Risk Management Policy. Corporate Governance Risk Management Policy


Corporate Governance Risk Management Policy Approved by the Council of Ministers, May 2006

1. Background

The Isle of Man Government is working to promote better risk management, with emphasis on the importance of improving the way risk is managed. Risk management is a key aspect of the Corporate Governance Principles and Code of Conduct, which aims to improve governance practices across the spectrum of Government activities.

Chief Executives are accountable for their Department and for its risk management; however, a framework of senior level delegation is essential if risk management is to be effective. The most effective risk management emerges when ownership of any key risk is allocated to a senior manager, the Risk Owner. Without ownership being assigned at an appropriate level, responsibility and authority for implementing control actions will not be clear.

The reporting mechanism will require Departments to produce, on an annual basis, a Statement of Internal Control; collectively those statements will provide an assurance, or otherwise, to the Chief Financial Officer, who will report corporately, providing a Statement on behalf of Government. Risk Management must be included as an integral component of the Business Planning and Performance Management process.

2. Purpose and Scope of the Policy

To set out the requirements, as defined in the Corporate Governance Principles and Code of Conduct, to be met by Departments in the development and implementation of management systems for the purpose of the identification, evaluation and control of risk. The management of risk will extend to cover both strategic and operational risks that may have an impact on any of the business activities and objectives set by Government.

3. Policy Statement

It is the policy of Isle of Man Government to have a consistent, structured approach to the effective management of strategic and operational risks. The approach should address those risks which are identified during the development and implementation of aims and objectives for the Government Business Plan. The responsibility for the application of the structured approach and delivery of the effective management of strategic and operational risk lies with the Chief Executive Officers of all Departments of Government, both individually and collectively.

Overview

Risk management is an integral part of the management process and needs to be embedded in the culture of every Government organisation, integrated into job descriptions, performance objectives, and all aspects of strategic and operational activities. It is essential that all members of staff are aware of their role in the management of risk to an acceptable level. In addressing issues relating to risk, Departments need to be transparent and open and seek to identify and address all areas where there is need for improvement in risk management.

4. Definitions

Risk Management: The logical and systematic method of identifying, analysing, evaluating, treating and monitoring risks in a way that will enable the organisation to meet its objectives, minimise losses and maximise opportunities.

Risk: The possibility of undesirable events occurring that might prevent or impact upon the achievement of a Department's business objectives. The impact can be a threat to the delivery of the objectives or a missed opportunity.

Strategic Risk: Any risk which has a direct impact on the achievement of the overall objectives of a Department, or which cuts across operational/divisional boundaries, as opposed to risks that impact on any discrete part of the organisation.

Operational Risk: Any risk that impacts on the achievement of operational or divisional objectives and impacts on a discrete part of the organisation.

Risk Register: A composite, prioritised list of the identified and evaluated risks outlining their likelihood and potential impact, including an action plan to manage or contain each risk to acceptable levels.

Risk Owners: The Senior Managers responsible for the area that the risk will impact on most, or who have been assigned responsibility for the risk by their Chief Executive Officer.

Action Owners: The managers to whom the Risk Owner has delegated responsibility for the on-going control, monitoring and status reporting in accordance with the internal arrangements.

5. Leadership and Commitment

Chief Executive Officers have overall responsibility for delivering an effective risk management strategy. To this end they should:

- Develop and maintain a Risk Management System within their Department.

- Review and monitor identified risks with nominated Risk Owners and Action Owners.
- Provide general risk awareness within Departments, including any mentoring that may be required.
- Oversee the operation of the Risk Management Policy and ensure it is up to date by regular review.
- Ensure that Departmental political members are aware of the Government Risk Management Policy and their Department's Risk Register, in order that they can consider the extent and types of risk that it is acceptable for the Department to bear.
- Ensure that all staff are involved in the risk management process.

The Risk Management Policy will apply to all staff and must be included in staff induction material and training. Staff more directly involved in the risk management process by virtue of their job role will have responsibility for managing individual risks allocated to them. This responsibility will include the signing of an annual statement of control report indicating that any identified risks for which they are assigned as Risk Owner have been monitored and controlled. Their risk management responsibilities will be included in their job descriptions and performance objectives.

6. Risk Management System

6.1 Identification

Departments must develop strategic and operational risk registers which cover areas of risk such as:

- Anything that could impact on the reputation of the Department or Government and could undermine stakeholders' confidence in it.
- Any influence, external or internal to the organisation, that poses a threat to the achievement of corporate or departmental objectives.
- An inability to respond to or to manage changed circumstances in a way that prevents or minimises adverse effects on the delivery of objectives.

- Failure to take opportunities to deliver better and more effective services, programmes or projects.
- Failure to comply with legislative requirements covering employment, health and safety and the environment.
- Failure to guard against impropriety, malpractice, waste or poor value for money.
- Failure to develop and manage human resources to meet changing corporate and departmental objectives.

To ensure that the exercise is comprehensive and focuses on the key activities of the Department, all staff must understand the aims and objectives of the process and be involved in the production of the risk register.

6.2 Evaluation

The identification of risk needs to be followed by an evaluation of the impact that risk may have on the delivery of objectives. It is therefore important to use a process that measures impact and likelihood consistently and enables the development of a hierarchy of risk for the registers. Without this consistent approach the comparison of risks and the allocation of resources to manage them become more difficult and the outcomes less measurable. The detail required on the range of risk will depend on the complexity of the department and its risks. If risk is not evaluated appropriately then establishing the hierarchy meaningfully will be problematic and there will be clusters of risk that cannot be prioritised.

The adoption of the model given below will enable the consistent evaluation of risk, for the purposes of the registers, across government. Other specialist areas such as assessing clinical risks, health and safety, or construction and design project risks may require alternative risk matrices in accordance with recognised best practice.

6.3 Risk Evaluation Matrix

Each cell is the impact multiplier multiplied by the likelihood multiplier; the product is the overall risk rating used in the Management Action Guide below.

Impact (severity)   Multiplier |  Likelihood multiplier
                               |  1      2         3          4        5
                               |  Rare   Unlikely  Possible   Likely   Almost Certain
Fundamental              5     |  5      10        15         20       25
Major                    4     |  4       8        12         16       20
Moderate                 3     |  3       6         9         12       15
Minor                    2     |  2       4         6          8       10
Insignificant            1     |  1       2         3          4        5

Management Action Guide (Overall Risk Rating, Key, Management Action):

- High Risk, Severe (20-25): Unacceptable level of risk exposure which requires immediate corrective action to be taken.
- High Risk, Major (12-16): Unacceptable level of risk exposure which requires constant active monitoring and measures to be put in place to reduce exposure.
- Medium Risk, Moderate (5-10): Acceptable level of risk exposure subject to regular active monitoring measures.
- Low Risk, Minor (3-4): Acceptable level of risk exposure subject to regular passive monitoring measures.
- Low Risk, Insignificant (1-2): Acceptable level of risk exposure subject to periodic passive monitoring measures.

Further consideration should be given to the level of control that can be achieved over the risk. This should be demonstrated in terms of classification under the following headings:

- Within our Control: a risk the department can directly control or manage.
- Within our Sphere of Influence: a risk we can partly control or manage, or one where we can influence how it is controlled or managed.
- Within Corporate Control/Responsibility: a risk that can be controlled or managed within Government and which impacts on other Departments.
- Outside our Control: a risk over which there is no departmental or government control.

6.4 Managing and Controlling Risk

Having identified and evaluated the risks, and documented them on the risk registers for strategic and operational risks, the arrangements for managing the risks need to be in place. These arrangements cover the allocation of duties and responsibilities for the management of the risks to key personnel, as well as taking the management actions to control the specific risks.

In broad terms the actions taken to control risk fall into four categories, classified as treat, tolerate, terminate or transfer. The categories for controlling risk are explained as:

- Treat involves taking action to reduce the risk by lessening the impact. This can involve improved procedures or training, investing in new equipment, changing legislation, etc.
- Tolerate involves accepting the risk and its impact as it stands, that is, self-insuring or deciding to cover any losses. Risks we have failed to identify are classed as being tolerated without knowledge.

- Transfer involves deciding to pass the risk, or the costs of its impact, outside the organisation, that is, contracting out the risk or taking out insurance to cover the costs of the impact.
- Terminate involves deciding to eliminate the risk by ceasing the activity or the pursuit of the objective that presents the risk.

Allocation of duties and responsibilities to key personnel, and awareness among all staff within the organisation, is important in ensuring the risk management process is followed and becomes part of the overall performance management and business continuity arrangements. This needs to cascade throughout the organisation and have appropriate reporting mechanisms for use within departments and across Government. The above arrangements are the minimum standards for compliance with Corporate Governance requirements, but departments may need to extend these duties and responsibilities to meet their internal needs.

7. Conclusion

The Department's Senior Management Team will deliver and maintain a Risk Management System within its Department. This will include coordination of the risk management processes described in this policy, for example maintaining risk registers and assessing progress with Risk Owners. This should provide the Chief Executive with risk updates and assess whether any decisions made could impact the existing processes. The SMT must provide a focus and reference point for staff concerns about risk matters.