SOUTHERN RURAL WATER POLICY

RISK MANAGEMENT POLICY

1. POLICY STATEMENT
Having regard to AS/NZS ISO 31000 Risk Management, it shall be the Policy of SRW to manage risk to protect public safety, quality and security of supply. This will be achieved through the implementation of SRW's Risk Management System, which is described in Schedule 1.

2. DATE OF BOARD APPROVAL
Board Meeting No 148 held on 20 July 2006.
Board Meeting No 184 held on 9 October 2008.
Board Meeting No 205 held on 5 May 2010.
Board Meeting No 219 held on 2 June 2011.

3. REVIEW
May 2013

4. EXPLANATORY NOTES
This Policy should be read in conjunction with the Dam Safety Management Policy and AS/NZS ISO 31000 Risk Management.

5. COMMUNICATION
This Policy will be made available to the public on the SRW website.

Policy prepared by: Chief Financial Officer, 20 May 2011
SCHEDULE 1: RISK MANAGEMENT SYSTEM

1. INTRODUCTION
1.1 A fundamental task for any organisation is identifying and managing both potential negative impacts and beneficial opportunities in order to achieve the entity's objectives. SRW's Risk Management System is designed to achieve this by establishing good Risk Management practice for a business of our size and risk profile. Successful Risk Management requires a combination of sound support systems and a culture that actively seeks to identify and address risks.
1.2 SRW's Statement of Obligations imposes:
- as a Guiding Principle, that in performing its functions and providing its services the Corporation must manage risk to protect public safety, quality and security of supply;
- as an Obligation, that the Corporation must develop and implement plans, systems and processes, having regard to the Australian/New Zealand standard AS/NZS 4360 Risk Management, as revised from time to time, to ensure that risks to the Corporation's assets or services are identified, assessed, prioritised and managed.
1.3 SRW's Risk Management System will ensure compliance with our Statement of Obligations and the principles of good governance.
1.4 The System is designed to create a consistent, comprehensive and clear definition of risk within the Corporation, facilitating a common understanding of risk exposure; specifying, recommending and agreeing on tolerable levels of risk; and setting improvement priorities and targets.
1.5 The key elements of our Risk Management System are to:
- Categorise risks in accordance with SRW's risk assessment framework.
- Utilise appropriate software to record, manage and monitor risk.
- Define roles and responsibilities for Risk Management.
- Define review and reporting procedures.
- Determine the process to manage risk for significant projects and for some headworks issues.

2. RATING OF RISKS
2.1 Risks are rated using a combined assessment of likelihood and consequence, resulting in the risk being rated as low, moderate, high or extreme.
Risk rating matrix (rows: LIKELIHOOD; columns: CONSEQUENCE)

LIKELIHOOD      | Minimal  | Minor    | Significant | Major    | Catastrophic
Almost certain  | Moderate | High     | Extreme     | Extreme  | Extreme
Likely          | Moderate | Moderate | High        | Extreme  | Extreme
Possible        | Low      | Moderate | Moderate    | High     | Extreme
Rare            | Low      | Moderate | Moderate    | Moderate | High
Very rare       | Low      | Low      | Low         | Moderate | Moderate

Consequence is rated from minimal to catastrophic, having regard to a range of factors as identified in the attached Table 1.

Likelihood is rated from very rare to almost certain, based on the expected probability or frequency of occurrence as shown below:

RATING         | OCCURRENCE                                               | DESCRIPTION
Almost certain | Expected to occur at least once per year                 | The event is expected to occur in most circumstances
Likely         | Expected to occur at least once every 10 years           | The event will probably occur in most circumstances
Possible       | Expected to occur at least once every 100 years          | The event should occur at some time
Rare           | Expected to occur at least once every 1,000 years        | The event could occur at some time
Very rare      | Expected to occur less often than once every 1,000 years | The event may occur only in exceptional circumstances
3. ROLES AND RESPONSIBILITIES

Position | Role

Board
- Approve Risk Management policy;
- Approve risk assessment criteria; and
- Approve the risk tolerance of the Corporation.

Audit & Risk Policy Committee
- Monitor the adequacy of the Risk Management system; and
- Assign review responsibility for all identified risks to a Board Committee.

Board Committees
- Review Risk Management performance for those risks within each Committee's ambit.

Managing Director
- Implement Risk Management consistent with the approved RMS; and
- Inform the Board of any legislative changes or ministerial directions that impact on management of risk.

Executive Risk Committee
- Monitoring, leadership and ongoing maintenance of the Risk Management System;
- Ensure consistent application of the Risk Management System;
- Review accuracy and completeness of the enterprise-wide risk register; and
- Co-ordinate enterprise-wide training and education initiatives.
Within their respective areas:
- Act as Risk Reviewer and recommend a Tolerance Baseline rating for Board reporting;
- Ensure Risk Management processes are in place and operating effectively; and
- Report risk events in accordance with reporting processes.

Risk Coordinator
- Implement Risk Management software, facilitate supporting workshops and training, and provide on-going support;
- Provide risk reporting to the Managing Director, Executive Risk Committee, Audit & Risk Policy Committee and Board;
- Provide secretarial support to the Executive Risk Committee; and
- Keep abreast of best practice developments and how these apply to the SRW context.

Risk Owner
For those risks designated as Risk Owner:
- Prioritise, specify and implement risk control actions;
- Identify (and report to the Executive Risk Committee) treatments that further mitigate risk; and
- Ensure the risk register is maintained to accurately record progress for identified actions and to reflect current knowledge of risk assessment.

Managers and Supervisors
- Ensure induction of new employees introduces the Corporation's Risk Management System, and the role that each employee performs to mitigate Corporation risk;
- Ensure that as Position Description (PD) documents are created or revised, the PD incorporates that member of staff's responsibilities within the Corporation's Risk Management System;
- Ensure Risk Management processes are in place and operating effectively;
- Report risk events in accordance with reporting processes;
- Provide regular training and reinforcement of Risk Management principles to all staff in their area; and
- Ensure that performance appraisal for subordinate staff considers adherence to applicable Risk Management requirements for that staff member.

All staff
- All staff across the Corporation are responsible for observing the organisation's policies, procedures and delegations and for minimising risks to the organisation, at all times.

Manager Human Resources
- Ensure that the Corporation's Human Resources policies and procedures reinforce the requirements of the Risk Management System.

Finance Manager
- Ensure that the treatment outcomes from the Corporation's Risk Management System are reflected in corporate plans and budgets.

Internal Audit
- As recommended by the Audit & Risk Policy Committee, specialist Internal Audit is periodically engaged to conduct independent examinations and evaluations of risk mitigation plans (policies, procedures, systems) in place to manage risk within acceptable tolerance limits.

External Audit
- Is responsible for independently assessing the Corporation's financial state; and
- Will use Risk Management information to assist in determining reliance on key systems.

4. USE OF SENTINEL RISK MANAGEMENT SOFTWARE
4.1 During 2004/05, SRW implemented specialist software, Sentinel, to record, manage and report on our risks and Risk Management strategies. Risks are characterised based on their inherent risk (without controls), baseline risk (with existing controls) and target risk (with proposed controls), and are assigned to designated officers (Risk Owners). The register records proposed controls and actions, and provides progress reporting against those actions.
4.2 Guiding Principles
4.2.1 The Risk Owner is responsible for the management of the risk and any applicable Treatment, and the associated recording within Sentinel.
4.2.2 The Risk Reviewer is responsible for the Acceptance of the Risk. By Accepting the Risk, the Reviewer has notified his:
- Recommended Tolerance of the Baseline risk rating; or
- Agreement of the Target risk and the associated Treatment (from a scope, time and financial context), and recommended Tolerance of the Baseline risk rating throughout the Treatment period.
4.2.3 It is the responsibility of both the Owner and the Reviewer to ensure that no Risks are recorded as Not Accepted.
4.3 Risk Procedure
4.3.1 Once a risk is identified by the Corporation, a Risk Owner is identified by the applicable Executive and Sentinel maps the process of Risk Management in the following manner.

4.3.2 Risk Owner
Management of the risk is recorded and monitored by the Risk Owner within Sentinel as follows:
1. Risk identified: Title and description recorded in Sentinel.
2. Inherent risk assessment: Likelihood and consequence assessment performed for an environment without any controls; result input to Sentinel as Inherent Risk.
3. Existing controls: Existing controls recorded in Sentinel, including an assessment of their associated Impact and Effectiveness.
4. Baseline risk assessment: Likelihood and consequence assessment performed for an environment with existing controls; result input to Sentinel as Baseline Risk.
5. Treatment (a Treatment refers to a series of Milestone tasks; each Milestone task represents a separate action or project that will enhance the control environment with the objective of mitigating our risk position):
   a. Treatment proposed: Milestone tasks described and input to Sentinel, together with the responsible officer, estimated external cost and completion date. Likelihood and consequence assessment performed for an environment with existing and proposed controls; result input to Sentinel as Target Risk.
   b. No Treatment proposed: No further Sentinel input required, including assessment of Target risk.

4.3.3 Risk Reviewer
6. Acceptance: The appropriate member of the Executive Risk Committee agrees the proposed (or no) Treatment and records their Acceptance within Sentinel. At the time of Acceptance, a Review risk rating is also input to Sentinel. This rating reflects the current assessment of the risk and will mirror the Baseline risk. These steps combine to formalise the Risk Reviewer's acknowledgement of the risk, its current status and, if applicable, any proposed Treatment, and allow reporting of the Risk Reviewer's recommended risk tolerance to the respective Board Committee. All Risks identified and input to Sentinel must be Accepted by a member of the Executive Risk Committee within 4 weeks of initial input.

4.3.4 Risk Owner
7. Where Treatment Accepted - Milestone reporting: Monthly update of Sentinel to accurately record progress for each Milestone action. Sentinel includes a % completion field; this field must reflect current progress towards completion of the task.
8. New control: Once the Treatment is complete, the result is input to Sentinel as a control. The Baseline risk is adjusted to reflect the new control environment (the Target risk remains unchanged).

4.3.5 Risk Reviewer
9. Acceptance: Once the Treatment is complete and the new control has been input to Sentinel, the Review Risk is updated to reflect the new Baseline risk.

5. REPORTING & REVIEW
5.1 Reporting risk events
Irrespective of whether the Corporation has incurred a negative consequence, should an event occur that could have triggered, or has triggered, an outcome of Minor or above, Corporation management must report the event to the Board.
Reporting of risk events is not limited to events described within the Risk Register.

5.2 Consequence Minor and Significant
Should a risk eventuate with an actual or potential consequence greater than or equal to Minor, the responsible Executive must include an appropriate description of the event, and of the adequacy of our Risk Management System to mitigate the event, as a report within the next available Board agenda.

5.3 Consequence Major and Catastrophic
The occurrence of any event with an actual or potential Major or Extreme consequence must be reported immediately to the Board by the Managing Director, and this report must also incorporate an assessment of the adequacy of the Corporation's Risk Management System.

5.4 Potential consequence
Reporting of risk occurrence for potential consequence captures those events that have occurred, but where the outcome was mitigated (either via organisational controls or good fortune). Reporting these near-miss events aids the Corporation's ongoing evaluation of the Risk Management System.

5.5 Board Committee reporting
In order that the Board can monitor Risk Management performance, the Audit & Risk Policy Committee charter determines that the Committee will assign individual risks to a Board Committee. As required, the Chair of each respective committee will schedule Risk Presentations from management. These presentations will follow a consistent format, as approved from time to time by the A&RPC.

5.6 Reporting to the Managing Director
Co-ordinated by the Risk Co-ordinator and supervised by the Executive Risk Committee, a Risk Management Exception Report will be provided for those risk events where the Sentinel record has been amended for:
- Any change to the risk rating of existing risks;
- Any new risks;
- Any completed milestones;
- Any new milestones; or
- Any new controls.
In addition, detailed risk reporting is provided for any risk:
- Not Accepted;
- Where a treatment has been deferred; and
- Where a treatment is outstanding.
For each reported instance, detailed information is provided from Sentinel using the Management summary report.

5.7 Audit & Risk Policy Committee reporting
In order that the Audit & Risk Policy Committee can consider the performance of Risk Management within the Corporation, reporting to the Committee consists of:
5.7.1 Executive Risk Committee
Minutes of all Executive Risk Committee meetings will be tabled at the following A&RPC meeting.
These minutes will include a copy of all detailed risk reporting provided to the Managing Director for those risks not reported to Board Committees.
5.7.2 Balanced Scorecard report
The most recent Balanced Scorecard report for any risk-related objective (at May 2011 recorded as "Manage Risks Well") will be presented to the Committee for consideration.

5.8 Managing Director Risk Attestation
At each scheduled meeting of the Board, and in respect of key risks only, the Managing Director will advise the Board:
a. If a risk has occurred;
b. If a risk has been re-assessed to a lower (or higher) rating; and
c. Of any significant change that has been made to the management / mitigation strategies of a risk.
A key risk is any event with a Catastrophic or Major inherent consequence.

5.9 Annual Review
5.9.1 Annually, on or about 28 February, the Risk Co-ordinator will distribute to all Corporation supervisory and management staff a summary and detail report of all Risks recorded by Sentinel.
5.9.2 By the April Audit & Risk Policy Committee meeting, the Executive Risk Committee will have considered these summary and detail reports so that an Annual Risk Review can be considered by the Committee, and then the Board, for the year ending 31 March.
5.9.3 The reports forming the Annual Risk Review will include, but are not limited to:
a. The summary schedule of risks recorded by Sentinel;
b. New risks recorded since the last Annual Risk Review;
c. Changed circumstances, including technological or legislative developments, that may have affected existing risk ratings. All amendments to a Baseline rating since the last Annual Risk Review will be reported by the Review; and
d. Occurrence of actual and potential risk events since the last Annual Risk Review.
Prior to submission of the report to the Committee, any revisions to Sentinel during the preceding 12 months must be Accepted by the Managing Director, as demonstrated to the Committee by the Managing Director's authorisation of the Annual Review.
5.9.4 The Annual Risk Review is provided to the Board at the next scheduled Board meeting.

6. SPECIAL ARRANGEMENTS FOR PROJECTS AND HEADWORKS
6.1 Special arrangements for significant projects
Several characteristics relating to projects warrant a variation to their Risk Management compared to the on-going risks associated with our businesses.
Risk characteristics of projects typically include:
- an evolving understanding of the risk and control measures as the project progresses;
- a very wide range of inter-related risks that can directly impact on several businesses;
- a risk exposure that only exists during the project; and
- the option to completely avoid the risk by abandoning the project or by deferring it to a more preferred time.
The proposed arrangement for project Risk Management, which accounts for its more dynamic and inter-related nature, is to require the project manager to undertake a risk assessment and to prepare a Risk Management plan at key stages of the project. The plan would require CE approval prior to proceeding to the next stage. Key stages for projects would vary but typically would include the following: project proposal, conceptual design, detailed design and pre-tender. Given the relatively short duration of projects and the evolution of risk understanding during their cycle, we will manage these risks as part of the general project management requirements. Consequently these risks would fall outside the RMS and have separate reporting arrangements. The RMS would include the controls on managing risks for major projects.

6.2 Special arrangements for headworks
Several aspects of Risk Management for headworks set it apart from our other responsibilities. Very well established, detailed, conservative and prescriptive processes developed by the Australian National Committee on Large Dams (ANCOLD) cover the assessment of dam failures resulting from earthquakes or extreme flood events. There is a clear expectation that dam owners should comply with these guidelines to demonstrate compliance with their duty of care. Consequently, we plan to continue to manage the earthquake and flood event risks in accordance with the ANCOLD guidelines. The RMS would cover all other headworks risks, including the downstream impact of floods and damage (but not destruction) to Headworks structures and ancillary equipment.
Table 1: Consequence criteria

Consequence areas (the columns of the original table, listed in order; "Proposed" marks columns so labelled on the page): People (Proposed); Environment; SRW Reputation (ministerial action); SRW Reputation (breach/fine); SRW Reputation (media coverage, Proposed); SRW Finances (recurring expenditure); SRW Finances (non-recurring losses); Customers (allocation shortfall); Customers (service interruption, Proposed); Third-party Assets.

5 Catastrophic
- People: Fatality or multiple fatalities
- Environment: Extensive and long-term impact on the environment
- SRW Reputation (ministerial action): Ministerial abolishment of enterprise
- SRW Reputation (breach/fine): Breach resulting in a fine > $2.5M
- SRW Reputation (media coverage): (none listed)
- SRW Finances (recurring expenditure): Recurring expenditure > $25M
- SRW Finances (non-recurring losses): Non-recurring losses > $250M
- Customers (allocation shortfall): Severe & recurring shortfall on announced allocation for major system
- Customers (service interruption): Widespread and prolonged interruption to service resulting in customer financial failure
- Third-party Assets: Expenditure and losses > $25M

4 Major
- People: Permanent disability; loss of limb or severe illness
- Environment: Significant and long-term impact on the environment
- SRW Reputation (ministerial action): Ministerial removal of Board
- SRW Reputation (breach/fine): Breach resulting in a fine > $250,000
- SRW Reputation (media coverage): Prolonged adverse nationwide media coverage
- SRW Finances (recurring expenditure): Recurring expenditure > $2.5M
- SRW Finances (non-recurring losses): Non-recurring losses > $25M
- Customers (allocation shortfall): Substantial shortfall on announced allocation for major system
- Customers (service interruption): Substantial interruption to service resulting in significant customer financial loss
- Third-party Assets: Expenditure and losses > $2.5M

3 Significant
- People: Major injury requiring long-term hospitalisation
- Environment: Noticeable long-term impact on the environment
- SRW Reputation (ministerial action): Ministerial removal of Chair
- SRW Reputation (breach/fine): Breach resulting in a fine > $25,000
- SRW Reputation (media coverage): Adverse statewide media coverage
- SRW Finances (recurring expenditure): Recurring expenditure > $250,000
- SRW Finances (non-recurring losses): Non-recurring losses > $2.5M
- Customers (allocation shortfall): Significant shortfall on announced allocation for major system
- Customers (service interruption): Significant interruption to service
- Third-party Assets: Expenditure and losses > $250k

2 Minor
- People: Injury resulting in minor hospitalisation
- Environment: Systematic but relative impact on the environment
- SRW Reputation (ministerial action): Ministerial reprimand of Board
- SRW Reputation (breach/fine): Breach resulting in a fine > $2.5k
- SRW Reputation (media coverage): Adverse regional media coverage
- SRW Finances (recurring expenditure): Recurring expenditure > $25k
- SRW Finances (non-recurring losses): Non-recurring losses > $250,000
- Customers (allocation shortfall): Systematic but relatively minor shortfall on announced allocation
- Customers (service interruption): Systematic but relatively minor interruption to service
- Third-party Assets: Expenditure and losses > $25k

1 Minimal
- People: Injury not resulting in hospitalisation
- Environment: Minor and isolated impact on the environment
- SRW Reputation (ministerial action): DES Secretary reprimand of CE
- SRW Reputation (breach/fine): Non-judicial sanction
- SRW Reputation (media coverage): Adverse local media coverage
- SRW Finances (recurring expenditure): Recurrent losses greater than $2.5k
- SRW Finances (non-recurring losses): Capital losses greater than $25k
- Customers (allocation shortfall): Minor and isolated shortfall on announced allocation
- Customers (service interruption): Minor and isolated interruption to service
- Third-party Assets: Expenditure and losses > $2.5k