A Guide to Risk Management
July 2011
Financial Management Framework >> Overview Diagram

The State of Queensland (Queensland Treasury) July 2011

Except where otherwise noted you are free to copy, communicate and adapt this work, as long as you attribute the authors. This document is licensed under a Creative Commons Attribution 3.0 Australia licence. To view a copy of this licence, visit http://creativecommons.org/licenses/by/3.0/au

To attribute this work, cite: A Guide to Risk Management, The State of Queensland (Queensland Treasury) July 2011.

The diagram on Page 10 has been reproduced with permission from SAI Global and is not covered by the CC BY licence. Contact the copyright owner, SAI Global, directly to request permission to use this material. The Standard can be purchased via http://www.saiglobal.com

Acknowledgements

This publication has been developed by the Financial Management Branch of Queensland Treasury, with assistance provided by the Department of the Premier and Cabinet. We also wish to acknowledge the use of material produced by other jurisdictions in the development of this practical guide.

This document and related information can be found at www.treasury.qld.gov.au.
MESSAGE FROM THE UNDER TREASURER

The Financial Accountability Act 2009 requires all accountable officers and statutory bodies to establish and maintain appropriate systems of internal control and risk management.

In December 2007, the Department of the Premier and Cabinet and Queensland Treasury released the document Strategic Risk Management: Guidelines. The guidelines reflected and responded to the findings set out by the Auditor-General of Queensland Report to Parliament No. 6 for 2007: Beyond Agency Risk and the Auditor-General's subsequent Better Practice Guide: Risk Management.

In reviewing the previous guidelines, Queensland Treasury and the Department of the Premier and Cabinet have collaborated to develop a new guide titled A Guide to Risk Management (the Guide), thus replacing the Strategic Risk Management: Guidelines. This Guide reflects the changes to the financial management legislation in Queensland, as well as the release of a new Australia/New Zealand risk management standard.

The key differences from the previous guidelines are:
- the scope of this Guide has been broadened to consider all risks
- emphasis is placed on how agencies can practically integrate the risk management framework into existing governance processes, and
- assistance is provided with risk identification at the agency, cross-agency and whole-of-government levels.

Effective risk management can deliver a range of benefits to agencies, including improved results through more informed decision making and improved accountability by demonstrating that levels of risk associated with the agency are understood and that risk treatment strategies are appropriate and cost-effective.

I commend A Guide to Risk Management to all Queensland public sector management and staff.

(G. Bradley)
Under Treasurer
Date: July 2011
Table of Contents

Introduction...5
Purpose of the Guide...5
Scope and application...5
Australian/New Zealand standard...5
Terminology...6
Risk and risk management...7
Risk...7
Risk management...7
Risk management within the Queensland public sector...9
Relationship between risk management principles, framework and process...10
Principles of risk management...11
Risk management framework...12
Responsibilities of agency officers...12
Integration of risk management...13
Mechanisms to review the risk management framework...15
Risk management process...17
Establishing the context...18
Risk identification...22
Risk analysis...24
Risk evaluation...26
Risk treatment...27
Monitoring and review...29
Communication and consultation...30
Application Guides...32
Application Guide 1 - Glossary of terms...33
Application Guide 2 - Risk management framework...35
Application Guide 3 - Example of integrated risk management within an agency...37
Application Guide 4 - Establishing the context...38
Application Guide 5 - Risk identification...40
Application Guide 6 - Potential sources of risk...42
Application Guide 7 - Risk analysis...44
Application Guide 8 - Risk evaluation...45
Application Guide 9 - Risk treatment...46
Application Guide 10 - Monitoring and review...48
Application Guide 11 - Communication and consultation...50
Application Guide 12 - Potential stakeholders...52
Useful resources...54

July 2011 Page 4 of 55
Introduction

The Financial Accountability Act 2009 (the Act) outlines a number of accountable officer and statutory body functions, one of which is the establishment and maintenance of an appropriate system of risk management (section 61). The Financial and Performance Management Standard 2009 (the Standard), section 28, prescribes that the agency's risk management system must provide for:
- mitigating the risk to the department or statutory body and the State from unacceptable costs or losses associated with the operations of the department or statutory body, and
- managing the risks that may affect the ability of the department or statutory body to continue to provide government services.

Purpose of the Guide

There is a significant amount of conceptual risk management guidance material available for both the public and private sectors. The purpose of the Guide is to provide an overview of the key concepts of risk management, and guidance on how the risk management process can be practically applied by any Queensland public sector agency.

Scope and application

The Guide is intended to be an information reference and contains the minimum principles and procedures of a basic risk management process to assist departments and statutory bodies in adopting a consistent approach to risk management. The Guide is not mandatory; however, application of the Guide will encourage better practice and support accountable officers and statutory bodies in the implementation of effective risk management practices at all levels within their agency.

Agencies are encouraged to tailor the content of the Guide to suit their individual circumstances and to progressively develop more sophisticated processes as their risk management maturity level increases.

As risk management and its associated processes are interrelated and dynamic, the separation of the components of a risk management process in this Guide is intended to be illustrative only.
Agencies may combine or undertake activities in a different order to that presented in this Guide. They may also find that certain activities overlap the individual components of the risk management process.

Australian/New Zealand standard

While not mandated by legislation, it is expected that, where appropriate, agencies will apply the Australian/New Zealand Standard ISO 31000:2009 Risk management - Principles and guidelines (AS/NZS ISO 31000). This Guide is not intended to replace AS/NZS ISO 31000 but should be read in conjunction with it. It is expected that application of AS/NZS ISO 31000 and this Guide will lead to agencies improving their risk management capability, resulting in risk being more effectively and efficiently managed across the Queensland public sector. Agencies are encouraged to obtain a copy of AS/NZS ISO 31000 from Standards Australia.

While this Guide is predominantly based on AS/NZS ISO 31000, agencies should be aware of additional Standards that relate to risk such as, for example, HB 266:2010 Guide for managing risk in not-for-profit organisations, HB 231:2004 Information security risk management guidelines, and HB 296:2007 Legal risk management.
Terminology

There are many risk related terms used in this document. Definitions for key terms are located in Application Guide 1 - Glossary of Terms. While there is an abundance of risk terminology used today, the terminology in this Guide is consistent with AS/NZS ISO 31000.

Where the Guide refers to agencies, this includes both departments and statutory bodies. However, the specific use of the term departments indicates that the section does not apply to statutory bodies.

Practical Guidance Material

Application Guide 1 provides definitions of key terms used throughout the document.
Risk and risk management

Risk

While there are many varied definitions of risk widely available, often incorporating industry specific terminology, it is generally accepted that if we know for certain something is going to happen it has no risk attached to it. Should there be an element of uncertainty surrounding it, then risk exists.

For the purposes of this Guide, risk encompasses both possible threats and opportunities and the potential impact these may have on the ability of the agency to meet its objectives. That is, risk relates to both challenges to, and opportunities for, the agency.

The Standard separates risk into two types: strategic risk and operational risk.

Strategic risks relate directly to an agency's strategic planning and management processes. Strategic risks are those which could significantly impact on the achievement of the agency's vision and strategic objectives as documented in the strategic plan. They are high level risks which require identification, treatment, monitoring and management by the agency's senior executives or board. These risks may need to be managed by more than one agency for the risk treatments to be effective.

Operational risks are those which could have a significant impact on the achievement of:
- the agency's strategic objectives (as documented in the strategic plan) from the perspective of the actions undertaken by a particular division, branch or work unit, or
- the individual programs or project management objectives.

Operational risks generally require management by the relevant senior officer responsible for the division, branch or work unit, or by the relevant program or project board. In extreme instances, these risks may require escalation to executive management.

Risk management

Risk management embodies an organisational culture of prudent risk-taking within an agency. It is the process of identifying, assessing and responding to risks, and communicating the outcomes of these processes to the appropriate parties in a timely manner.
An effective risk management system:
- improves planning processes by enabling the key focus to remain on core business and helping to ensure continuity of service delivery
- reduces the likelihood of potentially costly surprises and assists with preparing for challenging and undesirable events and outcomes
- contributes to improved resource allocation by targeting resources to the highest level risks
- improves efficiency and general performance
- contributes to the development of a positive organisational culture, in which people and agencies understand their purpose, roles and direction
- improves accountability, responsibility, transparency and governance in relation to both decision-making and outcomes. This is particularly important for public sector agencies, which exist to deliver beneficial outcomes for the Queensland Government, industry and the community, and
- adds value as a key component of decision-making, planning, policy, performance and resource allocation, when subject to continual improvement.
Factors that inhibit effective risk management can include:
- a lack of time and resources allocated to risk management
- a lack of support for a risk management culture from executive management
- difficulty in identifying and assessing emerging risks, especially cross-agency risks
- a lack of independent assurance over the effectiveness of the risk management framework
- a lack of clarity over risk ownership and the responsibility for risk management
- over- or under-treatment of risks, and
- unnecessarily complex risk documentation.

When risk management has commitment from executive management by encouraging a strong organisational culture and awareness of risk, an agency should be able to overcome the factors which inhibit effective risk management.
Risk management within the Queensland public sector

Section 61 of the Act requires agencies to establish and maintain appropriate risk management systems. There are many benefits of establishing robust risk management systems to enable threats and opportunities that face an agency to be appropriately managed.

Risk is an ever present element of public policy and government service delivery. Effective risk management enables agencies to have increased confidence that they can deliver the required services, manage risks and threats to an acceptable degree, and make informed decisions about opportunities and challenges they face.

In the context of this Guide, risk management applies to the process of identifying, treating and managing risks across the entire Queensland public sector. Risks that need to be identified and managed include:
- agency strategic and operational risks which are managed by individual agencies, but which may become risks for the State, due to their size or significance
- cross-agency risks, where a risk relates to more than one agency (for example, collaborative projects) and requires treatment by multiple agencies to be effective, and
- whole-of-government risks which are beyond the boundaries of any one agency due to their magnitude and/or impact on service delivery, which call for a response across agencies, and which would require a co-ordinated approach by a central agency or by a lead agency. [1]

As whole-of-government approaches to project management are becoming more common, there is an increased awareness of the need to manage risks at this level. All agencies need to be aware of and understand potential significant risks at the whole-of-government level. Identifying, treating and monitoring these risks are a shared responsibility.

[1] Based on Auditor-General of Victoria (June 2007) Managing Risk Across the Public Sector: Toward Good Practice.
Relationship between risk management principles, framework and process

The diagram below is reproduced from AS/NZS ISO 31000 (with the permission of SAI Global Ltd) and depicts the relationship between the underpinning principles of risk management, the risk management framework, and the risk management process. The remainder of the Guide will provide further information and practical tips for agencies to introduce a robust framework and risk management process.

[Diagram: Principles, Framework and Process of risk management]

Principles:
a) Creates value
b) Integral part of organisational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organisation

Framework:
- Mandate and commitment
- Design of framework for managing risk
- Implementing risk management
- Monitoring and review of the framework
- Continual improvement of the framework

Process:
- Communication and consultation
- Establishing the context
- Risk assessment (risk identification, risk analysis, risk evaluation)
- Risk treatment
- Monitoring and review

Source: AS/NZS ISO 31000 (reproduced with permission from SAI Global)
Principles of risk management

Many factors will contribute to the success of risk management throughout an agency. AS/NZS ISO 31000 provides principles that should be adopted by any organisation to successfully manage their risks.

While the principles in AS/NZS ISO 31000 are relevant to Queensland government agencies, the following principles are considered specific to Queensland government agencies:
- risk management has a firm commitment from the accountable officer or statutory body board
- the risk management framework is integrated with other agency governance processes, such as strategic planning, operational planning and executive management functions
- effective risk management is based on a strong organisational culture and awareness of risk at all levels of the agency, which involves encouraging a risk-informed workforce and culture
- risk management is supported by a program of education, training and development for staff that is devoted to risk management at key levels in the agency (for example supervisor, manager, director and executive)
- the risk management process designates clear ownership of risk accountabilities, responsibilities, duties and actions
- the risk management process is proactive with cross-agency communication of risks, and
- the risk management process draws on both current experiences and lessons learned.
Risk management framework

Risk management is not an isolated function that exists within the agency. Rather, it is an integral part of strategic planning, strategic management and the everyday activities of the agency. AS/NZS ISO 31000 provides further guidance on developing a sound risk management framework.

Three specific areas: the responsibilities of relevant officers within an agency; the integration of risk management into all areas of the agency; and the mechanisms in place to review the framework, are discussed in further detail below.

Responsibilities of agency officers

It is fundamentally the role of accountable officers and statutory bodies and their management teams to ensure that each agency has a robust internal organisational culture and process that is capable of identifying and managing its risks. As required by section 78 of the Act, the Head of Internal Audit as defined in the Act is charged with providing assistance with risk management. However, the responsibility and accountability for implementation of a risk management framework remains with the accountable officer or statutory body.

Objectives and strategies for risk management should be designed to complement the agency's existing vision and strategic objectives. In establishing an overall risk management direction, a clear vision for risk management should be articulated and supported by policies and operating principles.

An up-to-date, plain English risk management framework will guide staff by:
- describing the risk management philosophy (why?) and process (how?)
- providing methods for identifying, treating, monitoring, and reviewing risk
- establishing roles and responsibilities for effective management of risk (for example, establishing a risk co-ordinator role to lead and manage the risk management program across the agency and assigning a risk owner to each risk)
- detailing an appropriate process for reporting on strategic and operational risks, and
- providing for ongoing continuous improvement through the evaluation of the objectives and results of the risk management process.

The greater the awareness and understanding of the risk management framework by all staff, the more likely it is that staff will own and apply the risk management principles promoted by the agency and incorporate them in their day to day activities. It is essential that accountable officers and senior and executive management model all aspects of risk management and principles to promote a robust risk management culture within their agency.

There is no 'one size fits all' risk management framework that can be applied across the varied types and sizes of Government agencies. Executive management needs to consider the type of framework that will best integrate with its particular operational context and internal and external environment.

Agencies should refer to existing policies and procedures such as the following to assist with developing a framework:
- business operations
- reporting mechanisms
- organisational culture
- workforce skills and capabilities
- planning and performance management processes
- budget and resourcing
- supporting infrastructure
- standards, legislative and regulatory requirements
- organisational and governance structure, and
- delegations of authority, responsibility and accountability.

Integration of risk management

Risk management should be embedded or integrated into the agency's philosophy and organisational culture (that is, 'the way we do things around here'); existing governance policies; and planning, reporting and decision-making structures at both the strategic and operational levels. Agencies that integrate risk management have a greater likelihood of achieving their strategic objectives and delivering their services efficiently and effectively.

Successful alignment of risk management and governance requires four key factors:
1. an agency focus - where there is an identifiable source of risk management expertise in the agency and senior managers come together on a regular basis to discuss risk management issues
2. an agency direction - where a clear direction and strategy is established for risk management, including articulating the agency's risk appetite and giving a clear mandate for what constitutes effective risk management
3. decision-making structures - where risk management is not a separate process, but a key consideration at all parts of the decision-making chain: being factored into strategic and operational planning; included as a common component in all project proposals and business cases; and incorporated into advice to Ministers; and
4. agency capacity and capability - where the agency's executive management invests time and resources to build momentum, capacity and capability, including: ensuring that there is a shared language of risk management; a common understanding of the principles; training and development to build expertise; and established tools and processes for risk management.

Integrated risk management requires an ongoing assessment of potential risks and opportunities for an agency at every level.
The results should inform agency level risks, facilitate priority setting and improve an agency's decision making. Clear links should be established between risk management, Government policies and priorities, agency objectives (vertical integration), and agency policy and operations (horizontal integration).

Vertical Integration

Vertical integration involves:
- integrating risk management with objectives at all levels of the agency by providing a framework that links an agency's strategic plan through to its individual operational plans
- integrating risk management with evaluation and reporting mechanisms, to ensure that risks and risk treatment strategies are monitored, analysed, reviewed and updated
- embedding risk management components into existing strategic and operational planning processes
- communicating executive management or board decisions on acceptable levels of risk
- establishing escalation processes to be followed where a risk is reviewed and falls outside the range of the accepted levels of risk appetite and tolerance, and
- improving control, governance and accountability systems and processes to take into account risk management and results from the assessment of potential risks.
Horizontal Integration

Horizontal integration involves integrating risk management into an agency's systems, processes and practices and, in particular, the planning and decision-making processes at each level of the agency. When risk management is integrated into strategic and operational planning and regular reporting cycles, the additional risk management information available should enable more informed planning and decision-making at the agency, cross-agency and whole-of-government levels.

Information should be shared throughout an agency to ensure there is a co-ordinated approach to identifying and treating risks. In considering risk, business areas should take into account the potential impact of risk treatment on other business areas, and should be encouraged to share best practice/lessons learned with the rest of the agency and across agencies.

Organisational Culture

Effectively embedding risk management into the organisational culture is key to achieving integrated risk management. A challenge for all agencies is to deliver an appropriate level of investment in strategic risk management, both in time and resources, and clearly communicate the importance of risk management as a core component of the agency's business. This can be accomplished in a number of ways, such as by:
- executive and senior managers championing and modelling risk management
- promoting the view that all staff in the agency are managers of risk
- encouraging managers and staff to develop knowledge and skills in risk management, and
- training and supporting staff in incorporating risk management into their everyday roles and responsibilities.

Risk Management Champion

Agencies may consider appointing a risk management champion to assist with integrating risk management into the organisational culture.
The risk management champion would generally report to the executive management of an agency; be a senior executive officer with knowledge of risk management; have the vision, drive and determination to lead by example; and have the authority, responsibility and support to make things happen. In the early stages of implementing integrated risk management, the risk management champion will need to be able to demonstrate to executive management how it will help them with meeting agency objectives in the short term and better position the agency for the future.

The risk management champion would be responsible for driving risk management awareness, integration, policies and strategies. The risk management champion would promote, across the agency, an organisational culture that supports:
- increased awareness of risk management techniques, practices and processes (for example, identifying and implementing training and development opportunities for all agency staff)
- uniform understanding of the agency's key strategic and operational risks and opportunities (including cross-agency and whole-of-government risks)
- management of risk for business functions that have been outsourced from the agency (for example, payroll function), as the agency maintains ownership of such risks
- staff in identifying and reporting risks to management in a safe, no-blame environment
- awareness of how risk management can be applied to individual roles and how it can guide advice to Ministers, and
- a broad understanding of the relationship between the agency's risks, cross-agency risks and whole-of-government risks.

Successful risk management requires involvement by all agency staff. A supportive organisational culture, where expertise, learning and innovation are rewarded, and where a 'no surprises' rather than 'no risks' philosophy is encouraged, should assist agencies in developing their risk management process. Agencies with a supportive work environment tend to:
- promote learning by encouraging staff to learn and to value knowledge, expertise, new ideas and innovation
- learn from experience by valuing experimentation, sharing lessons from past successes and failures and bringing this learning to planning and risk management, and
- demonstrate management and leadership by selecting leaders who are good coaches and teachers, demonstrating commitment to staff by providing tools, opportunities and resources and investing in the risk management process, including reviewing the process periodically. [2]

Providing the right risk management resources, training and awareness programs for staff is critical to building an effective organisational culture.

Mechanisms to review the risk management framework

Risk management is not just about the review of risks themselves. Agencies need to review their risk management capability and governance systems to ensure they are delivering effective and robust risk management that is fit for the agency's purpose.

Internal auditors may assist in providing assurance that an agency's risk management framework is operating effectively and may also assist with the development, maintenance and review of the framework, provided care is taken to maintain independence and objectivity. This may involve internal audit being part of a risk project team in an advisory capacity.

Risks, risk profile, risk management capability and systems, and the risk environment are all constantly changing and evolving.
A regular review of a risk management framework will:
- provide assurances to the executive management that the agency's risk profile has been properly identified, documented and assessed
- ensure the agency's procedures and governance systems are working effectively, and
- ensure that risks are being effectively monitored and treated to an agreed level.

At a minimum, an annual review of the entire risk management process should be undertaken by the accountable officer or statutory body. It is important to consider lessons learned, both positive and negative, and to use these to enhance current practices and processes. It is also important to assess whether all elements of the risk management framework have been implemented effectively.

Responsibility for reviewing the risk management framework may be allocated to a committee to provide support and advice to the accountable officer or statutory body. It may be a separate risk management committee, or combined with the agency's audit committee. While the committee has no responsibility for managing the risks themselves, they may be responsible for regularly reviewing and evaluating the risk management framework and related governance systems to provide assurance on their efficiency and relevance. It is good practice for the committee to carry out such reviews at least annually, to ensure the procedures remain fit for purpose and are up-to-date.

The committee should take care not to confuse reviewing risk management procedures with risk management itself. Reviewing the process is not a substitute for the active management and treatment of an agency's risks.

[2] Treasury Board of Canada Secretariat, Integrated Risk Management Framework
For further information about risk management and audit committees, refer to the Audit Committee Guidelines - Improving Accountability and Performance, December 2009.

Practical Guidance Material

Application Guide 2 provides points to be considered when developing a robust risk management framework to assist with integrating and embedding a risk management organisational culture into the agency's existing governance, reporting and decision-making processes. Agencies are encouraged to develop a risk management framework appropriate to their circumstances.

Application Guide 3 provides an illustration of how risk management interacts with the broader responsibilities and functions of an agency.
Risk management process

As shown in AS/NZS ISO 31000, the risk management process consists of seven steps. Each step of the risk management process will be considered in detail in this Guide, with practical examples provided on how to implement the process within agencies.

The seven steps of the risk management process are:
- establishing the context
- risk identification
- risk analysis
- risk evaluation
- risk treatment
- communication and consultation, and
- monitoring and review.

While the steps are shown separately within this process, agencies are reminded that the risk management process is continually occurring. These processes can be undertaken in any sequence as agencies may find that some processes overlap or fall in a different order. Agencies are encouraged to develop a complete risk management process that suits their circumstances. For example, the sections on risk identification, risk analysis and risk evaluation can be encompassed in the one process known as risk assessment. The risk management process developed by an agency may require refinement after a review of the process has been undertaken.
Establishing the context

The purpose of establishing the context is to determine the boundaries within which the risk management framework will operate. It should note the boundaries of the framework and the capacity of the agency to successfully address the risks that may be identified in the assessment phase of the risk management process.

In establishing the context, an agency should consider:
- the external and internal environment
- the risk profile
- risk appetite and risk tolerance levels
- a risk matrix and responsibilities, and
- the business continuity plan.

The context of the agency should be reviewed on a regular basis to ensure any effects on an agency from these areas are identified on a timely basis.

External and internal environment

Establishing the external and internal environment of the agency is the first step in the risk management process. It involves consideration of both challenges and opportunities in the context of the agency's vision and objectives, operating environment and key stakeholders.

The environment is important as it sets the parameters within which risks are identified, assessed and managed. As such, it must be sufficiently broadly defined to include a wide range of trends, influences and time horizons. Agencies will need to collect information at both the strategic and operational levels, and include both the external and internal risks facing the agency.

The primary influences on the external environment relate to the social, cultural, political, legal, regulatory, financial, technological and economic environments within which the agency operates. These external influences could occur at international, national, state, regional or local levels.
Influences n the internal envirnment may include: the agency s bjectives and planned results plans established t ensure the agency achieves its bjectives and delivers its services individual prjects being undertaken by the agency the agency s gvernance and accuntability structures plicies established by the agency resurces available within the agency (fr example, infrmatin systems, staffing and funding), and existing risk management expertise and practices. The defined external and internal envirnments shuld be regularly and systematically examined t ensure that they remain apprpriate and desirable. Risk prfile There is a significant interrelatinship between develping a risk prfile and the strategic planning prcess. Risk management underlies all aspects f pririty setting, planning and resurce allcatin. In additin, the risk prfile, with tw-way linkages frm and int each f these areas, prvides a vehicle t integrate them at the whle-f-gvernment level. Thus, the risk prfile is infrmed by and shuld feed back int an agency s strategic planning dcuments and prcesses. In a mature practice f integrated risk management, a rbust July 2011 Page 18 f 55
Financial Management >> Overview Diagram A Guide t Risk Management Framewrk strategic and peratinal planning prcess shuld assimilate the risk prfile, eliminating the 3 need t present it separately. Risk appetite and risk tlerance While establishing the cntext, the agency shuld als cnsider its risk appetite, which is the amunt (r range) f risk which is cnsidered by the agency t be acceptable and justifiable. Acrss Gvernment, the risk appetite f individual agencies will differ depending upn the envirnment within which the agency perates. Risk appetite can be expressed as a series f bundaries apprpriately authrised by the agency s executive management. Different levels f staff within an agency shuld be given clear guidance by management n the limits f risk which they can accept. This invlves key discussins being held at varius levels within an agency and acrss agencies especially where there are interrelatinships r similarities. T identify the acceptable levels f risk it is expected that discussins wuld be held at executive level with central agencies t clearly cmmunicate, assess and prvide directin n what are acceptable levels f risk. Discussins wuld cncern plitical, ecnmic, scial, technlgical, legal, envirnmental and financial issues that impact n agencies and n the whle-f-gvernment. In develping the risk appetite fr an agency, cnsideratin may be given t: cmmitments r views previusly expressed by Parliament r Cabinet hw the agency s stakehlders (fr example, the public and Parliament) have reacted t past risk events and issues whether stakehlders have been cnsulted n risk tlerances and perfrmance targets (fr example, via special interest grups), and the agency s perfrmance expectatins, as expressed in its strategic plan and budget dcumentatin. The agency shuld cnsider its risk tlerance at this stage f the prcess. Risk tlerance can be defined as the acceptable variance frm the agency s risk appetite bundaries. 
Agencies shuld develp prcesses t determine acceptable limitatins and whether r nt they are negtiable. Within an agency, the risk appetite and risk tlerance will generally nt be static. Rather they will differ depending upn the particular challenge r pprtunity at the time. Individual prjects are an example f hw the risk appetite within an agency may differ. Agencies shuld als cnsider an apprpriate prcess where a risk falls marginally utside the desired risk tlerance, but a strng case exists as t why the risk shuld be accepted and managed. Determining an agency s risk appetite is nt a ne-ff event. Bth risk appetite and risk tlerances may change ver time as new infrmatin and utcmes becme available, and as stakehlder expectatins evlve. Risk matrix and respnsibilities A risk matrix shuld cmbine the likelihd f the risk ccurring, and the cnsequence shuld such a risk ccur, t result in the risk rating fr treating and/r mnitring the risk. Parameters shuld be set fr each likelihd and cnsequence in an agency s risk matrix. Fr example, the likelihd f a risk ccurring may be classified as unlikely n a simple matrix if it is expected t ccur less than 5% f the time, r nce in a year. Each pssibility within a matrix shuld be defined and the necessary actin and the relevant fficer respnsible fr the risk dcumented fr each pssibility. The matrix shuld be reviewed with the internal and external envirnments t determine the relevance t the risks 3 Based n Treasury Bard f Canada Secretariat, Integrated Risk Management Implementatin Guide July 2011 Page 19 f 55
Financial Management risk criteria. Framewrk >> Overview Diagram A Guide t Risk Management identified by an agency. An agency shuld ensure that all risks are analysed using the same Examples f risk matrices are prvided belw; hwever agencies are strngly encuraged t develp an apprpriate analysis system fr their individual circumstances. Simple risk matrix example CONSEQUENCE LIKELIHOOD Minr Mderate Significant Unlikely Lw Lw Medium Pssible Lw Medium High Likely Medium High High Where an agency cnsiders mre cmplex risk analysis is required (fr example, where a number f risks have been identified and mre detailed analysis is required t rank the risks fr implementatin f risk treatment (refer t Risk Analysis sectin)), then a mre detailed risk matrix shuld be used. Detailed risk matrix example CONSEQUENCE LIKELIHOOD Insignificant Minr Mderate Majr Critical Rare Unlikely Pssible Likely Almst Certain LOW Accept the risk Rutine management LOW Accept the risk Rutine management LOW Accept the risk Rutine management MEDIUM Specify respnsibility and treatment MEDIUM Specify respnsibility and treatment LOW Accept the risk Rutine management LOW Accept the risk Rutine management MEDIUM Specify respnsibility and treatment MEDIUM Specify respnsibility and treatment MEDIUM Specify respnsibility and treatment LOW Accept the risk Rutine management MEDIUM Specify respnsibility and treatment MEDIUM Specify respnsibility and treatment HIGH Quarterly senir management review HIGH Quarterly senir management review MEDIUM Specify respnsibility and treatment MEDIUM Specify respnsibility and treatment HIGH Quarterly senir management review HIGH Quarterly senir management review EXTREME Mnthly senir management review HIGH Quarterly senir management review HIGH Quarterly senir management review HIGH Quarterly senir management review EXTREME Mnthly senir management review EXTREME Mnthly senir management review Agencies may als cnsider develping a matrix fr each divisin, branch, wrk unit, prgram 
and/r prject. Alternatively, an agency may define the cnsequences int varius risk categries, such as financial risks, ccupatinal health and safety risks, plitical risks, and s n. The agency wuld then prvide a quantitative and/r qualitative descriptr fr each cnsequence. Fr example, a financial risk categry may define an extreme cnsequence as a financial lss greater than $1 millin, r the lss f a business peratin. It is imprtant that agencies determine the level f detail that will be apprpriate fr their circumstances and ensure they develp a risk management system that meets their needs and is within their capabilities. July 2011 Page 20 f 55
Business cntinuity plan Financial Management Framewrk >> Overview Diagram A Guide t Risk Management Agencies must recgnise that sme risk is unavidable and it is nt within the ability f the agency t cmpletely manage all risks t a level cmmensurate t an agency s risk appetite. Fr example, agencies have limited cntrl ver risks assciated with terrrist activity r natural disasters. In these instances, the nly actin that can be taken by the agency is the preparatin f cntingency plans fr business cntinuity. A business cntinuity plan shuld include apprpriate crisis management plans that can be activated as required and these plans shuld be tested peridically t ensure their effectiveness. Practical Guidance Material Applicatin Guide 4 prvides elements an agency may need t cnsider when determining their risk criteria and their external and internal envirnment. July 2011 Page 21 f 55
Risk identification

Once the environment within which the agency operates has been established (that is, the context), the next stage is the identification of individual risks.

The aim of this step is to generate a comprehensive list of threats and opportunities based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of the agency's strategic objectives. Comprehensive identification is crucial, because a risk that is not identified at this stage will not be included in further analysis. [4] Risk identification should include examination of the knock-on effects of particular consequences, including cascading and cumulative effects of actions.

Environmental scanning

A common method used by agencies to identify emerging risks is environmental scanning. An environmental scan is a powerful risk management and strategic planning tool that entails careful monitoring of an agency's internal and external environments to detect early signs of challenges and opportunities that may influence the agency's current and future plans. It involves obtaining both factual and subjective information on the potential challenges and opportunities to increase the agency's awareness of the key risks it faces.

Key considerations for agencies when undertaking environmental scanning include:
- the type of risk: political, legal, economic, environmental, socio-cultural, technological
- the source of risk: external (political, economic, natural disasters) or internal (reputation, security, knowledge management)
- the causes of the risk
- the impacts of the risk: type of exposure (people, reputation, program results, priorities, funding, assets), and
- the level of control: the degree to which the agency can influence, affect or manage the risk.

In undertaking the environmental scanning process, issues that an agency should consider include:
- the frequency of scanning: depending on the agency's context, environmental scanning may be undertaken continuously or periodically (for example, monthly or yearly)
- timeframe: for example, policy development officers may be interested in developments over the next twenty-five years, whilst scanning that supports operational decision making may be restricted to a six month timeframe
- scope: some agencies may be fairly inward-looking in their risk identification processes if they perceive that the major element of risk arises from within the agency; others may need to consider a much wider scope (including international, national or interstate) if they consider that they may face risks from a wider environment
- opportunity/challenge: some environmental scanning is concerned mainly with spotting potential challenges, but it can equally be used to scan for opportunities ("positive risks"), and many challenges may be converted into opportunities if identified early, and
- rigour/informality: environmental scanning varies in the extent to which it is structured and supported by technology; that is, some agencies may use sophisticated assessment schemes and information search technologies, while other agencies will rely almost entirely on informal networks of contacts and good judgement. [5]

Other resources or methods that can be adopted by agencies to identify risks include:
- agency documents, such as the strategic and operational plans, performance reports, budgets, and audit observations and recommendations
- Parliamentary processes and issues highlighted at Estimates Committee hearings
- media reports and commentary
- benchmarking the agency's performance against that of other agencies
- undertaking brainstorming activities
- preparing a strength-weakness-opportunity-threat (SWOT) analysis
- what-if scenarios to seek reaction from stakeholders, and
- the use of surveys and questionnaires.

Irrespective of the method used by the agency to identify the risks, it is vital that relevant and up-to-date information is used, and that people with appropriate knowledge are involved in the risk identification process.

Practical Guidance Material

Application Guide 5 provides consideration points that relate to an agency's risk identification process and highlights potential sources of risks. Application Guide 6 outlines potential sources of risk that may occur at an agency, cross-agency and/or whole-of-government level for agencies to consider.

[4] Standards Australia, AS/NZS ISO 31000:2009 Risk management: principles and guidelines
[5] HM Treasury, The Orange Book: Management of Risk, Principles and Concepts, October 2004
Risk analysis

Risk analysis involves analysing the impact of the potential challenge or opportunity, starting with an assessment of the consequences as well as the likelihood of a risk occurring.

A common approach for analysing risk is through the use of the risk matrix that the agency would have developed previously (refer to the Establishing the context section). Where an agency considers the risk analysis process to be relatively straightforward (for example, an agency with few external stakeholders may consider risk analysis simpler than for an agency with considerable public interest and scrutiny), then categorisation of the risk as high, medium or low may be considered sufficient. The agency should use critical judgement to determine the level of analysis that is required based on what is appropriate and reasonable.

The process for analysing risk will differ from agency to agency; however, an individual agency should ensure all risks within its agency are assessed using the same method. Where collaboration between agencies is required, an agency may need to adopt a flexible approach to risk analysis when assessing a cross-agency risk. However, provided practical, relevant and robust processes are in place at all levels, risk analysis should inform agency level risks and whole-of-government risks.

Once an agency's risks have been identified and analysed, management may use a simple table to summarise the assessment. For example:

Risk | Assessment
1.   | Low
2.   | Medium
3.   | High

Two step approach to assessing risk

Agencies may consider using a two-step approach to assessing risk. The first step involves assessing challenges or opportunities based on their inherent risk. This is the risk that exists prior to any internal controls being implemented to manage the risk. After inherent risk is assessed, agencies could focus on the residual risk, which is the risk which remains after action has been taken to manage the risk (and assuming the action is operating effectively).

Advantages of using this two-step analysis approach include:
- assisting management with identification of excessive or ineffective controls, and
- ensuring management is aware of the agency's exposure if the control fails.

If the two-step approach is implemented, both inherent and residual risk will need to be reassessed whenever controls are adjusted or environmental scanning indicates that circumstances may have changed.

The following is a simple example of documenting risk based on a two-step approach (the columns are shown; the rows are left blank for the agency to complete):

RISK | Inherent assessment: Likelihood | Consequence | CONTROLS IN PLACE | Residual assessment: Likelihood | Consequence | ACTION PLANNED AND OWNER
1.   |  |  |  |  |  |
2.   |  |  |  |  |  |
3.   |  |  |  |  |  |

As can be seen from the above table, when a two-step approach is adopted, risk analysis, risk evaluation and risk treatment are interrelated processes, which need to be considered by the agency simultaneously.

Practical Guidance Material

Application Guide 7 provides agencies with key consideration points when analysing risks.
Risk evaluation

Once an agency has identified and analysed its risks, they should be evaluated to determine which risks are to be treated and the priority for treatment implementation. This process is known as risk evaluation. Treatment options are outlined in the Risk treatment section.

When evaluating risks agencies should consider:
- the external and internal environment the agency operates in (that is, the established agency context); this will largely involve the overall strategic direction of the agency
- the risk appetite of the agency, as established earlier in the risk management process; for example, where the agency is involved in speculative activities, high risk activities may not always require priority treatment
- the risk appetite of parties other than the agency (that is, the stakeholders); for example, some high risk activities may be more acceptable to the public than others
- any legal, regulatory or other requirements which may exist; for example, if the risk could result in legal action against the agency, this risk may be a high priority if the probability of occurrence is high, and
- the cost/benefits of treating the risk.

The highest priority should be given to those risks that are evaluated as being the least acceptable. High priority risks should be given regular attention, review and evaluation.

Over time, specific risks and risk priorities will change, and an agency will need to review and evaluate its prioritisation process. Further information is provided in the section on Monitoring and review.

Practical Guidance Material

Application Guide 8 outlines some of the areas that should be considered when evaluating and prioritising risks within an agency.
Risk treatment

Once risks have been analysed and evaluated, the agency needs to determine the appropriate risk treatment/s. Any action taken to address a risk becomes part of the agency's internal controls.

There are a number of risk treatment options available, and more than one may be applied to a given risk. Risk treatment options include:

- treat the risk. This approach enables the activity or action to continue within the agency, but action is available to reduce the risk to an accepted level. The treat option can be further dissected into four different types of controls:
  - preventive controls, designed to limit the possibility of an undesirable outcome being realised. The more important it is that an undesirable outcome should not arise, the more important it becomes to implement appropriate preventive controls. Examples of preventive controls include separation of duties, installing security cameras to deter criminal activity, and the use of contract terms to enable recovery of overpayment or to safeguard against potential breaches of contracted project milestones.
  - corrective controls, designed to correct undesirable outcomes which have been realised. Examples of corrective controls include rotating staff positions, internal audit review of preventive and detective controls, or a change to management procedures.
  - directive controls, designed to ensure that a particular outcome is achieved. They are particularly important when it is critical that an undesirable event is avoided, particularly in the area of health and safety. Examples of directive controls include a requirement for protective clothing to be worn, or that staff be appropriately trained before working unsupervised.
  - detective controls, designed to identify unfavourable events after they have occurred. As they are after-the-event controls, they are only appropriate when it is possible to accept the loss or damage incurred. Examples of detective controls include inventory or asset stocktakes, bank reconciliations, or monitoring activities which detect changes that should be responded to. [6]

- transfer the risk. Risk transfer may be achieved by taking out insurance to facilitate financial recovery against the realisation of a risk, or by compensating a third party (potentially another agency) to take the risk because the other party is more able to effectively manage the risk. Risk may be wholly transferred, or partly transferred (that is, shared). For example, an agency may, with the Treasurer's approval, enter into a forward contract (such as a contract for the agency to buy an asset from an overseas party at a specified future time at a price agreed today) to transfer some of the exchange rate risk to the other party.

- terminate the risk. Some risks may only return to acceptable levels if the activity is terminated. The opportunities in the public sector to terminate an activity may be limited due to the nature of government responsibility. That is, the government may only be involved in delivering a service which is required for the public benefit because the associated risks are too great for the private sector to be involved.

- take the opportunity. There may be opportunities for an agency to take advantage of a risk event. For example, the agency may identify that a reduction in over-the-counter payments may result in reduced opening hours. Opportunities, however, may arise where the agency could partner with another agency to combine counter services (thus maintaining opening hours but reducing personnel costs) or transfer some of the resources to improve other areas of service delivery.

It may be appropriate, in some instances, to accept the risk rather than treat the risk. A risk may be accepted because:
- the probability or consequences of the risk is low or minor
- the cost of treating the risk outweighs any potential benefit
- the risk falls within the agency's established risk appetite and/or tolerance levels
- whole-of-government policy requires acceptance of the risk, or
- the agency has limited or no control over the risk, for example, natural disasters, international financial market impacts, terrorism and pandemic illnesses. To manage such risks, agencies should have a business continuity plan in place (discussed in Establishing the context) to provide effective prevention and recovery for the agency, while reducing adverse stakeholder impacts caused by the event, and these plans should be subject to regular testing and review.

When determining the most appropriate treatment option in relation to risks, agencies should consider the following:
- there should be a balance between the costs and efforts involved in implementing the option against the benefits derived. Apart from the most extreme undesirable outcome (such as loss of human life), it is generally sufficient to design controls to give a reasonable level of assurance that the likely loss will be within the agency's risk appetite.
- as well as considering financial costs, agencies may also need to take into account the political, environmental or social costs and benefits.
- the values and perceptions held by stakeholders and the most appropriate ways to communicate with them. Where risk treatment options can impact on risk elsewhere in the agency or with stakeholders, they should be involved in determining the treatment.
- risk treatment itself can introduce risks, for example, the failure or ineffectiveness of the risk treatment measures, or the introduction of secondary risks that will also need to be assessed, evaluated and treated.

Agencies should fully integrate risks into their strategic and operational plans, and prepare risk treatment plans to document how the chosen treatment/action will be implemented. The following points should be addressed:
- the identification of officers assigned responsibility for implementing the plan
- proposed treatment actions and timeframes, including a cost-benefit analysis of alternatives
- the physical and human resource requirements to implement the actions
- performance indicators that will be used to measure, review and evaluate the effectiveness of the treatment/action, and
- the ongoing monitoring and reporting requirements.

Practical Guidance Material

Application Guide 9 identifies key elements that need to be considered by decision makers when aiming to treat different types of risk within an agency.

[6] HM Treasury, The Orange Book: Management of Risk, Principles and Concepts, October 2004
Monitoring and review

Continuous monitoring and review are vital components of an effective risk management process. They may be undertaken as part of a formal periodic process, or performed on an ad hoc basis.

The primary purpose of monitoring and review is to determine whether risks still exist, whether new risks have arisen, whether the likelihood or impact of risks have changed, and to reassess the risk priorities within the internal and external context of the agency. Monitoring and review provides important feedback with regard to assurance over the efficiency and effectiveness of controls implemented to treat risks. It enables the agency to analyse and learn lessons from event successes, failures and near-misses.

Review of risks and review of the risk management process are distinct from each other and neither is a substitute for the other. The review processes should:
- ensure that all aspects of the risk management process, including the framework, are reviewed at least once a year
- ensure that risks themselves (and their associated internal controls) are subjected to review within a suitable timeframe (with appropriate provision for management's own review of risks and for independent review/audit), and
- make provision for alerting the appropriate level of management to new risks or to changes in already identified risks so that the change can be appropriately addressed. [7]

It is important that responsibilities for monitoring and reporting are clearly defined, and that results are documented and shared with all appropriate internal and external stakeholders. This includes sharing experiences and better practices internally and across government.

Under the Act, the Head of Internal Audit is responsible for providing assistance in risk management. As a member of senior management, the Head of Internal Audit is in a position to report to relevant management committees on many of the major risks the agency faces. Where specialist risk managers are appointed to undertake this reporting, the Head of Internal Audit would ensure management's reporting is effective.

The results of monitoring and reviewing the risk management process should also be used as input to the review of the risk management framework. This enables continuous improvement of the risk management process and framework, which will lead to improvements in the agency's management of risk and its organisational risk culture.

Practical Guidance Material

Application Guide 10 highlights key elements to be considered when an agency evaluates its monitoring and reviewing processes that relate to risk management.

[7] HM Treasury, The Orange Book: Management of Risk, Principles and Concepts, October 2004
Communication and consultation

Communication, consultation and regular feedback must take place during all steps in the risk management process. The nature of the risk (for example, strategic, operational, political) will need to be considered in determining an appropriate consultation process.

All staff within an agency must be involved in the risk management process, including identifying, analysing, managing and reporting on risks. Internally, risk communication promotes action, continuous learning, innovation and team work. It can demonstrate how management of a localised risk contributes to the overall achievement of agency objectives. [8]

It is important to ensure that all agency staff understand, in a way appropriate to their role, what the agency's risk strategy is, what the risk priorities are and how their particular responsibilities in the agency fit into the risk management framework. If this is not achieved, appropriate and consistent embedding of risk management and an organisational risk culture will not be achieved and risk priorities may not be consistently addressed. [9]

Stakeholders outside the agency can also provide information about risks that may affect the agency, as well as assist with managing known risks. When identifying stakeholders of a risk, and determining with whom to consult, agencies may consider:
- staff within the agency
- the agency's Risk Management Champion
- the accountable officer / Chief Executive Officer / agency executive management
- the agency's risk management committee (or similar)
- staff in other agencies or relevant Australian Government agencies
- Department of the Premier and Cabinet (DPC) and Treasury
- the agency's portfolio Minister or Cabinet
- the public
- partners and/or third party agencies used to deliver key services
- interest groups, for example, employer groups, industry groups, unions, and
- suppliers.

Cross-agency risks

Where agencies have shared priorities and challenges, and have identified risks from a joint or cluster viewpoint, a lead agency should be determined to establish clear communication and consultation processes. The lead agency would be responsible for opening up dialogue within the cluster, either by an informal forum or strategic meetings within the cluster, with DPC and/or Treasury included where the risk has whole-of-government implications. An agency may be required to adopt a risk analysis methodology compatible with the lead agency in order to provide comparable risk reporting and ratings. The aim is to improve communication and networking within relevant clusters and to develop contacts and share knowledge.

The single code of conduct for all public sector officers provides confidentiality protocols to be followed when discussing all risks.

Reporting

In order to ensure the effectiveness of the risk management process, consideration should be given to establishing an appropriate reporting structure within an agency. For example, the Head of Internal Audit may be required to report to the risk committee (or the audit committee where applicable) or the accountable officer or statutory body regarding the status of the risks currently on the risk register or incorporated into the strategic and operational plans.

Reporting processes should be timely and address the following points:
- the adequacy and effectiveness of the internal controls in place to treat risk
- identification of any new risks that may have arisen, and
- implementation of new controls to address key risks.

Where significant risks are identified within an agency, processes should be in place for reporting these to the agency's Chief Executive Officer. Depending upon the risk, the Chief Executive Officer may discuss the risk with counterparts in other agencies, or escalate the risk to the appropriate Minister.

Practical Guidance Material

Application Guide 11 outlines key considerations linked to communication and consultation processes with stakeholders to identify and manage agency risks. Application Guide 12 provides a list of potential stakeholders that agencies should consider throughout the entire risk management process.

[8] Treasury Board of Canada Secretariat, Integrated Risk Management Framework
[9] HM Treasury, The Orange Book: Management of Risk, Principles and Concepts, October 2004
Application Guides

The application guides are designed to provide agencies with practical guidance for the implementation of the concepts discussed throughout the document. The following application guides are provided:

Application Guide 1 - Glossary of terms
Application Guide 2 - Risk management framework
Application Guide 3 - Example of integrated risk management within an agency
Application Guide 4 - Establishing the context
Application Guide 5 - Risk identification
Application Guide 6 - Potential sources of risk
Application Guide 7 - Risk analysis
Application Guide 8 - Risk evaluation
Application Guide 9 - Risk treatment
Application Guide 10 - Monitoring and review
Application Guide 11 - Communication and consultation
Application Guide 12 - Potential Stakeholders

The application guides are provided for agencies to consider when developing their risk management process as a whole. As this document contains generic guidance, some points may not be applicable to all agencies. Agencies are encouraged to adapt the guides to suit their own individual circumstances.
Application Guide 1 - Glossary of terms

Below is a glossary of terms applicable to risk management. They are based largely on the definitions contained in AS/NZS ISO 31000.

Term | Definition/meaning
Consequence | The outcome of an event (for example, a loss, injury, disadvantage or gain) which affects the agency's ability to achieve its objectives.
Control | Any action taken to manage risk.
Likelihood | The chance of something happening.
Operational Risk | Those risks that arise in day to day operations, and which require specific and detailed response and monitoring regimes. If not treated and monitored, operational risks could potentially result in major adverse consequences for the agency.
Residual Risk | Risk remaining after new controls or treatments are taken into account.
Risk | The chance of something happening that will have an impact on the achievement of the agency's objectives. Risk is measured in terms of consequences and likelihood, and covers threats and opportunities.
Risk Acceptance | An informed decision by the risk owner to accept the consequences and the likelihood of a particular risk.
Risk Analysis | A systematic process to determine the nature of risks and the magnitude of their consequences.
Risk Appetite | The amount of risk that the agency is prepared to accept or be exposed to at any point in time.
Risk Assessment | The overall process of risk identification, analysis and evaluation.
Risk Avoidance | An informed decision not to become involved in, or to withdraw from, a risk situation.
Risk Evaluation | The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.
Risk Identification | The process of finding, recognising and describing risks.
Risk Management | The coordinated activities to direct and control an agency with regard to risk.
Risk Management Committee | A standing committee responsible for providing oversight of the agency's management of risk.
Risk Management Framework | The agency's policies, procedures, systems and processes concerned with managing risk.
Risk Management Process | The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk.
Risk Profile | The documented and prioritised overall assessment of a range of specific risks faced by the agency.
Risk Rating | The rating resulting from the application of the agency's risk assessment matrix to the likelihood and consequence of a risk occurring.
Risk Register | A system or file that holds all information on identifying and managing a risk.
Risk Retention | Intentionally or unintentionally retaining the responsibility for loss, or financial burden of loss, within the agency.
Risk Sharing | Sharing with another party the burden of loss, or benefit of gain, from a particular risk.
Risk Tolerance | The variation from the pre-determined risk appetite an agency is prepared to accept.
Risk Transfer | Shifting the responsibility or burden for loss to another party through legislation, contract, insurance or other means.
Risk Treatment | Selection and implementation of appropriate options for dealing with risk.
Strategic Risk | Risks that may affect the agency's ability to meet its strategic objectives and require oversight by senior executives.
Application Guide 2 - Risk management framework

Consideration Points

Integrated risk management is about embedding risk into the agency's existing governance, planning, reporting and decision-making processes by developing a robust risk management framework. The consideration points contained below, designed to assist agencies with integrating risk management, are to be treated as a GUIDE ONLY. They are not to be considered to be exhaustive, and some points may not be applicable to all agencies.

Question (Yes / No / N/A)
- Has the accountable officer or statutory body developed and implemented a robust risk management framework appropriate to the size of their agency?
- Does the agency have the necessary policies and procedures in place to support risk management?
- Does the agency ensure all staff are informed of the risk management framework?
- Does the agency have an explicitly stated risk management policy that complements its vision and strategic objectives?
- Is there a designated risk management champion or unit to oversee the implementation of integrated risk management?
- Does risk management have the demonstrated support and ongoing attention of executive management?
- Does the agency have a risk management committee, or similar?
- Is risk management communicated, understood, and applied throughout agency processes?
- Is risk management integrated into existing governance and decision-making structures and performance reporting systems?
- Have control and accountability systems been adapted to account for risk management processes?
- Have key performance indicators and critical success factors been identified and included in agency reports?
- Does reporting on risk and risk management take place through existing management processes (e.g. performance reporting, ongoing monitoring, appraisals, internal auditing)?
- Has the agency put in place effective initiatives to build risk management awareness?
- Is written guidance (framework, policy, or operating principles) communicated throughout the agency to support individual units in building risk management into day-to-day operations?
- Is the risk management process integrated into strategic and operational planning?
- Does the agency identify and encourage education, training and development in risk management?
- Is the risk management framework reviewed at least annually?

Notes:
Application Guide 3 - Example of integrated risk management within an agency

(Diagram. The elements of the diagram and the legislative references attached to each are set out below.)

OBJECTIVES OF GOVERNMENT: Articulated in Toward Q2: Tomorrow's Queensland and the Charter of Fiscal Responsibility (FAA, s10)

AGENCY STRATEGIC PLAN: Articulates agency vision, purpose, risks, strategies and performance indicators (FPMS, s9)

AGENCY OPERATIONAL PLAN/S: Articulates agency services, performance measures and risks (FPMS, s9)

AGENCY RISK MANAGEMENT: Continuous process to assist an agency in achieving its objectives. Asks: How do we manage threats that will prevent us from achieving our vision, purpose and services? OR How do we take advantage of opportunities? (FPMS, s28)

ACCOUNTABILITIES FOR RISK MANAGEMENT:
- Accountable officer / statutory body (FAA, s61)
- Chief Finance Officer (department) (FAA, s77; FPMS, s57)
- Head of Internal Audit (department) (FAA, s78)
- All staff

INTERNAL CONTROLS: Internal controls in existence or introduced to mitigate/control risks (FPMS, s8)

INTERNAL AUDIT (where established): Assesses if controls are effective and whether risk treatments are appropriate (FAA, s78; FPMS, s29)

INTERNAL PERFORMANCE MONITORING AND REPORTING: Monitoring and reporting achievement/progress (PMF; FPMS, s11)

EXTERNAL REPORTING OF PERFORMANCE: Reporting to the public on service delivery and achievements via the annual report (FPMS, s50; ARR)

Legend:
ARR: Annual Report Requirements for the Queensland Public Sector
FAA: Financial Accountability Act
FPMS: Financial and Performance Management Standard
PMF: Guide to the Queensland Government Performance Management Framework
Application Guide 4 - Establishing the context

Consideration Points

Establishing the context involves setting the parameters within which risks are identified, assessed and managed. The consideration points contained below, designed to assist agencies with establishing their risk context, are to be treated as a GUIDE ONLY. They are not to be considered to be exhaustive, and some points may not be applicable to all agencies.

Question (Yes / No / N/A)
- Has the agency implemented appropriate processes to identify both the internal and external context within which the agency operates (for example, use of environmental scanning)?
- Has the risk context been established with reference to the agency's objectives and strategic planning?
- In determining the context, has the agency considered both challenges and opportunities?
- Does the agency's environmental scanning process include a wide range of influences, trends and time horizons?
- Does the agency consider both its external and internal contexts in relation to risk management?
- Has the agency determined and documented its risk tolerances for the various components of its environment?
- Is the context regularly reviewed to ensure it remains correct/appropriate to the agency's systems or controls?
- Has the agency determined appropriate risk criteria that align with its objectives?

Agency-level risks
- Have the objectives of individual projects been considered as part of the risk management context?
- Has the agency considered its capabilities and capacities (for example, funding, staff and technology)?

Cross-agency risks
- Does the agency consider the risk management practices of other agencies with which it delivers services?
- Does the agency consider cross-agency risks and communicate these risks to relevant agencies?

Whole-of-Government risks
- Does the agency consider the wider political and public sector environment?
- Does the agency consider strategic risk issues (for example, climate change) that require coordination with other relevant agencies?
- Does the agency consider the potential impact of risks on industry and the community?

Notes:
Application Guide 5 - Risk identification

Consideration Points

Risk identification is the process of identifying an agency's challenges and opportunities. The consideration points contained below, designed to assist agencies with identifying risk, are to be treated as a GUIDE ONLY. They are not to be considered to be exhaustive, and some points may not be applicable to all agencies.

Question (Yes / No / N/A)
- Are risks identified with reference to the agency's strategic plan, that is, the objectives and deliverables of the agency?
- Are risks identified with reference to the agency's operational plans?
- Are risks identified with reference to the agency's program and project plans?
- Is risk identification linked to whole-of-government policy and stakeholders?
- Does the agency consider risks at the agency, cross-agency and whole-of-government levels?
- Does the agency identify both challenges and opportunities?
- Does the agency consider both internal and external risks?
- Does the agency have ongoing, comprehensive and systematic processes for identifying risks?
- Are identified risks recorded in a risk register?
- Are the staff involved in risk identification knowledgeable about the process or activity being reviewed and about the risks that must be managed as part of that activity?
- Does risk identification involve appropriate stakeholders?
- Are strategic risks sourced from/reflected in the agency's strategic plan?

Agency-level risks
- When identifying risks, does the agency consider the findings from past audits, evaluations and other assessments?
- Does the agency review relevant corporate records to determine if a pattern exists (for example, financial or property losses, data/record losses, workplace health and safety reports)?
- Does the agency consider risks identified from past learning?
- Does the agency undertake a gap analysis (that is, the difference between existing practice and strategic plans, policies and practices)?

Cross-agency risks
- Does the agency consider how risks within the agency may affect other agencies?
- Does a cross-agency committee assess risks associated with joint projects?
- Is there a process for notifying relevant stakeholders of cross-agency risks?

Notes:
Application Guide 6 - Potential sources of risk

Below are some examples of potential sources of risk, separated between agency, cross-agency and whole-of-government risk. In some cases the examples are listed in more than one level, which has been done to highlight that the same challenge or opportunity can affect the agency in different ways.

Agency risk
- policy and strategy
- agency reputation
- political factors
- machinery of Government changes
- public expectations
- stakeholder relations
- media relations
- changing demographics
- globalisation
- security threats
- terrorism
- emergency preparedness
- business continuity
- natural disasters
- economic trends
- technology trends
- competitive trends
- service delivery
- major projects
- program activities
- program delivery
- project management
- business line activities
- structure and reporting relationships
- planning and priority setting
- budgeting and resource allocation
- expenditure management
- revenue and cost recovery
- procurement and contracting
- financial management
- performance management
- inventory management
- change management
- asset management
- human resources
- information and knowledge
- information technology
- communications
- statutory reporting
- compliance with laws, regulations and policies
- agreements and contractual obligations
- workplace health and safety
- environmental protection
- security, privacy and confidentiality
- legal liabilities and litigation
- accountability
- transparency

Cross-agency risk
- policy and strategy
- agency reputation
- political factors
- machinery of Government changes
- public expectations
- stakeholder relations
- media relations
- industry developments
- changing demographics
- globalisation
- security threats
- terrorism
- emergency preparedness
- business continuity
- natural disasters
- economic trends
- competitive trends
- technology trends
- service delivery
- major projects
- program activities
- program delivery
- alliances, partnerships
- project management
- structure and reporting relationships
- planning and priority setting
- budgeting and resource allocation
- financial management
- performance management
- environmental protection
- security, privacy and confidentiality
- legal liabilities and litigation
- accountability
- transparency

Whole-of-Government risk
- policy and strategy
- political factors
- machinery of Government changes
- public expectations
- stakeholder relations
- media relations
- industry developments
- program activities
- program delivery
- service delivery
- major projects
- project management
- structure and reporting relationships
- planning and priority setting
- environmental protection
- natural disasters
- accountability
- transparency
- Whole-of-Government reputation

Source: Based on examples provided in Treasury Board of Canada Secretariat, Integrated Risk Management Implementation Guide
Application Guide 7 - Risk analysis

Consideration Points

Risk analysis involves analysing the impact of a potential challenge or opportunity for the agency. The consideration points contained below, designed to assist agencies with risk analysis, are to be treated as a GUIDE ONLY. They are not to be considered to be exhaustive, and some points may not be applicable to all agencies.

Question (Yes / No / N/A)
- Does the agency have documented procedures to analyse the likelihood and consequence of each risk?
- Does the agency conduct appropriate analysis of the nature and extent of the causes and impacts of the risks?
- Are all risks analysed using a consistent methodology?
- Are risk analyses adequately documented?
- Has the agency examined and evaluated existing controls for the identified risks in terms of their strengths and weaknesses?
- Are risk management controls regularly monitored?
- Are appropriate levels of management and employees involved in the risk analysis process?
- Does risk analysis include ensuring that the agency is not over-controlled for the risks it faces?

Notes:
Application Guide 8 - Risk evaluation

Consideration Points

Risk evaluation involves determining which risks should be treated, and the priority for treatment implementation. The consideration points contained below, designed to assist agencies with risk evaluation, are to be treated as a GUIDE ONLY. They are not to be considered to be exhaustive, and some points may not be applicable to all agencies.

Question (Yes / No / N/A)
- Are risks found during the analysis process compared with the risk profile, risk appetite and risk tolerance established when the agency context was considered?
- Has the agency fully integrated risks into its strategic and operational plans, or established risk treatment plans for the management of risks, where necessary?
- Are all risks within the agency evaluated using a consistent methodology?
- Are evaluated risks prioritised to ensure treatment of the highest risks is considered first?
- Are evaluated risks reviewed by an independent person to ensure risks are treated consistently?
- Are risks re-evaluated over time to determine if priorities need to change?
- Are risks reviewed or evaluated as part of the agency's own strategic and operational planning processes?

Notes:
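The glossary's definitions of risk rating, residual risk, risk appetite and risk tolerance, together with the analysis questions in Guide 7 (existing controls, not being over-controlled) and the evaluation questions in Guide 8 (compare against appetite and tolerance, treat the highest risks first), can be exercised on a small risk register. The Python below is an added worked example; it is not part of the Guide and does not describe any Queensland Government system. The five-point likelihood and consequence scales, the multiply-and-band assessment matrix, the model of a control as a reduction in scale steps, and the sample register are all assumptions made for illustration, since the Guide leaves the matrix and criteria to each agency.

```python
"""Added example: a minimal risk register with inherent and residual ratings,
evaluation against appetite/tolerance, and a treatment priority list.
All scales, bands and sample data are assumptions, not from the Guide."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed five-point ordinal scales (the agency's own matrix would replace these).
LIKELIHOOD: Dict[str, int] = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE: Dict[str, int] = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "extreme": 5}
BANDS: List[str] = ["low", "medium", "high", "extreme"]  # ordered; index is used for comparison


def band(l_score: int, c_score: int) -> str:
    """Assumed risk assessment matrix: multiply the two scores and band the product."""
    score = l_score * c_score
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Control:
    """Assumed model: a control lowers likelihood and/or consequence by whole scale steps."""
    name: str
    likelihood_steps: int = 0
    consequence_steps: int = 0


@dataclass
class Risk:
    ident: str
    description: str
    owner: str
    likelihood: str
    consequence: str
    controls: List[Control] = field(default_factory=list)

    def inherent_rating(self) -> str:
        """Rating before any control is taken into account."""
        return band(LIKELIHOOD[self.likelihood], CONSEQUENCE[self.consequence])

    def residual_scores(self) -> Tuple[int, int]:
        """Scores after controls; a control cannot push a score below the bottom of the scale."""
        l_res = LIKELIHOOD[self.likelihood] - sum(ctl.likelihood_steps for ctl in self.controls)
        c_res = CONSEQUENCE[self.consequence] - sum(ctl.consequence_steps for ctl in self.controls)
        return max(1, l_res), max(1, c_res)

    def residual_rating(self) -> str:
        """Glossary: risk remaining after controls or treatments are taken into account."""
        return band(*self.residual_scores())


def evaluate(register: List[Risk], appetite: str, tolerance_bands: int = 0) -> Dict[str, str]:
    """Compare each residual rating with the appetite (the highest band the agency accepts)
    and the tolerance (how many bands above appetite it will live with while monitoring).
    Returns risk id -> 'accept' | 'monitor' | 'treat'."""
    limit = BANDS.index(appetite)
    decisions: Dict[str, str] = {}
    for r in register:
        idx = BANDS.index(r.residual_rating())
        if idx <= limit:
            decisions[r.ident] = "accept"
        elif idx - limit <= tolerance_bands:
            decisions[r.ident] = "monitor"
        else:
            decisions[r.ident] = "treat"
    return decisions


def treatment_priority(register: List[Risk], appetite: str, tolerance_bands: int = 0) -> List[str]:
    """Risks needing treatment, highest residual rating first; ties are broken by inherent
    rating so the risk with the most exposure if its controls fail comes first."""
    decisions = evaluate(register, appetite, tolerance_bands)
    to_treat = [r for r in register if decisions[r.ident] == "treat"]
    to_treat.sort(key=lambda r: (BANDS.index(r.residual_rating()), BANDS.index(r.inherent_rating())),
                  reverse=True)
    return [r.ident for r in to_treat]


def over_controlled(register: List[Risk], appetite: str) -> List[str]:
    """Guide 7 asks whether the agency is over-controlled: a risk whose inherent rating is
    already within appetite yet carries controls is a candidate for rationalising them."""
    limit = BANDS.index(appetite)
    return [r.ident for r in register if r.controls and BANDS.index(r.inherent_rating()) <= limit]


# Constructed sample register (illustrative only).
SAMPLE_REGISTER: List[Risk] = [
    Risk("R1", "Loss of the payroll system for more than a day", "CIO", "possible", "major",
         [Control("Nightly off-site backup", consequence_steps=2),
          Control("Warm standby site", likelihood_steps=1)]),
    Risk("R2", "Unauthorised disclosure of client records", "CIO", "likely", "extreme",
         [Control("Role-based access control", likelihood_steps=1)]),
    Risk("R3", "Grant program under-subscribed", "Program manager", "possible", "moderate"),
    Risk("R4", "Minor stationery price rises", "Finance", "likely", "insignificant",
         [Control("Quarterly price review", likelihood_steps=1)]),
]

if __name__ == "__main__":
    for risk in SAMPLE_REGISTER:
        print(risk.ident, risk.inherent_rating(), "->", risk.residual_rating())
    print("decisions:", evaluate(SAMPLE_REGISTER, "medium", tolerance_bands=1))
    print("treat first:", treatment_priority(SAMPLE_REGISTER, "medium"))
    print("possibly over-controlled:", over_controlled(SAMPLE_REGISTER, "medium"))
```

With an appetite of "medium" and a tolerance of one band, R2 remains extreme after its single control and must be treated, R3 sits one band above appetite and is monitored, and R4 is within appetite before any control is applied, which is the signal Guide 7 asks for when checking that the agency is not over-controlled. Setting the tolerance to zero moves R3 into the treatment list behind R2, which is the ordering Guide 8 asks for.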
Application Guide 9 - Risk treatment

Consideration Points

Risk treatment is the action, if any, taken to manage or mitigate a risk. The consideration points contained below, designed to assist agencies with risk treatment, are to be treated as a GUIDE ONLY. They are not to be considered to be exhaustive, and some points may not be applicable to all agencies.

Question (Yes / No / N/A)
- Are risks treated in accordance with the pre-determined risk criteria established by the agency?
- Do proposed risk treatment plans include cost/benefit analyses of alternative courses of action?
- Is the management of risks and associated controls assigned to particular officers within the agency?

Agency-level risks
- Does the agency have formal, documented contingency plans for disaster recovery and business continuity?
- Does the agency regularly review and test risk controls and contingency plans?
- Are internal controls developed and documented to treat identified risks?

Cross-agency risks
- Does the agency have contractual agreements in place to manage cross-agency projects and their related risks?
- Is there collaboration between agencies to agree risk treatments attached to identified cross-agency risks?
- Are processes in place to ensure cross-agency risks and risk treatments are monitored over time?
- Are Treasury and DPC informed of risk treatments, particularly if there are budget or policy implications?

Whole-of-Government risks
- Is there collaboration between agencies to agree on risk treatments attached to whole-of-government risks?
- Are processes in place to ensure whole-of-government risks and risk treatments are monitored over time?
- Are Treasury and DPC informed of risk treatments, particularly if there are budget or policy implications?
- Have strategic risks been assigned specific risk treatments, and are these shared with other agencies?

Notes:
Application Guide 10 - Monitoring and review

Consideration Points

Risk monitoring and review is about determining whether risks still exist, whether new risks have arisen, whether the likelihood or impact of risks has changed, and reassessing the risk priorities. The consideration points contained below, designed to assist agencies with risk monitoring and review, are to be treated as a GUIDE ONLY. They are not to be considered to be exhaustive, and some points may not be applicable to all agencies.

Question (Yes / No / N/A)
- Does the agency have a regular monitoring and review process to evaluate the:
  - relevance of the risks to the achievement of the agency's objectives?
  - effectiveness of existing governance controls?
  - application of risk treatment plans in practice?
  - continuing relevance of the risk treatment plans to the agency's strategic and operational objectives?
- Does the agency have policies and procedures in place for the reassessment of its risk profile and the opportunities provided by changes to the agency's internal and/or external environments?
- Are adequate management information systems in place to facilitate risk monitoring and review requirements?
- Is risk appetite assessed in light of changing circumstances (for example, at regular intervals, as well as at trigger points such as a State election)?
- Are higher rated risks and associated current controls, and new controls/treatments, reviewed regularly?

Agency-level risks
- Is there regular reporting of the status of risks (for example, to senior or executive management, risk management committee)?
- Does the Head of Internal Audit (where established) provide assistance in risk management and identifying deficiencies in risk management? (refer section 78 of the Financial Accountability Act 2009)
- Does the internal audit unit undertake regular reviews of the risk management process?

Cross-agency risks
- Do processes exist to ensure ongoing monitoring and reporting of cross-agency risks?

Whole-of-Government risks
- Do processes exist to ensure ongoing monitoring and reporting of whole-of-government risks?
- Are strategic risks reviewed and evaluated through appropriate processes such as environmental scanning?
- Are the results of any strategic risk review process shared with other agencies facing similar risks?

Notes:
Application Guide 11 - Communication and consultation

Consideration Points

Stakeholders, both internal and external to the agency, should be consulted in the identification and management of risk. The consideration points contained below, designed to assist agencies with communication and consultation, are to be treated as a GUIDE ONLY. They are not to be considered to be exhaustive, and some points may not be applicable to all agencies.

Question (Yes / No / N/A)
- Are all staff aware of their responsibilities with respect to risk identification, treatment and management?
- Does the agency's risk management framework promote continuous improvement through learning and innovation?
- Within the risk management framework, is there a process to ensure all stakeholders are identified?
- Where appropriate, is a communication plan developed (for example, where a large number of stakeholders are involved)?
- Are all key stakeholders consulted throughout the risk management cycle?
- Are stakeholder perceptions of risk addressed?
- Does the agency have processes to obtain input from Ministers and/or Cabinet on risks, their treatment and the Government's appetite for risk?
- Are the agency's risks discussed regularly with the Department of the Premier and Cabinet and Treasury?

Agency-level risks
- Is there regular communication between the Head of Internal Audit and the risk management committee (or equivalent)?
- Does the risk management champion have direct access to the risk management committee (or equivalent) to raise concerns?
- Is there a risk management reporting system in place that ensures all relevant parties are kept informed of the risks faced by the agency?

Cross-agency risks
- Are effective communication strategies implemented for cross-agency risks (for example, multi-agency committees, and regular executive management forums)?
- Do risk management champions communicate with their counterparts in other agencies?
- Does the lead agency advise the appropriate risk analysis matrix to be followed for the cross-agency risk, and establish clear lines of communication and consultation?

Whole-of-Government risks
- Does the agency have processes to ensure Ministers and/or Cabinet are informed of high-risk or whole-of-Government risks?
- Are effective communication strategies implemented for whole-of-government risks (for example, multi-agency committees, and regular executive management forums)?
- Do risk management champions communicate with their counterparts in other agencies?

Notes:
Application Guide 12 - Potential stakeholders

The table below provides a list of potential agency stakeholders that can be involved in risk management. This list is to be treated as a GUIDE ONLY. It is not to be considered to be an exhaustive list, and some stakeholders may not be applicable to all agencies.

Staff within the agency
- these may include staff members directly involved with identifying, analysing, evaluating, treating or reporting on a risk
- if a risk is identified that may affect another agency business area, then this risk should be communicated to the other business area

Risk management champion
- may become involved where a whole-of-agency or cross-agency risk is identified, to ensure appropriate consideration and action are taken
- the risk management champion may also become involved if a risk owner does not take responsibility for their particular risk

Accountable officer / Chief Executive Officer / agency executive management / statutory body board
- particularly to elevate risks from a business area level to an agency, cross-agency or whole-of-government issue
- other examples where executive-level reporting may be desirable include: when additional staff and/or resources are required to manage a risk; when the consequence of a risk is considered to be extreme, or the probability of the risk occurring is very likely
- this could be achieved through regular reporting of risks, or in a standard section in all briefing notes (this will assist with integrating risk within the normal processes of the agency)

Head of Internal Audit
- legislative responsibility to provide assistance and identify deficiencies in risk management

Agency's audit and risk management committee (or similar)
- the audit and risk management committee is not responsible for owning or managing risks; rather it comments on the risk management and assurance processes which are in place
- the accountable officer / Chief Executive Officer / agency executive management may decide to raise particular risks with the audit and risk management committee, for advice on how to manage a risk or how a risk may interact with other risks

Staff in other agencies
- may be involved with identifying or managing a risk, particularly with cross-agency projects
- may also seek expert advice from other agencies on how to manage a risk, for example, the Office for Aboriginal and Torres Strait Islander Policy may provide advice on risks with potential indigenous impacts

Department of the Premier and Cabinet and Treasury
- particularly where the strategic risks may have a whole-of-Government impact

Minister / Cabinet
- for risks with potentially significant impact on the Government's stated priorities for the State, it may be appropriate to elevate the risks to the Minister or Cabinet
- required when additional funding is considered necessary to manage risks
- potential risks should be contained in all Cabinet Submissions
- where considered necessary, the Minister or Cabinet may opt to advise Parliament of the potential risk

Public
- there may be instances where the public is engaged to assist with managing a particular risk, for example, the public was engaged to help manage the effects of the drought through water rationing
- the public may also be engaged to assess its risk appetite regarding particular issues, for example, to assess the appetite of the public for adding fluoride to the drinking water
- in order to obtain this level of involvement with the public, agencies may need to engage the media or survey companies

Partners or third party agencies
- may be considered stakeholders where a public private partnership is in place, or where an agency uses a third party to deliver key services, for example Australia Post

Interest groups, for example, employer groups, industry groups, unions
- instances may occur when the views of the public are sought, but targeted towards particular interest groups which may have expert knowledge or represent targeted members of the public. For example, for a risk that may impact on health services in Queensland, it may be beneficial to contact the Australian Medical Association

Suppliers
- while risk management may not need to be discussed with suppliers, where non-delivery by a supplier may compromise the agency's service delivery, communication may be necessary with the supplier to reinforce the importance of established timeframes
Useful resources

AS/NZS ISO 31000:2009 Risk Management - Principles and guidelines, Standards Australia (purchase required)
http://www.saiglobal.com/

Best practice in risk management - A function comes of age, The Economist Intelligence Unit, 2007
http://www.kpmg.com.au/portals/0/eiu_risk_management.pdf

Framework for the Management of Risk, Treasury Board of Canada Secretariat, August 2010
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=19422

Good Practice Guide - Managing risk across the public sector, Victorian Auditor-General's Office, 2004
http://download.audit.vic.gov.au/files/risk_guide.pdf

HB 231:2004 Information security risk management guidelines, Standards Australia (purchase required)
http://www.saiglobal.com/

HB 436:2004 Risk Management Guidelines, Standards Australia (purchase required)
http://www.saiglobal.com/

Integrated Risk Management Framework, Treasury Board of Canada Secretariat (available but rescinded 27 August 2010)
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12254&section=html

Integrated Risk Management Implementation Guide, Treasury Board of Canada Secretariat (available but rescinded 27 August 2010)
http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/riskmanagement/guide-preng.asp?printable=true

Queensland Government Insurance Fund
http://www.qgif.qld.gov.au/

Queensland Government State Disaster Management Group
http://www.disaster.qld.gov.au/default.asp

Queensland Pandemic Influenza Plan 2009
http://www.premiers.qld.gov.au/publications/categories/plans/influenza-plan-2009.aspx

Report to Parliament No. 6 for 2007 - Beyond Agency Risk, Auditor-General of Queensland
http://www.qao.qld.gov.au/

Risk Management Matrix
http://www.eventsportstephens.com.au/insurance/risk-management-tool/

The Orange Book: Management of Risk - Principles and Concepts, HM Treasury, October 2004
http://www.hm-treasury.gov.uk/d/orange_book.pdf

Victorian Government Risk Management Framework, July 2007
http://www.dtf.vic.gov.au/ca25713e0002ef43/pages/economic-and-financial-policy-victorian-risk-management-framework
If your agency has any questions concerning A Guide to Risk Management, please contact the relevant Portfolio Contact Officer (DPC) or Treasury Analyst (Treasury) for your agency. Alternatively, email the Financial Management Helpdesk with details of your query and a response will be provided by the Financial Management Branch of Treasury:

Email: fmhelpdesk@treasury.qld.gov.au