The Lowitja Institute Risk Management Plan

1. PURPOSE

This Plan provides instructions to management and staff for the implementation of consistent risk management practices throughout the Lowitja Institute (the Institute). The risk management process is cyclical and is linked to the Institute's ...

A risk management process which provides a rigorous and systematic framework for understanding the likelihood of risks associated with opportunities for optimising outcomes is essential. It is a tool which identifies threats to the Lowitja Institute's objectives and enables the development of strategies to mitigate adverse consequences. In a time when there is increasing pressure on the private, public and not-for-profit sectors to display better governance, an appropriately framed risk management methodology is critical to maintaining and enhancing the performance of the Institute.

This Plan contains the requirements for establishing and maintaining an enterprise risk management framework for the Institute, which is integral to sound management practice. It sets a common approach and outlines the responsibilities of management and staff to systematically manage risk consistent with the Australian Standard on Risk Management (AS/NZS ISO 31000:2009).

2. SCOPE

This Plan applies to all Institute employees, including permanent employees, those under employment contract, term appointments (including secondments) or temporary arrangements, volunteers, contractors and consultants. It applies to all Institute business and project management processes, including strategic planning, business planning, policy development, program administration and decision making at the strategic and operational levels.

3. DEFINITIONS (ISO 31000)

Consequence: outcome of an event affecting objectives.
Hazard: a source of potential harm.
Inherent risk: a subjective measure of the level of a risk without considering the effectiveness of controls.
Likelihood: chance of something happening.
Residual risk: a subjective measure of the risk remaining after risk treatment.
Risk analysis: process to comprehend the nature of risk and to determine the level of risk.
Risk owner: the person or entity with the accountability and authority to manage a risk (i.e. the person responsible for managing the identified risk, including implementing and monitoring the effectiveness of mitigation strategies, and reporting as needed on the status of the risk to the Chief Executive Officer or Board).
Risk treatment: process to modify risk (Note: risk treatments that deal with negative consequences are sometimes referred to as risk mitigation strategies, risk elimination strategies, risk reduction strategies, risk prevention strategies and/or risk control).
Risk: the effect of uncertainty on objectives.

THE LOWITJA INSTITUTE RISK MANAGEMENT PLAN FINAL 2012-09-20 PAGE 1 OF 17
4. ROLES AND RESPONSIBILITIES

The following provides a high-level overview of the roles and responsibilities:

The Lowitja Institute Board: overall responsibility for risk management.
Chief Executive Officer: compliance with the Institute Risk Management Policy and the Institute Risk Management Plan.
Chief Operations Officer: monitoring of compliance with the risk framework and process.
All Staff: active management of risk in accordance with the Lowitja Institute Risk Management Policy and this Risk Management Plan.

5. PLAN OVERVIEW

Introduction
The Institute will work within its Enterprise Risk Management (ERM) framework to minimise the effect of uncertainty on its business and project objectives. The Institute recognises that, whilst risk is inherent in all its activities, the management of risk is good business practice, creates value, is integral to sound corporate governance and, in some instances, is a mandatory legal requirement. In particular, effective risk management can lead to better decision making and planning as well as better identification of opportunities and threats.

Risk Appetite
The Institute's risk appetite is expressed through its risk appetite statement (Attachment F), its descriptions of consequence and likelihood, its matrix for rating risk and its risk register.

ERM
ERM is a structured, consistent and continuous process used across the Institute at the strategic/corporate level, the operational level and the common operational areas. It is used for identifying, assessing, deciding on, responding to and reporting on opportunities and threats that affect the achievement of the Institute's corporate and business objectives (see Figure 1). The Institute's risk management activities fit within all quadrants.
Figure 1: The Institute Enterprise Risk Management Structure (four quadrants: Corporate/Strategic (Enterprise Level); Operational (Business Unit Level, Significant & High Risks); Common Operational Areas (Functional / Specific Reviews); Cross Business Unit (Major Projects, Major Contracts))

a. Corporate/Strategic
This level relates to the strategic risks associated with the Institute carrying out its business objectives as articulated in the Institute Business Plan.

b. Operational
This area relates to the management of risks associated with the Institute's Business Units meeting their specific objectives.

c. Common Operational Areas
These areas support both the Corporate/Strategic and Operational management of risk. This includes OHS risk and hazard management.

d. Cross Divisional and/or Major Projects, Major Contracts
This area relates to major initiatives of the Institute, either through its business units or through cross-business-unit processes. For major projects a full risk register will be developed, utilising the risk categories set out in Attachment C.

The Institute Board reporting
The Institute Risk Register, including mitigation strategies, will be assessed and reported against to the Board annually in Quarter 3 (May) of each financial year.

Monitoring and review of the Institute Risk Register
The Institute Risk Register will be reviewed on a quarterly basis by the Chief Executive Officer, with presentation to a quarterly meeting of Senior Managers. On an annual basis a full reassessment of risks, controls and strategies will be conducted and presented to the Board. The Board should be regularly apprised of significant risk mitigation activities and provided with assurance that Risk Management Plans are in place for each Organisational Level risk and that satisfactory risk mitigation is being undertaken for Operational risks.
Monitoring and review of the Institute Major Projects Risk Register
The Lowitja Institute Board should be regularly apprised of significant risk mitigation activities and provided with assurance that Risk Management Plans are in place for each Project Level risk.

Monitoring and review of risk framework
The Institute's risk management framework will be reviewed on an annual basis as part of the continual improvement process set out in AS/NZS ISO 31000.

Documentation, communication and evaluation
Documentation of each step of the risk management process will be undertaken. Appropriate documentation demonstrates accountability, provides a record against which it can be determined that the process has been carried out correctly, and enables decisions and/or processes to be reviewed.

Communications
The Chief Executive Officer is responsible for the development of a communication plan to ensure that all relevant people are kept informed of the risk management framework and its implementation.

Linkages
The outcomes and outputs of the risk management processes will form inputs to the Institute's internal audit, compliance and assurance activities, and vice versa.

Risk management integration
The approach to managing risk is to be embedded within the Institute's decision-making structures and operational procedures.

6. THE INSTITUTE RISK WHEEL

The Institute has identified a number of key risk areas (listed at Attachment A). These areas, or spokes of the wheel, provide a framework for identifying risks. This is consistent with the Institute's ERM approach, which is structured to ensure that all risks in the Institute, particularly those ranked as High or above, are identified and effectively managed.

7. USING THE RISK MANAGEMENT FRAMEWORK

The steps outlined below are based on the Australian/New Zealand Standard - Risk Management AS/NZS ISO 31000:2009 (see Figure 1). The Institute is to follow this process in completing the risk register template (refer to Attachment B).
Figure 1: The Risk Management Process (AS/NZS ISO 31000:2009) (stages: Communicate and Consult; Establish the Context; Identify risks; Analyse risks; Evaluate risks; Treat risks; Monitor and Review)

Stage 1: Establish the Context
This step involves establishing the context in which the rest of the process will take place. The objectives, strategies and scope of the activity, or of the part of the Institute to which the risk management process is being applied, should be established. A key step in the Institute's risk process is the need to identify and evaluate risks in relation to how they affect the Institute's ability to deliver the results, outcomes and strategies identified in the Institute Business Plan.

Stage 2: Identify risks and risk owner (see columns 1, 2, 3, 4, 5 and 6 of Attachment B)
This step seeks to identify the risks that need to be managed. The aim is to generate a list of risks that might have an impact on the achievement of the Institute's outcomes/objectives. These risks might prevent, degrade, delay or enhance the achievement of those objectives. Given the experience of staff in the Institute, it is intended that risks are identified using judgements based on experience and existing risk registers, and through brainstorming workshops. Descriptions of identified risks consider source and impact: what the risk is, whom it impacts upon and what the impact is.

Identifying the risk and risk owner involves the following steps:
o Describe the nature of the risk (Column 3). The Risk Categories in Attachment A provide a link to issues that may be considered when identifying possible risks.
o Link the risk to the most relevant Institute Risk Category (Column 1).
o Allocate an Institute risk number (Column 2).
o Identify a risk owner (Column 4).
o Identify the causes of the risk (Column 5).
o Provide a brief description of the impact/consequence of the risk (Column 6).

In assessing the impact/consequences, consideration may be given to a range of issues including business management, political, commercial and legal, finance and human resources. A detailed Consequence Table is included as Attachment E.

Stage 3: Analyse risks
Analysing the risks involves the following steps to determine the inherent risk rating and the residual risk rating.
3(a) Inherent risk rating (Columns 7, 8 and 9 of Attachment B)
I. Rate the consequence of the risk should it occur, and the likelihood of the risk occurring, using the descriptors provided in Tables 1 and 2 below (Columns 7 and 8). To determine the inherent risk rating, it is important that the consequence and likelihood of each risk are rated without considering the existing controls and mitigation strategies. This produces a score that indicates the worst-case exposure in the event that there are no controls in place or the controls fail to take effect during a risk event.
II. Now consider the matrix for assessing risks (see Table 3). Using this matrix, identify the risk rating as Very High, High, Moderate or Low (Column 9).

3(b) Residual risk rating (Columns 10, 11, 12 and 13 of Attachment B)
I. Consider what is currently being done to mitigate/manage the risk, i.e. what controls are in place? Are there already some mitigation strategies in place to manage the risk? Briefly list the controls and mitigation strategies (Column 10).
II. Rate the consequence of the risk should it occur, and the likelihood of the risk occurring, using the descriptors provided in Tables 1 and 2 below (Columns 11 and 12). It is important that the consequence and likelihood of each risk are rated in the context of the existing controls and mitigation strategies.
III. Now consider the matrix for assessing risks (see Table 3). Using this matrix, identify the risk rating as Very High, High, Moderate or Low (Column 13).

Table 1: Consequence of risk occurring (the detailed Consequence Table is at Attachment E)
5 (V) Severe
4 (IV) Major
3 (III) Moderate
2 (II) Minor
1 (I) Negligible

Table 2: Likelihood of risk occurring
5 (A) Almost certain: the event is expected to occur in most circumstances (e.g. monthly to several times a year).
4 (B) Likely: the event will probably occur in most circumstances (e.g. at least once per year).
3 (C) Possible: the event might occur at some time (e.g. within the next two years).
2 (D) Unlikely: the event could occur at some time (e.g. every two to five years).
1 (E) Rare: the event may occur only in exceptional circumstances (e.g. every five to ten years).

Table 3: Matrix for Rating Risks
[Matrix of consequence (Table 1) against likelihood (Table 2), giving a rating of Very High, High, Moderate or Low]

Legend and actions required:
Very High: immediate action required.
High: Senior Management attention needed.
Moderate: management responsibility must be specified.
Low: manage by routine procedures.

Stage 4: Evaluate and treat risks (i.e. decide on further actions) (Columns 14 and 15 of Attachment B)
Based on the analysis of the risks, it is necessary to decide whether any further actions are necessary and appropriate to further mitigate the risk. This will require consideration of the following:
I. Can additional controls and/or mitigation strategies be identified that can help with better managing the risk? If that is the case, provide a brief description in Column 14.
Note: A key priority for identifying additional controls and mitigation strategies should be risks rated High or Very High. For other, lower-ranked risks the option may simply be ongoing monitoring and reporting on the status of the risk. The selected option should be the most appropriate and practicable, with the objective of reducing the level of risk to a tolerable level. Options may include the following:
o Likelihood reduction: aimed at eliminating sources of risk or substantially reducing the likelihood of their occurrence.
o Risk avoidance: a particular case of likelihood reduction, where undesired events are avoided by undertaking a different course of action.
o Impact mitigation: aimed at minimising the consequences of the risk.
o Risk transfer: aims at shifting responsibility for the risk to another party (also called risk sharing, because risks can rarely be transferred or shed entirely).

II. On the other hand, there may be sufficient controls and mitigation strategies already in place, or it may be impractical and/or inappropriate to consider further controls to mitigate the risk. If this is the case, enter "No further action" in Column 14. This option is referred to as risk retention, i.e. risks cannot be further reduced or avoided, or the costs of doing so would be too high. Risks can also be regarded as opportunities if they are retained and dealt with appropriately.
III. Finally, consider whether it would be beneficial to include this area of risk on the Institute's internal audit program. For example, an audit of the area may provide confidence that the controls and mitigation strategies in place are working adequately; an audit may also help by suggesting additional controls and mitigation actions that may not have been considered. Record whether an audit is recommended (Y/N) in Column 15.
IV. As appropriate, a Risk Action Plan may be developed for specific risks (Attachment D).

Stage 5: Monitor and Review
Reporting is to be carried out throughout the Institute's reporting process so that the Chief Executive Officer and Chief Operating Officer can monitor progress in achieving risk treatment objectives and the management of identified risks. The Institute Executive Team will report to the Board on risk at each Board meeting. This allows the Institute to demonstrate the effectiveness of the risk management process on an ongoing basis. It also allows for a thorough review of its risk register and, in particular, assists in identifying and monitoring any risks of a Board nature. The identified risks and the effectiveness of mitigation strategies will be reviewed to reflect changing circumstances and priorities.

Stage 6: Communicate and Consult
The premise underlying this Plan is that the Institute will consistently consult and communicate with stakeholders and all relevant parties involved. This is to be undertaken at all times in a fair, timely and transparent manner.

8. COMPLIANCE AND CONTINUOUS IMPROVEMENT

The steps outlined below are based on the Australian/New Zealand Standard - Risk Management AS/NZS ISO 31000:2009 (see Figure 2). The Institute will ensure that its processes follow the requirements of ISO 31000:2009 as follows:
o Mandate and commitment is evidenced by this Plan.
o The framework and implementation processes are as described in this Plan.
o Monitoring and reviewing of this Plan will be undertaken annually.
o Annual reviews will evidence continual improvement.

Figure 2: AS/NZS ISO 31000 framework (5.2 Mandate & Commitment; 5.3 Designing the Framework; 5.4 Implementing Risk Management; Risk Management Process (Clause 6); 5.5 Monitoring & Reviewing the Framework; 5.6 Continual Improvement of the Framework)

Related attachments
Attachment A: The Institute Risk Wheel
Attachment B: The Institute Risk Register Template
Attachment C: The Institute Major Projects Risk Wheel
Attachment D: The Institute Risk Action Plan Template
Attachment E: The Institute Detailed Consequence Table
Attachment F: The Institute Risk Appetite Statement

Legislation
N/A

Related policies
The Institute Risk Management Policy

Other related documents
The Institute Business Plan
AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines

Revision history
Version | Date issued | Notes | By
1 | 31/05/2012 | Initial Draft | Chief Operations Officer

Review date: April 2013
Contact: Chief Operations Officer
ATTACHMENT A: The Institute Risk Wheel

[Wheel diagram centred on THE LOWITJA INSTITUTE, with the following risk categories as its spokes:]
o Business Development & Competition
o Infrastructure & Information Technology
o Governance & Stakeholders
o Compliance & Legal
o Operations
o Human Resources
o Finance
o Research
ATTACHMENT B: The Institute Risk Register Template

ERM LEVEL: ________    DATE: ________

Columns of the register (columns 7 to 9 record the INHERENT RISK rating; columns 10 to 13 record the RESIDUAL RISK rating):
1. The Institute Risk Category
2. The Institute Risk No
3. Nature of Risk to The Institute (Risk Name & Description)
4. Risk Owner
5. Risk Factors/Causes of Risk
6. Effects for The Institute if Risk Eventuates
7. Consequence (inherent)
8. Likelihood (inherent)
9. Risk Rating (VH, H, M, L) (inherent)
10. Mitigation Strategies to Control Risks (Current Controls/Existing Mitigation Strategies)
11. Consequence (residual)
12. Likelihood (residual)
13. Risk Rating (VH, H, M, L) (residual)
14. Future Risk Treatment (Proposed Controls/Mitigation Strategies)
15. Audit Recommended (Y/N)
ATTACHMENT C: The Institute Major Projects Risk Wheel

[Wheel diagram centred on Lowitja Institute Major Projects.]
Risk categories: Financial; Reputational; Environmental; Safety; Programme; Operational; Technical; Stakeholders.
Example risk areas shown on the wheel: Budget allocation; ATI image; Harm to environment; Harm to people or property; Deliverables; Dates; VET operations; Subcontractors; Interface; Technical and performance requirements.
ATTACHMENT D: The Institute Risk Action Plan Template

Risk and Risk Owner:
Strategy:
Actions:
Expected Outcomes:
Performance Measures:
Milestones/Deliverables:
Budget & Resourcing:
Responsibilities:
Review Processes:
Consultation:
Review Date:
Comments:
ATTACHMENT E: The Institute Detailed Consequence Table

Columns: Severity Level; Likely Consequence in each of the following areas: Retained Funds Reduction; Health & Safety; Natural Environment; Social/Cultural Heritage; Community/Government Reputation/Media; Legal.

5 (Severe) and 4 (Major)
o Retained Funds Reduction: TBC (both levels).
o Health & Safety: 5: Multiple fatalities, or significant irreversible effects to >50 persons. 4: Single fatality and/or severe irreversible disability (>30%) to one or more persons.
o Natural Environment: Very serious long-term environmental impairment of ecosystem functions.
o Social/Cultural Heritage: On-going serious social issues. Significant damage to structures/items of cultural significance.
o Community/Government Reputation/Media: Serious public or media outcry (international coverage).
o Legal: 5: Significant prosecution and fines. Very serious litigation including class actions. 4: Major breach of regulation. Major litigation.

3 (Moderate)
o Retained Funds Reduction: TBC.
o Health & Safety: Moderate irreversible disability or impairment (<30%) to one or more persons.
o Natural Environment: Serious medium-term environmental effects.
o Community/Government Reputation/Media: Significant adverse national media/public/NGO attention.
o Legal: Serious breach of regulation with investigation or report to authority, with prosecution and/or moderate fine possible.

2 (Minor) and 1 (Negligible)
o Retained Funds Reduction: TBC (both levels).
o Health & Safety: 2: Objective but reversible disability requiring hospitalisation. 1: No medical treatment required.
o Natural Environment: 2: Moderate, short-term effects but not affecting ecosystem functions. 1: Minor effects on biological or physical environment.
o Social/Cultural Heritage: On-going social issues. Permanent damage to items of cultural significance. Minor medium-term social impacts on local population. Mostly repairable.
o Community/Government Reputation/Media: 2: Attention from media and/or heightened concern by local community. Criticism by NGOs. 1: Minor, adverse local public or media attention or complaints.
o Legal: Minor legal issues, non-compliances and breaches of regulation.
ATTACHMENT F: The Institute Risk Appetite Statement

Introduction
This document sets out the Institute's risk appetite. Risk appetite, at the Institute organisational level, is the amount of risk exposure, or potential adverse impact from an event, that the organisation is willing to accept/retain in pursuit of its objectives. Once the risk appetite threshold has been breached, risk management treatments and business controls are to be implemented to bring the exposure level back within the accepted range.

The establishment of the Institute's statement on risk appetite is intended to guide employees, volunteers and contractors in their actions and ability to accept and manage risks. Through the risk management framework and its risk appetite statement, the Institute formally establishes and communicates its risk appetite.

Risk appetite can be expressed in terms of a continuum:

5 High Risk Appetite: The Institute accepts opportunities that have an inherent high risk that may result in reputation damage, financial loss or exposure, major breakdown in information systems or information integrity, significant incident(s) of regulatory non-compliance, or potential risk of injury to staff, volunteers and contractors.
4 Moderate Risk Appetite: The Institute is willing to accept risks that may result in reputation damage, financial loss or exposure, major breakdown in information systems or information integrity, significant incident(s) of regulatory non-compliance, or potential risk of injury to staff, volunteers and contractors.
3 Modest Risk Appetite: The Institute is willing to accept some risks in certain circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information systems or information integrity, significant incident(s) of regulatory non-compliance, or potential risk of injury to staff, volunteers and contractors.
2 Low Risk Appetite: The Institute is not willing to accept risks in most circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information systems or information integrity, significant incident(s) of regulatory non-compliance, or potential risk of injury to staff, volunteers and contractors.
1 Zero Risk Appetite: The Institute is not willing to accept risks under any circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information systems or information integrity, significant incident(s) of regulatory non-compliance, or potential risk of injury to staff, volunteers and contractors.

In general, the Institute Board, staff, volunteers and contractors and its stakeholders.
Risk Appetite Statement
The statements below indicate the Institute's risk appetite in each area.

Staff, Volunteers and Contractors (Risk Appetite 2): We will continue to engage and retain staff, volunteers and contractors that meet the high standards of the Institute.

General Reputation (Risk Appetite 2): The Institute will continue to foster an environment of exemplary behaviour. It accepts that this impacts how the institution is viewed externally.

Financial Resources (Risk Appetite 2): Securing adequate financial resources supports the Institute. The Institute will maintain its high financial stewardship standards and will continue to ensure that financial commitments do not exceed available resources.

Information Management (Risk Appetite 2): The Institute will maintain the security, integrity and availability of information systems. The Institute will maintain controls to prevent unauthorised system access with the ability to alter or create data. The Institute will strive to provide adequate hardware and bandwidth.

OHSE (Risk Appetite 1): The Institute will take corrective action to address known occupational health, safety, environment and volunteer/employee/contractor well-being exposures. Zero harm is the Institute's objective.

Regulatory Environment (Risk Appetite 1): The Institute will respond in accordance with established policy, procedure and agreements to any regulatory breach.

Stakeholder Relationships (Risk Appetite 2): The Institute will continue to maintain good relationships with critical stakeholders.

Operations (Risk Appetite 1): The Institute will not tolerate operational breaches and will pursue any persons responsible for fraud to the full extent of the law.

Contagion (Risk Appetite 2): The Institute will ensure that the risk of contagion from other Indigenous organisations is minimised. Multiple contagion paths can materialise, financial or other.

Business Development (Risk Appetite 3): The Institute will accept a moderate level of risk to grow the business.

Retained Funds (Risk Appetite 1): The Institute will ensure retained funds are fully protected.