Avondale College Limited Enterprise Risk Management Framework

Transcription

1 Avondale College Limited Enterprise Risk Management Framework

2 President s message Risk management is part of our daily life, something we do regularly; often without realising we are doing it. It is the process of considering the potential consequences of our actions or inactions, and the probability of those consequences occurring, and then making decisions accordingly. This framework, and its supporting documentation, provides guidance to all Avondale College of Higher Education staff on how to deal with risks in the work context. Effective risk management at all operational levels of the College will ensure that we are able to provide a high quality learning program for our students preparing them with the knowledge, skills and confidence to participate effectively in the community and economy and to achieve our mission: - Fostering a Christian higher education learning community that is dedicated to serving world needs. I therefore ask all staff to ensure that they familiarise themselves with this framework to effectively manage risks that arise in the course of delivering our services. Professor Ray Roennfeldt President Avondale College of Higher Education 2 P a g e

3 Contents Introduction 4 Purpose 4 What is risk management? 4 Our Policy 4 Risk management principles 5 Risk hierarchy 6 Risk governance and accountabilities 8 Risk system 9 Risk management process 9 Risk registers 10 Risk reporting 11 Risk capability 11 Implementing risk management 11 Monitoring, review and continual improvement of the Framework 13 Definitions 14 Acknowledgements 16 3 P a g e

4 Introduction Purpose The implementation of this framework will ensures that we embed risk management in our academic and business practices and that we manage risks effectively and efficiently to deliver our outcomes. What is risk management? Risk is the effect of uncertainty on business objectives. This effect can be either positive or negative. Risk management is the coordination of activities that direct and control Avondale with regard to risks. 1 Risk management involves managing these adverse effects as well as realising opportunities. Risk management refers to the deliberate actions that Avondale takes to identify, understand and deal with risks as we achieve our objectives. Our policy Risk management helps us to promote accountability through good governance and ethical decision making. We embed risk management into our culture, governance and accountability arrangements, planning, reporting, quality management, review and evaluation, and improvement processes. Avondale has a low risk appetite for risks relating to: The health, safety and wellbeing of our students, our staff and the community we interact with; The administration of our finances and the assets available to us, and Legislative and policy compliance. At the same time, Avondale may have a higher risk appetite for innovation and improving best practices including improvement of our service delivery and/or increased efficiencies, where these benefits outweigh the risks. Each administrator and business unit manager will determine and communicate to their staff, the business unit s risk appetite as part of their risk assessment process. They will also ensure that the business unit s risk appetite stays within the Enterprise Risk Appetite Framework as determined by the College Council. Our risk management approach is directed through: Compliance with legislation, policies and procedures; and Alignment with the provider standards and best practice. 1 AS/NZ ISO 31000:2009 Risk Management Principles and Guidelines 4 P a g e

5 Effective risk management practice is modelled by: Administrators and Senior Executives by demonstrating leadership managing risk; and Employees by identifying, analysing, evaluating, treating, monitoring and reviewing risk. All Avondale employees are responsible and accountable for risk management. Risk management principles 2 1. Creating value effective risk management contributes to the achievement of the Avondale s objectives and improves performance in corporate governance, project management, finance, work health safety of employees and customer satisfaction. 2. An integrated pat of organisational processes risk management is not something that is in isolation to the operations of the College and as such needs to be an integral part of the Avondale s governance and accountability arrangements, performance management, planning and reporting processes. 3. Part of decision-making risk management assists Avondale s decision makers by allowing them to make informed decisions, prioritise activities and identify the most effective and efficient courses of action. 4. Explicitly addresses uncertainty risk management assists College Council, Administrators and senior managers with the identification of uncertainty and how it can be addressed through a range of strategies such as sourcing risk assessment information and the implementation of risk controls. 5. Systematic structured and timely risk management contributes to Avondale being efficient and being able to produce consistent, comparable and reliable results. 6. Based on the best available information risk management should focus Avondale on drawing on diverse sources of historical data, expert judgement and stakeholder feedback to allow it to make evidence- based decisions. The College s decision makers should also be cognisant of the limitations of data, modelling and divergence amongst experts. 7. Tailored risk management aligns with the internal and external environment within which the College operates, such as the Australian corporation legislation, higher education standards framework and risk assessment framework, higher education legislation, privacy legislation and consumer guarantee legislation, labour legislation, work health safety legislation to mention a few and in the context of Avondale s risk profile. 2 AS/NZ ISO 31000:2009 Risk management Principles and guidelines 5 P a g e

6 8. Human and cultural factors taken into account risk management recognises that that capabilities, perceptions and aims of people both internal and external to the College can aid or hinder the achievement of the its objectives and strategies. 9. Transparent and inclusive risk management requires appropriate and timely involvement of the Avondale s stakeholders to ensure that it stays relevant and up to date. By involving stakeholders in decision making processes enables the Company to take diverse views into account when determining risk criteria. 10. Dynamic, iterative and responsive to change risk management allows the College to respond swiftly to both internal and external events such as changes to the environmental context and knowledge, the results of monitoring and reviewing activities engaged by the Avondale and the new risks that emerge and others that change or disappear. 11. Facilitates continual improvement and enhancement of the company risk management facilitates continuous improvement of the College s operations by developing and implementing strategies to improve risk management maturity. Risk hierarchy Risk management should be implemented by ensuring that the risk management process is applied to all relevant levels and functions of the organisation as part of its practices and process. 3 In the framework there are three levels of risk management strategic, corporate and operational. The risk hierarchy defines accountability for identifying, treating, monitoring, communicating and managing risks throughout the organisation. Plans Hierarchy of Risk Accountability Strategic Plan Strategic Risks College Council The strategic plan describes the common purpose and direction of Avondale, identifies key priorities and strategies to achieve objectives and sets the policy for the next three year planning cycle. Risks that may have a positive or negative impact on achieving the College s strategic purpose and objectives. This also includes wider organisational and sector risks. Risks at this level affect the decisions made around organisational 3 AS/NZ ISO 31000:2009 Risk management Principles and guidelines 6 P a g e

7 Enterprise Operational Plans Annual plans that identify the key accountabilities in implementing the strategic plan, key strategies and targets. Plans are developed through a process of environmental scanning and reviewing past performance and risks to determine upcoming challenges and new priorities. Other cascading Plans These include planning done by Faculties, Schools and business units as well as planning for projects. Individual Performance and & Development Plans Individual employee Performance Review, Planning and Professional Development (PRPPD) enables staff to identify how their work contributes to achieving their business unit objectives priorities, resource allocation and tolerance and acceptance of risk. Corporate Risks Risk or opportunities that may affect achieving the objectives of the planned outcomes of performance identified through the operational plans. Operational Risks Risks or opportunities that affect plans cascading from the enterprise operational plan and achieving the deliverables of projects. Risks at this level relate to the business unit s systems, resources and processes. Operational Risks When identifying their responsibilities or professional development requirements, employees also need to consider their responsibility in regard to risk management. President and Executive Committee Deans, Heads of School, Managers and Supervisors Individuals 7 P a g e

8 Risk governance and accountabilities Risk governance includes mechanisms that ensure accountability and authority for managing risk, implementing the risk management framework, and providing risk management assurance. The President has ultimate responsibility and accountability for implementing the risk management framework and encouraging a risk management culture. The College Council sets and reviews the strategic direction, priorities and performance objectives for the College. It is responsible for: o Championing a risk management culture and embedding risk into the Council s strategic discussion and analysis; and o Overseeing the management of strategic risks, including reviewing and approving controls and treatments established in the organisation. The Audit and Risk Committee provides the President and College Council with independent audit and risk management advice. The Academic Board ensures that there are controls in place to manage the risks associated with ensuring the quality and delivery of the academic program. The Executive Committee ensures that there are controls in place to manage the risk associated with with the operation the College. Vice Presidents (within their area of responsibility) are responsible for: o Ensuring that all employees are aware of and comply with the risk management framework, policy and procedures. o Ensuring risk management is integrated into planning, reviewing and reporting procedures; and o Reporting on corporate risks. Faculty Deans, Heads of School, managers and supervisors are responsible for: o Overseeing operational risks, including reviewing and approving controls and treatments; and o Escalating high or extreme operational risks to the Presidents and/or Vice Presidents and where applicable College Council. All employees are required to apply risk management processes within their work unit. The Control owner is responsible for the management of policy, procedures or process that has been identified as a control for a risk. The risk owner: o Ensures that the risks they own are managed appropriately; o Monitors progress against treatment plans; o Ensures that the risk review is timely; o Ensures the currency of the risk register and responds to actions that have been assigned to them; o Ensures treatment owners(s) are assigned; and o Accepts that risk escalation does not remove risk owner s responsibilities The Treatment owner: o Is responsible for treating risks; and 8 P a g e

9 o Reports to the risk owner about implementing treatments within specified timeframes. The Vice President Finance and Risk is responsible for developing, implementing, reviewing and continuously improving the Enterprise Risk Management Framework, Business Continuity Management Framework and associated policies and procedures. The Audit and Risk Committee provides the President and College Council with objective assurance on the effectiveness of risk management. Risk System As part of the Framework, the risk system consists of components which are intended to assist the College with getting risk management right. These components are: The Risk Management Process; Risk Registers; Risk Reporting; and Risk capacity. Risk management process The risk management process is designed to ensure a robust approach to informed decision-making, consistent assessments, and that a common language is used and understood across Avondale College. Consistent with AS/NZS ISO 31000, the risk management process consists of seven steps as outlined below. Steps in the risk management process Process Step Description Purpose Communication and Consultation Involving Stakeholders (internal and external and information sharing throughout the risk management process, vertically and horizontally across the College. Context is appropriately defined. Employees that are involved throughout the risk process understand the basis for decisions and actions required. Lessons learnt are shared and transferred to those who can benefit from them. Establish Context Understanding the College s objectives and defining the external and internal environment within which the College operates. Understand factors influencing the ability to achieve objectives Determine boundaries within which the risk management framework operates 9 P a g e

10 Risk Assessment Risk Identification Identifying risks, their sources, causes and potential consequences Risk Analysis Comprehending the nature of the risk and determining the level of risk exposure (likelihood and consequence). Risk Evaluation Comparing the risk analysis with the risk criteria to determine whether the risk is acceptable or tolerable Risk Treatment Selecting one or more options for modifying the risk. Reassessing the level of risks with controls and treatments in place. (residual risk) Monitoring and Review Determining whether the risk profile has changed and whether new risks have emerged. Checking control effectiveness and progress of the treatment plan. Define risk criteria to ensure risks are assessed in a consistent manner. Generate a comprehensive list of threats and opportunities based on those events that might enhance, prevent, degrade, accelerate or delay the achievement of objectives. Provide an understanding of the inherent (level of exposure should controls fail) and controlled risk (level of exposure with controls in place) Assist with identifying ineffective controls. Inform risk evaluation and guide risk treatment. Determine whether the controlled risk is acceptable. Determine if controlled risks need further treatment. Identify priority order in which individual risks should be treated. Identify treatments for risk that fall outside the College s risk tolerance Provide an understanding of the residual risk (level of risk with controls and treatments in place). Identify priority order in which individual risks should be treated monitored and reviewed. Provide currency of risk information Identify emerging risks. Provide feedback on control efficiency and effectiveness. Identify whether any further treatment is required. Provide a basis to reassess risk priorities. Capture lessons learnt from event failures, near misses and success. Risk registers The risk register enables Administrators, Managers and employees to document, manage, monitor, review and update strategic, corporate and operational risk information. Risk register reporting allows Council and management to monitor and review risks in alignment with the strategic plan, operational plans and other cascading plans. 10 P a g e

11 Information from the risk management process is recorded, reported and monitored using the College s risk register and/or the business unit s risk register. Risk Reporting Risk reports are to be tailored by the entity or business unit to support management decision making during the planning and review process. Risk reports draw information from the risk registers and may include the following: A demonstration of the link between objectives and risks; Priorities, based on the risk rating, accompanied by information on key controls and treatments needed to modify the risk; Risks that are getting worse, success of treatment plans and risks that require additional attention; New risks that may still need to be fully considered and understood; Main areas of exposure; Systemic control analysis; Untreated risks and risk treatments that are overdue; and Risk owners Building Risk Capacity Avondale has to build manager and employee awareness and develop skills in getting risk management right. This increased awareness and understanding provides managers and employees with greater self confidence and willingness to take responsibility for the management of risk across the College. To facilitate this Avondale is working on developing various training and development tools and products that business units will be able to access to improve their risk management capability. Implementing risk management Risk management should be implemented by ensuring that the risk management process is applied at all relevant levels and functions of the organisation as part of its practices and processes. 4 The risk management process for the College is articulated in the diagram below which provides an overview of how the steps in the College s Enterprise Risk Management Process integrate with the College s planning, reviewing and reporting cycle; risk governance components of the Framework; and the actions required from the risk monitoring and reviewing process. 4 Risk management Principles and guidelines (AS/NZS ISO 31000:2009) 11 P a g e

12 Communication and consultation Risk Assessment Monitor and review Risk Register Avondale College Risk Management Process Plans (Strategic, Operational, Cascading) Risk Management Process President Establish and maintain a suitable system of internal controls and risk management Audit & Risk Committee Provides independent audit and risk management advice College Council Sets and reviews the strategic direction, priorities and performance objectives of the College. Establish context Identify risks Analyse risks Evaluate risks Vice-Presidents and Managers Integrate risk management within areas of responsibility Comply with risk management framework and processes, including maintenance of a risk register Extreme High Medium Risk Monitoring and Review Undertake control evaluation Treatment plan required Immediate escalation to College Council Undertake control evaluation Treatment plan required Review by President and Vice- Presidents with escalation to College Council Monitor using routine procedures/appropriate internal controls Undertake control evaluation Treat risks Low Monitor at operational level using routine procedures / appropriate internal controls Performance Reviews Risk Reports (Strategic, Corporate, other specialty areas) 12 P a g e

13 The Enterprise Risk Management Process has been designed to provide the risk owner with the necessary resources to ensure that risk management decisions are based on a robust approach, assessments are conducted in a consistent manner and a common language is used and understood across the College. As part of the Enterprise Risk Management Process, the Risk Appetite Table provides risk owners with a tool for considering the severity of the consequences of risk The Risk Matrix expresses the College s tolerance for risk, by making a determination as to the level of risk that is acceptable, based on the combined likelihood of the risk occurring and potential consequences of the risk. The matrix will dictate the points at which risks need to be escalated. Monitoring, review and continual improvement of the Framework Risk management should support organisational performance through indicator based risk review, progress measurement against the risk management plan, risk framework appropriateness and effectiveness and risk reporting. Continual review of the framework should be based on results of monitoring and reviews, with decisions relating to how the framework, policy and plan can be improved to support management of risk and an improved risk management culture 5 Continuous improvement is strategically integrated within the College s corporate objectives to ensure that the College continues to evolve towards best practice. Governance, Strategy and Planning is responsible for continual improvement of the College s risk management which includes the Enterprise Risk Management Framework. Some of the processes that are designed to support continuous improvement and review of the Framework include: Regular assessment of the quality of risk management processes and evidence prepared by business units to identify opportunities for improvement A baseline and ongoing risk management culture survey data to inform improvement, communication and training requirements Regular benchmarking reviews of models, frameworks and standards used in other organisations and jurisdictions to ensure that Avondale s Framework continues to reflect best practice Ongoing training and development for Administrators and Managers to ensure that they are equipped with a sound knowledge and skills base Inclusion of, and measurement against, performance measures relating to the College s performance with regard to risk management and other key governance processes in Corporate Strategy and Performance operational plan. 5 Risk management Principles and guidelines (AS/NZS ISO 31000:2009) 13 P a g e

14 The Council will review the Framework annually to ensure that it continues to meet the College s demands as risk management coninuously matures and improves. Definitions Consequence Outcome of an event Control Any pre-existing process, policies, devices, practices or other actions which modify risk. Controls may not always exert the intended or assumed modifying effect. Controlled Risk Levels of risk, taking into account the adequacy and the effectiveness of controls in place. Control Owner The officer/position responsible for managing a policy, procedure, process or other action that has been identified as a control for a risk. Event Occurrence or change of a particular set of circumstances Environmental Scanning The careful monitoring of an organization's internal and external environments for detecting early signs of opportunities and threats that may influence its current and future plans. In comparison, surveillance is confined to a specific objective or a narrow sector. Inherent risk Level of risk without consideration of the effect of existing controls and treatments. Likelihood Chance of the risk occurring. Priority Risks Risks that are assessed as high or extreme after controls and treatments. Residual Risk Level of risk remaining after controls and treatment are taken into account. Risk Effect of uncertainty on the achievement of objectives. An effect is a deviation from the expected and can be positive and/or negative. Risk Appetite The willingness to accept risk in pursuit of outcomes. Risk Criteria Terms of reference against which the significance of a risk is evaluated. Risk Escalation Communicating risks requiring attention to the appropriate level of management for higher level involvement. Risk Level Expression of the effect of a risk, in terms of its likelihood of occurring, and the consequences if it were to occur. Risk levels are assessed at the inherent, controlled, and residual (after treatments have been applied) positions. Risk Management Coordinated activities to direct and control an organisation with regard to risk. Risk Management Framework Components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management. 14 P a g e

15 Risk Owner A person with accountability and authority to manage risk. Risk Profile Description of any set of risks. Risk Tolerance Readiness to bear the risk, after treatment, in order to achieve outcomes. Risk Treatment A process to modify risk. Treatment Owner Officer/position responsible for treating risks. 15 P a g e

16 Acknowledgements This Framework has been based on and adapted from: 1. State of Queensland (Department of Education Training and Environment), Enterprise Risk Management Framework State of Queensland (Department of Education Training and Environment), Enterprise Risk Management Framework Standards Australia, AS/NZS ISO 31000:2009 Risk management Principles and guidelines. 4. The State of Queensland (Queensland Treasury) A Guide to Risk Management, July The State of Queensland Department of the Premier and Cabinet, Risk Management Guide, May Victorian Managed Insurance Authority, Risk Management: Developing & Implementing a Risk Management Framework, March Department of Treasury and Finance (Vic), Victorian Government Risk Management Framework, March HM Treasury, The Orange Book: Management of Risk Principles and Concepts, October HS Government, Risk: Good Practice in Government, March P a g e