate it and attach proper weight to it, and also that MAC be seen to put in place effective mechanisms to ensure that the Department s risks are properly identified, and assessed and managed, and regularly reviewed and reported on. The approach to risk management should be driven by a Department s objectives as detailed in its Statement of Strategy. Risk management strategies and programmes should focus on those items that could prevent the achievement of the objectives specified in the Statement of Strategy. There is a need to start sensibly and build from a solid base. Departments may choose to concentrate initially on a small number of high impact and likelihood risks. Alternatively only a small number of risks could be initially identified for each Division. Sustaining it The MAC decision should make clear who is to do what as regards risk management, and should set a clear timeframe for completion of a first round of risk identification, assessment and mitigation and the submission of a report to it on the outcome. The MAC decision should also make clear that:
12 risk management is to be an ongoing process by laying down a rota preferably annual according to which risks are to be identified and assessed, and accompanying control measures are identified and put in place, and a report made to MAC, risk management is to be a regular agenda item at Divisional meetings and where relevant risk management responsibilities are to be included on PMDS forms. Finally, risk management is to be an ongoing feature of Departmental management from now on, so it can be improved as time goes on. There should be regular review and reporting to management on risk management and on the integration of risk management into business planning. The crucial thing at the beginning is to get a sensible, practical process going that produces results. The process can always be perfected over time.
13 3 RISK MANAGEMENT STRUCTURES Guideline Each Department should have clearly defined risk management structures and responsibilities. Guideline The risk management process should be kept as simple and straightforward as possible, and existing structures should be used, as far as possible. 3.1 Risk management will have a better chance of becoming embedded in a Department if it is operated on the basis of clearly-defined structures and responsibilities. The structures or framework a Department chooses will depend on the business and size of the Department. In all cases the risk structure should be integrated into existing management structures and there should be a role for internal audit. In many cases, particularly in large Departments, there may be a need for dedicated structures to co-ordinate management of risk. It is a matter for each Department to decide on the structures it will use. However, as the Mullarkey Report emphasises, the risk management process should be kept as simple and straightforward as possible and should be integrated into existing management systems. In smaller Departments it may be possible to combine the roles of certain of the structures outlined below e.g. the roles of the risk committee and audit committee or the roles of the risk management team and the MAC. The following paragraphs describe different management structures in Departments and the sort of role each could play in the risk management process. 3.2 Existing Management Structures (i) The MAC (Management Advisory Committee) MAC should initiate risk management and direct the overall process. MAC should receive reports on the operation of the risk management system and demand actions. It is the responsibility of the MAC and senior management in a Department to ensure that there is a robust risk management process in place.
14 (ii) Heads of Division with their senior managers, should be responsible for: Implementing the Department s risk management process in their Division; Identifying, evaluating and signing off on risks at Divisional level; Owning and managing the risks within the Division s organisational or functional remit on a day to day basis; Ensuring clear roles and responsibilities for risk identification, management and reporting are defined within their areas using PMDS and business planning; Ensuring compliance with the formal risk reporting requirements on an ongoing basis; Ensuring risk management awareness throughout the Division. (iii) Staff: individual members of staff should be made responsible for Operating and monitoring the system of internal control; Proactively identifying risk issues and bringing these to the attention of management; Ensuring that all risks are identified and reported in a timely and effective manner. 3.3 Audit Structures (i) Audit Committee Audit Committees should be responsible for reviewing and agreeing the processes for managing risk in the Department. The Audit Committee should have a standing agenda item on risk at its meetings and should receive feedback from the head of Internal Audit and the Department s management on the implementation and performance of the risk management process. Such feedback should include the five key areas of identifying, assessing, mitigating and reviewing and reporting on risks.
15 (ii) Internal Audit Unit Internal audit has a central role in advising Accounting Officers on the state of a Department s risk management processes. Internal audit should regularly review risk management to ensure that it is robust. When deciding the most appropriate role for it to play in a Department, internal audit should assess the extent to which it can add value to the process of risk management. Of course, internal audit always needs to heed the professional requirement for independence and objectivity. Primary responsibility for risk management lies with line management. Internal Audit s involvement should stop short of responsibility and accountability for risk management across the organization and of managing risks on management s behalf. However, in order to add value, it is often beneficial for internal audit to give proactive advice or to coach management on embedding risk management processes into business activities. [From Institute of Internal Auditors UK and Ireland: Position Statement on the Role of Internal Audit in Risk Management] 3. 4 Dedicated Risk Structures (i) Risk Register Departments will need to maintain centralised records about their risks in a risk database or register. The register will be a primary tool for risk tracking, containing the overall system of risks and the status of any risk mitigation actions. There are a number of IT-based risk tracking solutions that Departments may wish to explore. Typically such database systems provide for the inputting of risks; and for the assessing of them; and contain a reports module allowing different reports and analyses to be generated at various levels e.g. Divisional and Departmental, plus an incident reporting module that allows for reports on specific incidents as they occur. A mock-up of an extract from a risk register is shown at Appendix 3. (ii) Risk Committee Existing structures should be used to the greatest extent possible. Most Departments will want to assign this function to an existing committee of management. Where this is not possible, Departments should establish dedicated risk structures such as risk
16 committees and risk teams. Risk committees are representative of different functional areas (technical, specialist as well as policy) and would have the responsibility of coordinating the efforts of the MAC and Line Divisions. A risk committee would also report to the MAC on the lessons learned from risk occurrences. Typical responsibilities of an existing committee of management assigned the risk function or a dedicated Risk Management Committee would be to: Oversee the implementation of the Department s Risk Management; Define and review on a regular basis, the Department s risk policy, methodology and standards; Create awareness, across the Department, of the need to identify and manage risk effectively; Monitor the management of risk throughout the Department and report on a regular basis to the Department s MAC and Audit Committee. As far as possible, the Risk Management Committee should be an existing management committee of the Department, either the MAC itself, or, where they exist, the Assistant Secretary or PO Group. (iii) Risk Management Team In some cases, particularly in the larger Departments, there may be a need for a dedicated risk management team. The volume of its resources which a Department will commit to such a team will vary depending on needs. A typical role for such a team would be: Assisting the Risk Management Committee with development of risk management policy and the supporting framework; Assisting and providing guidance to divisions of the Department on the management of risk; Coordinating the management of risk for business processes that may cross the boundaries of business areas, divisions and locations ( cross cutting issues);
17 Providing an analysis of risk findings on a regular basis for the Risk Management Committee; Maintaining the risk management reporting system.
19 4 RISK IDENTIFICATION Guideline Departments should repeat the process of risk identification at least once a year. The process of identifying risk exposures is key to the success of a risk management process as all other elements of the process flow from this initial step. It is crucial therefore that a thorough job of risk identification is accomplished on a regular basis, but at least annually. Risk identification attempts to identify an organisation s exposure to uncertainty. This requires a detailed knowledge of the organisation, the legal, social, political and cultural environment in which it operates, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives. The process of drawing up statements of strategy should ensure that these elements are in place. It will be a matter for every Department to identify for itself the risks it faces as an organisation. The Mullarkey Report identifies four main categories of risk. These, and other categories likely to be relevant to a Government Department, are set out below and could be used as a starting point to identify a Department s areas of risk: (i) Four risk categories identified by Mullarkey: Strategic risks (risks that may be external to the organisation such as the economic climate, including factors such as interest rates, exchange rates and inflation). Operational risks (relating to the procedures/technologies etc. employed to achieve particular objectives). Financial risks (relating to the procedures/systems/accounting records in place to ensure that the organisation is not exposed to avoidable financial risks, including risks to assets). Reputation risks (involving risks to the public reputation of the organisation and their effects).
20 (ii) Other risks to be considered Commercial risks; Litigation risks; Economic/market risks; Legal and regulatory risks; Organisational management / human factors risks; Political / societal factors; Environmental factors / force majeure ( Acts of God ); Technical / operational/ infrastructural issues. As regards how to identify risks, examples of risk identification techniques include: Listing the obvious risks to continuity of service Brainstorming (When, where, why and how are risks likely to arise?) Questionnaires (e.g. to heads of divisions) Workshops (perhaps facilitated jointly by management and internal audit) Incident investigations Audits and inspections Cost-benefit analysis SWOT analysis Sensitivity analysis Cash flow analysis Decision trees
21 5 - RISK ASSESSMENT Guideline Departments should assess identified risks at least once a year. When the important risks facing a Department have been identified, the next step is to assess them. Two approaches to risk analysis are outlined below to assist Departments to structure their own approach to risk analysis. These approaches are only examples and Departments may find that other approaches or variants of those illustrated may be more appropriate to their circumstances. (i) The Risk Map Risk mapping is a simple and useful method for assessing risks identified. It involves plotting them on a matrix or map against relevant criteria. The assessment is usually carried out on the basis of two criteria; significance/impact and likelihood. Having identified risks, they are recorded in the appropriate quadrant of the map. Figure 2 shows such a risk map. Risks located in the upper right hand side of the matrix i.e. those of both high impact and likelihood will require the close attention of management. Figure 2 Classic Risk Map Higher Upper Left Quadrant (high severity/low likelihood risks) Upper Right Quadrant (high severity/high likelihood risks) Significant risks that are unlikely to happen Risks that threaten business objectives Significance Lower Left Quadrant (Low severity/low likelihood risks) Lower Right Quadrant (Low severity/high likelihood risks) Relatively low risks Risks that arise from day to day Lower Lower Likelihood Higher
22 (ii) Risk Criteria Another method of assessment is to evaluate risks on the basis of specific critieria. The example below demonstrates how risk could be assessed on the basis of three criteria; Impact, Likelihood and Effectiveness of Existing Controls. Departments could opt for a variation on this structure or different scoring system, for example scoring only on the basis of Impact and Likelihood. Impact on the Department: The impact on the Department if the risk actually happens is estimated using a scale of 1 to 5, where 1 is equivalent to having no significant impact and 5 is equivalent to having an extremely detrimental impact. Likelihood of occurrence: The likelihood of occurrence is estimated again on a scale of 1 to 5 where 1 is rarely, if ever and 5 is almost unavoidable/already happening. Effectiveness of existing controls: The effectiveness of existing controls is estimated using a scale of 1 to 3 where 1 is highly effective and 3 is no controls/controls ineffective. A risk score is determined by multiplying the risk impact by the risk likelihood. This risk score is then multiplied by 1, 2 or 3 depending on the control effectiveness to determine the risk reporting level. Possible Risk Reporting Level: 0 12 Green Amber 25+ Red Under this method, the risk scores are defined as follows: Impact Likelihood 1 = No significant impact 1 = Rarely, if ever 2= Minor impact 2 = Possible 3 = Significant but containable impact 3 = Likely 4 = High Impact 4 = Very likely 5 = Extremely detrimental effect 5=Almost unavoidable/ already occurring
23 Control Effectiveness 1 = Controls highly effective 2 = Controls could be improved 3 = No controls / controls are ineffective Risk Colours Red: Issues that require immediate attention of senior management. Amber: Issues that need constant monitoring by senior management. Green: Issues that need to be reviewed from time to time.
25 6 - MITIGATING RISKS Guideline When risks have been identified and assessed, Departments should determine an appropriate method for addressing them. Before considering which method is most appropriate to a particular risk, Departments will firstly need to consider the adequacy and appropriateness of any existing controls. The most important way of responding to risks is risk reduction: Risk Reduction The majority of risks will be addressed under this heading. The objective is not to prevent the risk totally, but to contain it to an acceptable level. Risk reduction strategies aim to minimise the frequency or severity of the negative impacts of a risk. An example of a risk reduction strategy is the preparation of contingency plans to expedite recovery from losses. There are alternative approaches to dealing with risks but these are less likely to be used in the Civil Service: Risk Avoidance i.e. deciding not to undertake an activity or programme etc., while clearly a very effective way of controlling risks, is not often a practical option for a Government Department. Risk Transfer: The scope for transferring risk in the context of a Government Department may be limited. In the private sector for example, risk transfer might be achieved through such things as normal insurance cover or contracting out of services. Departments should ensure that the costs of controls to mitigate risk are not disproportionate to the potential impact of a risk being managed. Departments should also bear in mind that business continuity management is an essential element towards mitigating the effects of risks on the key activities of a Department.
27 7 - RISK MONITORING AND REPORTING Guideline Departments risk management systems should provide for monitoring and reporting at various levels of management. MAC The risk analysis will identify the risks that would have the greatest potential for negative impact and high likelihood. Using the risk analysis examples in section 5 these would be risks positioned in the upper right hand quadrant of a risk map or the risks identified as red. These risks perhaps representing only 20% of risk but having perhaps 80% of potential impact should become the focus for particular attention from the MAC. Divisions should: be aware of the significant risks that come within their area of responsibility; the possible impacts those risks could have on other areas of the department and the consequences other Divisions risks might have on them report systematically and promptly to senior management about risk management, in particular about perceived new risks or failures of existing controls. Staff Individual members of staff should: understand their accountability for risks report systematically and promptly to senior management on any perceived new risks or failures of existing controls. MAC, and in particular the Accounting Officer, should be assured that the risk management processes are working effectively and MAC should know how the Department will manage a crisis. This will require regular testing of contingency plans to deal with risks identified.
28 The retention of records is an important element of a good risk management system. Records document the fact that risks have been identified and remedies considered. Management may be reluctant to release such records for sensitivity reasons and because they would highlight weaknesses detrimental to the effective management of the organisation. Departments should ensure that they achieve a consistent approach to FOI requests relating to risk management records and should have regard to any guidance in this area issued by the FOI Central Policy Unit, Department of Finance.
31 APPENDIX 1 EXTRACTS FROM THE MULLARKEY REPORT RELEVANT TO RISK MANAGEMENT From the Executive Summary to the Report 46. Historically, Government Departments have had procedures in place to manage financial risks particularly in so far as they relate to the stewardship of public funds. Systematic risk management across a range of risks (strategic, operational, financial and reputational) is becoming recognised as an increasingly important part of the internal control framework as the identification and management of risk is seen as necessary to maximize the achievement of desired outcomes. [ ] 47. The Group considers that risk assessment and management are important elements in a robust system of internal control which should be integrated into the management processes of Departments. It recommends that the following approach be adopted in introducing a formalised risk management system: Central guidance on the development of a risk strategy, appropriate to Government Departments, should be prepared by the Department of Finance. This should address the principal elements of the risk identification and management process. Within Departments the risk management system should concentrate on the principal risks to the organisation as well as the principal risks arising from its relationship with other organisations. The risk assessment and management process should be integrated into existing management systems and should be kept as simple and straightforward as possible. In introducing a risk management programme full use should be made of existing systems, processes and procedures. For example, Audit Committees could advise on Departmental risk management strategies. Risk assessment should also be formalised into the processes for the preparation of the Strategy Statement, business plans, PMDS and annual reports. Risk management should feature on the agenda of divisional meetings and of the meetings of the Management Advisory Committee. [6.32] From Chapter 6 of the Report Risk Management 6.29 Systematic risk assessment and management is becoming an increasingly important part of internal control as its identification and management is seen as necessary to maximise the likelihood of achieving desired outcomes. As part of this process formalised risk management is becoming an increasingly important element of the internal control framework in Central Government in the UK and internationally. 2 The Canadians, for example, are placing greater 2 Adapting the requirements of the Turnbull Report UK Departments, executive agencies, executive Non-Departmental Public Bodies, are required to sign a statement on Internal Control (which has a
32 emphasis on risk management as part of their programme to modernise comptrollership (i.e. a set of principles and processes that underpin how management carry out their stewardship responsibilities). The risks to be addressed as part of a risk assessment and management programme are wideranging and include strategic, operational, financial and reputational risk. A risk strategy does not mean that sensible risks should not be taken, but that they should be properly assessed and managed The Group considers that risk assessment and management are key elements in a robust system of internal control. As stated above, because of the relevance of a sound system of internal control to all the activities of the Department, measures taken to assess and manage risks should work to support the Secretary General as civil service head of the Department (including in his/her Accounting Officer capacity) Risks fall into a variety of categories, some of the most common of which include Strategic risks (risks that may be external to the organisation such as the economic climate, including factors such as interest rates, exchange rates and inflation). Operational risks (relating to the procedures/technologies etc. employed to achieve particular objectives). Financial risks (relating to the procedures/systems/accounting records in place to ensure that the organisation is not exposed to avoidable financial risks, including risks to assets). Reputation risks (involving risks to the public reputation of the organisation and their effects) Historically, Government Departments have had procedures in place to manage financial risks particularly in so far as they relate to the stewardship of public funds. Risk assessment and management, in the wider sense referred to above, is also carried out informally in Departments but formal risk management strategies are not, in general, in place. The Group considers that there is strong case for integrating them formally into the management processes of the Department and it recommends that this be done. The Group is aware, in proposing greater formalisation of the risk management process, of the pressure on Departments arising from the modernisation agenda and other initiatives. It is also aware that particular difficulties arise for smaller Departments and Offices in implementing new initiatives. For that reason it recommends that the following approach be adopted in introducing a formalised risk management system: strong emphasis on risk assessment and management) in respect of the first financial period after 1 January 2001.
33 Central guidance on the development of a risk strategy, appropriate to Government Departments, should be prepared by the Department of Finance. This should address the principal elements of the risk identification and management process. 3 Within Departments the risk management system should concentrate on the principal risks to the organisation as well as the principal risks arising from its relationship with other organisations. The risk assessment and management process should be integrated into existing management systems and should be kept as simple and straightforward as possible. In introducing a risk management programme full use should be made of existing systems, processes and procedures. For example, Audit Committees could advise on Departmental risk management strategies. Risk assessment should also be formalised into the processes for the preparation of the Strategy Statement, business plans, PMDS and annual reports. 4 Risk management should feature on the agenda of divisional meetings and of meetings of the Management Advisory Committee. From Chapter 8 of the Report 4. Central guidance on the development of a risk strategy appropriate to Government Departments/Offices [para 6.32] should be prepared by the Department of Finance within twelve months. 5. Formal Risk Management Strategies should be introduced into the management processes of Departments/Offices [para 6.32]. This should be done within 2 years. 3 There is already a substantial amount of literature available which should facilitate the preparation of such guidance. 4 This is already being done in some Departments. For example the Department of Agriculture, Food and Rural Development, in the context of the business planning process, has asked each Division to include an assessment of the key risks it faced - strategic, operational, financial and reputational. The Department will draw up a Risk Management Programme drawing on appropriate external expertise.
35 APPENDIX 2 The UK National Audit Office publication, Supporting Innovation: Managing Risks in Government Departments, includes a series of questions designed to test the extent to which risk management has been embedded in an organisation. The questions are grouped under a number of key headings and can be summarised as follows: Question Source of supporting evidence Does the Management Board support and promote the risk management system? Does the organisation s culture support well thought through risk taking and innovation? Are risk management policies and the benefits of effective risk management clearly communicated to all staff? Is risk management fully embedded in the organisation s management processes? Are the risks associated with working with other organisations assessed and managed? Such questions could form the basis of internal surveys in Departments to assess progress in embedding risk management on an annual basis.
37 Mock up of an extract from a risk register. DESCRIPTION DIVISION STRATEGY STATEMENT OBJECTIVE NO. CONSEQUENCES MEASURES TO ADDRESS APPENDIX 3 ADDITIONAL ACTION OWNER RISK NO. LIKELIHOOD IMPACT CONTROL EFFECTIVENESS RATING 2/04 Impact of an increase in BSE cases in ROI Beef Division RED 3/04.. 4/04 -Fall in public confidence in beef. -Financial consequences for livestock industry -. -Develop communications strategy Review efficacy of control measures Head of Beef Division
39 APPENDIX 4 Risk management models and standards As noted in the Mullarkey Report, there are several risk management models and standards available, e.g. Risk Management [AS/NZS 4360:1999] published jointly by Standards Australia/Standards New Zealand. That standard offers a very comprehensive model for enterprise wide risk management. Standards Australia/Standards New Zealand have also released a number of other risk standards focused on particular sectors including Guidelines for Environmental Risk Management [HB203:2000] and Guidelines for managing risk in healthcare [HB228:2001]. The UK Treasury has also issued a number of risk management guidance documents notably Management of Risk; A Strategic Overview commonly known as the Orange Book. In addition, professional bodies such as the Institute of Internal Auditors - UK and Ireland (IIA) and the Chartered Institute of Public Finance and Accountability (CIPFA) have issued risk management guidance
Bridgend County Borough Council Corporate Risk Management Policy December 2014 Index Section Page No Introduction 3 Definition of risk 3 Aims and objectives 4 Strategy 4 Accountabilities and roles 5 Risk
Confident in our Future, Risk Management Policy Statement and Strategy Risk Management Policy Statement Introduction Risk management aims to maximise opportunities and minimise exposure to ensure the residents
RISK MANAGEMENT STRATEGY 1 Introduction The purpose of this document is to outline a which facilitates the effective recognition and management of risks facing the University. The Combined Code on Corporate
Document: EB 2008/94/R.4 Agenda: 5 Date: 6 August 2008 Distribution: Public Original: English E IFAD Policy on Enterprise Risk Management Executive Board Ninety-fourth Session Rome, 10-11 September 2008
ROCKHAMPTON REGIONAL COUNCIL ENTERPRISE RISK MANAGEMENT FRAMEWORK 2013 Adopted 25 June 2013 Reviewed: October 2015 TABLE OF CONTENTS 1. Introduction... 3 1.1 Council s Mission... 3 1.2 Council s Values...
Derbyshire County Council Management Policy Statement The Authority adopts a proactive approach to Management to achieve Best Value and continuous improvement and is committed to the effective management
A Risk Management Standard Introduction This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk management
Corporate Governance Risk Management Policy Approved by the Council of Ministers, May 2006 1. Background The Isle of Man Government is working to promote better risk management, with emphasis on the importance
Corporate Risk Management Policy Managing the Risk and Realising the Opportunity www.reading.gov.uk Risk Management is Good Management Page 1 of 19 Contents 1. Our Risk Management Vision 3 2. Introduction
Integrated Management Policy Document reference number Document developed by Quality and Patient Safety Directorate Revision number 4 Document approved by Quality and Patient Safety Directorate Approval
Risk Management Policy and Process Guide Status: pending Next review date: December 2015 Page 1 Information Reader Box Directorate Medical Nursing Patients & Information Commissioning Operations (including
Risk Management Framework Version Adoption by Council: 2013 Resolution Number: 2013/177 Current Version: V1.0 TRIM CON: 12/1132 Administered by: Governance Coordinator Last Review Date: 2013 Next Review
IIA POSITION PAPER: THE ROLE OF INTERNAL AUDITING IN ENTERPRISE-WIDE RISK MANAGEMENT Revised: Page 1 of 8 Introduction The importance to strong corporate governance of managing risk has been increasingly
Risk Management Manual V1.0 - Eurojuris ISO 9001:2008 Certified Section Page No 1 An Introduction to Risk Management 1-2 2 The Framework of Risk Management 3-6 3 Identification of Risks 7-8 4 Evaluation
Guidance notes: Financial Planning & Managing Risk This guidance note is particularly for governors on the audit or finance committee, but will be of interest to all governors. What is the governing body
MARCH 2012 Version 1.10 Strategic Risk Policy Update March 2012 v1.10.doc Document History Current Version Document Name Risk Management Policy Statement and Strategic Framework Last Updated By Alan Till
106 LEICESTERSHIRE COUNTY COUNCIL RISK MANAGEMENT POLICY STATEMENT 2011-2012 Leicestershire County Council believes that managing current and future risk, both opportunity and threat, is increasingly vital
Avondale College Limited Enterprise Risk Management Framework 2014 2017 President s message Risk management is part of our daily life, something we do regularly; often without realising we are doing it.
Risk Analysis toolkit MMU has a corporate Risk Management framework that describes the standard for risk management within the university. However projects are different from business as usual activities,
2015 Draft Corporate Governance Standard for Central Government Departments FOR PUBLIC CONSULTATION CONTENTS About this Standard... 1 Governance Principles... 3 Part 2 - Governance Framework... 7 Chapter
ANNEX C Risk Management & Business Continuity Manual 2011-2014 Produced by the Risk Produced and by the Business Risk and Business Continuity Continuity Team Team February 2011 April 2011 Draft V.10 Page
Business Continuity Management Policy May 2009 Document Document drafted by Office of Quality and Risk Reference Number OQR032 Document approved by Ms. E. Dunne, Head of Quality and Risk Revision Number
Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version
FINANCIAL REPORTING COUNCIL INTERNAL CONTROL REVISED GUIDANCE FOR DIRECTORS ON THE COMBINED CODE OCTOBER 2005 FINANCIAL REPORTING COUNCIL INTERNAL CONTROL REVISED GUIDANCE FOR DIRECTORS ON THE COMBINED
CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT JANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14
Policy and Procedure Statement SUBJECT: Enterprise Risk CATEGORY: General Administration NO. 502-G PREAMBLE Risk exists in all activities and cannot be avoided, nor can it always be eliminated. However,
4 November 2013 Performance and Resources Board 15 To consider Risk Management Framework Issue 1 To consider a draft revised Risk Management Framework as requested by Council at its meeting on 7 February
AGENDA ITEM 9 TRANSPORT FOR LONDON SAFETY, HEALTH AND ENVIRONMENT ASSURANCE COMMITTEE SUBJECT: REVIEW OF TFL RESILIENCE MANAGEMENT POLICY FRAMEWORK DATE: 20 JULY 2010 1 PURPOSE AND DECISION REQUIRED 1.1
Risk Management in the HSE; An Information Handbook Document reference number Revision number OQR011 Revision date October 2011 Review date Document developed by 5 Document approved by October 2013 Responsibility
The Lowitja Institute Risk Management Plan 1. PURPOSE This Plan provides instructions to management and staff for the implementation of consistent risk management practices throughout the Lowitja Institute
Risk Management Policy DOCUMENT CONTROL Developed by: Date: Origination: Quality, Systems & Shared s March 2014 Authorised by: Colette Kelleher April 2014 DOCUMENT REVIEW HISTORY Original Circulation date:
Annex 1 TITLE VERSION Version 2 Risk Management Strategy and Policy SUMMARY The policy provides the framework for the management and control of risk within the GOC DATE CREATED January 2013 REVIEW DATE
APPENDIX 5 POLICY : CORPORATE RISK MANAGEMENT 1 Scope This is a Service wide policy. 2 Aims and Objectives Lancashire Combined Fire Authority provides services to a diverse range of people and organisations,
Risks and uncertainties Our risk management approach We have a well-established risk management methodology which we use throughout the business to allow us to identify and manage the principal risks that
the role of the head of internal audit in public service organisations 2010 CIPFA Statement on the role of the Head of Internal Audit in public service organisations The Head of Internal Audit in a public
Integrated Risk Management: A Framework for Fraser Health For further information contact: Integrated Risk Management Fraser Health Corporate Office 300, 10334 152A Street Surrey, BC V3R 8T4 Phone: (604)
Business Continuity Management Policy Business Continuity Policy Version 1.0 1 Version control Version Date Changes Author 0.1 April 13 1 st draft PH 0.2 June 13 Amendments in line with guidance PH 0.3
What Every Director Should Know How to get the most from your internal audit Endorsed by Foreword This is the second edition of our flagship governance guide What every director should know. Since we published
UNIVERSITY OF LONDON RISK MANAGEMENT POLICY Introduction 2 Guide to Risk Management 2 Underlying approach to Risk Management 2 Components of the Risk Management Framework 3 Role and Responsibilities of
09 May 2016 Following up recommendations/management actions Chartered Institute of Internal Auditors At the conclusion of an audit, findings and proposed recommendations are discussed with management and
Business Plan 2015 Published January 2015 BUSINESS PLAN 2015 CONTENTS Contents... 2 Introduction... 2 Commission Strategy Statement... 3 How the Commission sets its priorities... 5 Our major priorities
Item 6.5a Action Plan against the Recommendations Made in the Review of Risk Management Arrangements by PM Governance, November 2014 Key: PM Governance Paul Moore, Risk Consultant ADCA Associate Director
Risk Management Policy Adopted by: Infigen Energy Limited Infigen Energy (Bermuda) Limited Infigen Energy RE Limited in its capacity as Responsible Entity of Infigen Energy Trust Adopted: 17 December 2009
Merthyr Tydfil County Borough Council DRAFT Risk Management Policy & Strategy April 2014 Prepared by: Kerry O Donovan Page 1 of 47 Contents Page Numbers Foreword 3 Merthyr Tydfil County Borough Council
Guide to the National Safety and Quality Health Service Standards for health service organisation boards April 2015 ISBN Print: 978-1-925224-10-8 Electronic: 978-1-925224-11-5 Suggested citation: Australian
Business Continuity Policy Version.0 January 206 Contents Contents Version control Foreword Policy. Scope.2 Aim and objectives.3 Methods and standards.4 Responsibilities.5 Governance.6 Training and exercises
Year 2000 Business Continuity Planning: Guidelines for Financial Institutions Introduction The purpose of this paper is to help financial institutions, in particular their senior management, address business
BUSINESS CONTINUITY STRATEGY January 2009 CONTENTS Page BACKGROUND 1 OVERVIEW 1 AIM AND OBJECTIVES 1 CORE BUSINESS OF THE COUNCIL 2 ORGANISATION STRUCTURE 2 RISK IDENTIFICATION AND MITIGATION STRATEGIES
TRUST SECURITY MANAGEMENT POLICY EXECUTIVE SUMMARY The Board recognises that security management is an integral part of good, effective and efficient risk management practise and to be effective should
Policy No: RM66 Version: 3.0 Name of Policy: Business Continuity Planning Policy Effective From: 19/06/2014 Date Ratified 05/06/2014 Ratified Business Service Development Committee Review Date 01/06/2016
Business Continuity Policy St Mary Magdalene Academy V1.0 / September 2014 Document Control Document Details Document Title Document Type Business Continuity Policy Policy Version 2.0 Effective From 1st
Risk Management Plan 2012-2015 This controlled document shall not be copied in part or whole without the express permission of the author or the author s representative. Revision Date Previous Revision
Islamic Relief Worldwide Financial Business Partner BASE LOCATION: REPORTING TO: LINE MANAGEMENT RESPONSIBILITIES: London, UK Senior Financial Accounting manager None PURPOSE OF DIVISION: The Finance and
Public sector November 2007 Improving information to support decision making: standards for better quality data A framework to support improvement in data quality in the public sector Improving information
House of Commons Corporate Governance Framework What is Corporate Governance? 1. Good corporate governance is fundamental to any effective organisation and is the hallmark of any well-managed corporate
Performance Management Development System (PMDS) for all Staff at NUI Galway PMDS.doc 1 1. Introduction The Performance and Development Review System (PMDS) for NUI Galway has its foundation in Sustaining
DATA QUALITY STRATEGY If you or anybody you know requires this or any other council information in another language, please contact us and we will do our best to provide this for you. Braille, Audio tape
CONSTRUCTION PROCUREMENT BEST PRACTICE GUIDELINE #A5 Construction Industry Development Board Pretoria - Head Office Tel: 012 482 7200 Fraudline: 0800 11 24 32 Call Centre: 0860 103 353 E-mail: email@example.com
BUSINESS CONTINUITY MANAGEMENT POLICY AUTHORISED BY: DATE: Andy Buck Chief Executive March 2011 Ratifying Committee: NHS Rotherham Board Date Agreed: Issue No: NEXT REVIEW DATE: 2013 1 Lead Director John
Internal Audit Standards Department of Public Expenditure & Reform November 2012 Copyright in material supplied by third parties remains with the authors. This includes: - the Definition of Internal Auditing
Risk Assessment Tool and Guidance (Including guidance on application) Document reference number Revision number OQR012 Document developed by 5 Document approved by Revision date October 2011 Responsibility
Principal risks and uncertainties Our risk management approach We have a well-established risk management methodology which we use throughout the business to allow us to identify and manage the principal
RISK MANAGEMENT POLICY Version 3 Version: Version 3 Version 3 Authors: Liz Hollman, Mary Klaus, Sarah Langan-Hart Approved by: Healthcare Governance Committee Trust Board Approved date: May 2009 Review
Section A: Introduction, Definitions and Principles of Infrastructure Resilience A1. This section introduces infrastructure resilience, sets out the background and provides definitions. Introduction Purpose
Railway Management Maturity Model (RM 3 ) (Version 1.02) March 2011 Published by the Office of Rail Regulation 1 Contents Introduction... 1 Excellence in safety management systems... 3 Governance, policy
GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental
POLICY CG01 RISK MANAGEMENT Document Control Statement This Policy is maintained by the Governance and Organisational Strategy. Any printed copy may not be up to date and you are advised to check the electronic