Department of Finance
Implementing the Commonwealth Risk Management Policy – Guidance
2016
Resource Management Guide 211
Department of Finance
Commercial and Government Services
978-1-925205-46-6 (Print)
978-1-925205-45-9 (Online)
Copyright Notice
Content
This work is copyright and owned by the Commonwealth of Australia.
With the exception of the Commonwealth Coat of Arms, this work is licensed under a Creative Commons Attribution 3.0 Australia licence (CC BY 3.0).
This work must be attributed as: “Commonwealth of Australia, Department of Finance, Commercial and Government Services, ‘Implementing the Commonwealth Risk Management Policy – Guidance’”.
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the following website:
Contact us
Inquiries regarding the licence and any use of this work are welcome at:
Commercial and Government Services
Department of Finance
One Canberra Avenue, Forrest ACT 2603
Email:
Contents
Introduction
Policy Elements
Element one - Establishing a risk management policy
Element two - Establishing a risk management framework
Element three - Defining responsibility for managing risk
Element four - Embedding systematic risk management into business processes
Element five - Developing a positive risk culture
Element six - Communicating and consulting about risk
Element seven - Understanding and managing shared risk
Element eight - Maintaining risk management capability
Element nine - Reviewing and continuously improving the management of risk
Appendix
Appendix A - Glossary of terms
Appendix B - Examples of typical risk management roles and responsibilities
Introduction
Purpose of this Guide
This Guide provides practical advice to assist Commonwealth officials in implementing the requirements of the Commonwealth Risk Management Policy.[1]
The Guide is designed to be used as a learning resource and is not mandatory. It is important that entities develop risk management frameworks and systems that are tailored to the needs of their organisation. Entities may elect to adapt the concepts contained in this Guide to suit their specific needs or use alternative methodologies.
The mandatory elements of the Commonwealth Risk Management Policy are repeated in this Guide in the boxes at the beginning of each element.
What is risk management?
Risk is the effect of uncertainty on objectives. Risk is the possibility of an event or activity preventing an organisation from achieving its outcomes or objectives.
Risk management is the activities and actions taken to ensure that an organisation is conscious of the risks it faces, makes coordinated and informed decisions in managing those risks and identifies potential opportunities.
What are the benefits of risk management?
• improved ability to identify, evaluate, and manage threats and opportunities
• improved accountability and better governance
• better management of complex and shared risks
• improved financial management
• improved organisational performance and resilience
• confidence to make difficult decisions
• decreased potential for unacceptable or undesirable behaviours such as fraud and harassment.
[1] The Commonwealth Risk Management Policy and section 16 of the PGPA Act set out a framework that encourages Commonwealth entities to engage with risk, demonstrate innovative thinking and establish and maintain appropriate systems of risk oversight and internal control.
Policy Elements
Element one - Establishing a risk management policy
Commonwealth Risk Management Policy
An entity must establish and maintain an entity-specific risk management policy that:
a. defines the entity’s approach to the management of risk and how this approach supports its strategic plans and objectives
b. defines the entity’s risk appetite and risk tolerance
c. contains an outline of key accountabilities and responsibilities for managing and implementing the entity’s risk management framework
d. is endorsed by the entity’s accountable authority.
The key elements of an entity’s risk management policy
Overview of the approach to risk management
Entities are encouraged to include in their risk management policy a statement of intent to embed risk management into their decision making and performance management processes. The inclusion of a risk philosophy statement or key principles can be useful in conveying to officials the tone for risk management in the entity.
Risk appetite and tolerance
Risk appetite is the amount of risk an entity is willing to accept or retain in order to achieve its objectives. Risk appetite is usually set out in a statement or series of statements that describe the entity’s attitude toward risk taking.
Risk tolerance is the specific level of risk taking that is acceptable in order to achieve a specific objective or manage a category of risk. Risk tolerance represents the practical application of risk appetite and will be most effective when it is easily understood by all officials.
A risk appetite and tolerance statement provides officials with an understanding of the entity’s acceptable risk levels for all significant risk categories. In cases where risk appetite is low, this statement provides guidance to officials on what decisions they cannot make. Where the entity is prepared to take increased levels of risk, a statement reflecting this empowers officials to make acceptable risk-based decisions.
Risk tolerance statements often include quantitative measures to enable monitoring and review. For example, an entity with a low risk appetite for IT system outages may define their risk tolerance as no more than five days of system outages per annum.
While the inclusion of a risk appetite and tolerance statement in a risk management policy can be useful in setting the tone for risk taking in the entity, this may not always be practical due to the level of detail required. In such circumstances, it may be more practical to refer to it or link to other document/s detailing the entity’s risk appetite and tolerance.
Key accountabilities and responsibilities
While the accountable authority is ultimately responsible for maintaining systems of risk oversight, management and internal control, an entity’s risk management policy can be a useful means of communicating more specific risk management responsibilities to officials. Aside from those requirements set out in element three of the Commonwealth Risk Management Policy, think about what additional responsibilities and accountabilities you would like to communicate.
A statement noting that all officials in the entity are responsible for managing risk can be a useful way of communicating to staff that it is not just the risk management area that is responsible for managing risk.
Accountable authority endorsement
A key role of the policy is to provide a clear and meaningful mandate for the entity’s risk management framework. It is critical that the accountable authority understands and endorses the policy as this signifies to all officials the expectation that the policy is an essential part of their day-to-day work.
A written statement or personal message from the accountable authority (or senior leadership) that summarises the entity’s risk management policy can also effectively and clearly express the intentions and requirements of the organisation. The way in which such messages are distributed and publicised is also an important factor in how successfully risk management issues are communicated.[2] Options can include circulation through the entity’s internal network, publications such as newsletters, displays in corridors and lifts and making it available externally via the internet.
Practical tips
• Undertake regular reviews to ensure the entity’s risk management policy and risk appetite remain aligned with risk processes.
• Link the entity’s risk management policy to other elements of the risk management framework such as more detailed procedures and guidance material.
• Include a visionary statement in the risk management policy that includes what the entity is seeking to achieve through good risk management and key goals for the risk management program in the future.
[2] Standards Australia, SA/SNZ HB 436:2013 Risk Management Guidelines – Companion to AS/NZS ISO 31000:2009, p. 31.
Element two - Establishing a risk management framework
Commonwealth Risk Management Policy
An entity must establish a risk management framework which includes:
a. the overarching risk management policy
b. an overview of the entity’s approach to managing risk
c. how the entity will report risks to both internal and external stakeholders
d. the attributes of the risk management culture that the entity seeks to develop, and the mechanisms employed to encourage this
e. an overview of the entity’s approach to embedding risk management into its existing business processes
f. how the entity contributes to managing any shared or cross-jurisdictional risks
g. the approach for measuring risk management performance
h. how the risk management framework and entity risk profile will be periodically reviewed and improved.
i. The risk management framework must be endorsed by the entity’s accountable authority.
Designing a risk management framework
A risk management framework is a set of components that support the consistent and systematic management of risk in an entity. Each entity needs to determine its own risk management framework that is the best fit for the entity’s purpose, structure and size.
An entity’s risk management framework is most effective when it is aligned with other business processes. Key amongst these include the entity’s:
• corporate plan
• management and decision making
• governance and assurance arrangements
• change and business improvement programs
• operational program planning, management, and reporting requirements.
While a risk management framework sets the foundation for risk management, it is the entity’s risk culture that will ultimately determine how effective it is in changing the behaviour of officials.
The key attributes of a good risk management framework
• It is fit-for-purpose and tailored to the needs of the entity.
• It is well understood, consistently applied, integrated and centralised across the entity.
• It details the required actions for designing, implementing, monitoring, and reviewing risk management in the entity.
• It is used by officials as part of their day-to-day decision making.
There is no standard format or structure for a risk management framework. The nature of the work carried out by each entity will determine the design and sophistication of its risk management framework. However, framework elements used by many entities include those illustrated below.
[Figure: typical risk management framework elements]
• Risk Management Policy, comprising an overview of the entity’s approach to risk management, risk appetite and risk tolerance, and key accountabilities and responsibilities
• Embedding Risk Management
• Management of Shared and Cross-Jurisdictional Risks
• Risk Management Reporting
• Measuring Risk Management Performance
• Risk Review and Evaluation
• Positive Risk Culture
Practical tips
• Include a document map in the risk management framework to clarify and differentiate between policy, guidance and process documents. This avoids confusion.
• Structure documents into a logical hierarchy, separated into strategic and operational level guidance.
• Provide training and ongoing support to officials so that they are aware of, and understand, the entity’s risk management framework.
• Make it easy for officials to access the framework content, for example, through the entity’s intranet and other internal networks.
• Review and update the entity’s framework promptly after restructures or changes in operating environment.
• Regularly review the entity’s risk management framework to ensure that all classes or categories of risk to which the entity may be exposed are being considered and managed.
Element three - Defining responsibility for managing risk
Commonwealth Risk Management Policy
Within the risk management policy, the accountable authority of an entity must define the responsibility for managing risk by:
a. defining who is responsible for determining an entity’s appetite and tolerance for risk
b. allocating responsibility for implementing the entity’s risk management framework
c. defining entity roles and responsibilities in managing individual risks.
Key responsibilities for managing risk
Responsibility for determining risk appetite and tolerance
This may include:
• the person who is ultimately responsible for determining risk appetite and tolerance (usually the accountable authority working with the senior executive)
• specific responsibilities for developing, approving, monitoring and adjusting an entity’s risk appetite and tolerance.
Responsibility for implementing the risk management framework
This may include:
• design
• publication
• review of the entity’s risk management framework.
These responsibilities will be most effective where they are clearly defined, effectively communicated and assigned to a specific person or team.
Responsibility for managing individual risks
Responsibilities that may be defined include:
• Risk owners. Accountable for managing a particular risk.
• Control owners. Responsible for maintaining the effectiveness of measures to modify risk.
• Risk treatment owners. Responsible for implementing strategies in cases where the risk level is unacceptable after controls are applied.
Guidance can be provided on how to discharge these responsibilities and how risk and control owners can best interact so that risks are actively managed within agreed tolerances.
Entities are encouraged to include a statement in their risk management framework that all officials at all levels of the entity are responsible for managing risk. These responsibilities include risks within an individual’s area of control and whole-of-entity and shared risks.
Examples of some typical risk management responsibilities can be found at Appendix B.
Practical tips
• Document the entity’s risk processes, including guidelines, so that the accountable authority and all other senior officials understand their responsibilities for overseeing the entity’s risk management processes and key risks.
• Ensure that officials understand any business risks that they own, how these risks relate to and may impact on the entity’s enterprise risks, and their roles in managing risk.
• Develop clear and consistent risk register templates which, when completed, make the risk management responsibilities of each official clear and easily updated as required.
• Make risk management a key competency and responsibility of all officials. Incorporate risk management responsibilities into job descriptions, duty statements and performance agreements.
Element four - Embedding systematic risk management into business processes
Commonwealth Risk Management Policy
Each entity must ensure that the systematic management of risk is embedded in key business processes.
Opportunities to embed risk management
Successfully embedding risk management into an entity’s business processes is challenging and thought provoking. It requires an approach tailored to the entity’s corporate objectives, operating environment and context. A useful approach to embedding risk management can be to establish short and long-term plans for embedding risk management. These can then be communicated to key stakeholders.
Embedding risk management takes time, but there are a number of opportunities to achieve quick wins in the following areas:
• Governance. An entity’s governance function has a number of key risk management roles. These include helping to integrate risk management into strategy, establishing risk appetite through the entity’s risk management policy, defining risk management roles and responsibilities, benchmarking, and reviewing how risk is managed within the entity.
• Corporate planning. Assessing and managing an entity’s enterprise risks is an integral part of an entity’s corporate planning framework. An entity’s strategic objectives can be the starting point of any risk identification process.
• Change management. Change management policies and instructions may include the requirement for a risk assessment of all significant change activities.
• Projects and programs. Project and program implementation involves constantly identifying and managing risk, such as shared risk in complex projects and risk interdependencies between projects. This could allow individual project risks to be aggregated to provide a program and portfolio view.
• Audit and assurance programs. Clearly understanding an entity’s risk profile enables the prioritisation of an entity’s audit and assurance activities. The outcome of internal and external audit activities may influence the design of an entity’s control framework.
• Organisational resilience. Increasing organisational resilience allows entities to resist being affected by an event or increases their ability to return to an acceptable level of performance in an acceptable period of time after an event has occurred.[3]
Alignment with specialist risk categories
Specialist risk categories often have their own legislation, standards, compliance and reporting obligations. Entities may also have specialist programs and processes including:
• business continuity and disaster recovery
• fraud control
• workplace health and safety
• protective security.
While a specialist program may lead to an increased focus and management of these risks, specialist programs may benefit from being connected to the entity’s overarching risk management framework to ensure consistency. This can be achieved by adopting common terminology and processes across all programs.
Practical tips
• Use the entity’s risk management policy and its accountable authority instructions to link the risk management framework to other corporate frameworks and processes.
• Reflect the entity’s risk appetite and tolerances in the entity’s internal control framework and delegation arrangements in areas such as finance, procurement, business continuity and human resources.
• Assist business unit owners to embed risk management into their activities by providing common risk tools and templates that can be incorporated into their documents and processes.
• Use changes or restructures in the entity as an opportunity to embed risk management in business processes or functions.
• Include easy-to-use risk management tools and templates into corporate and business planning documentation and processes.
• Communicate quick wins as soon as they occur. Highlight how embedding risk management into business processes resulted in innovative outcomes or other benefits to the organisation through identifying and treating risks.
[3] ASIS SPC.1-2009 American National Standard, Organisational Resilience: Security, Preparedness and
Element five - Developing a positive risk culture
Commonwealth Risk Management Policy
An entity’s risk management framework must support the development of a positive risk culture.
Characteristics of a positive risk culture
A positive risk culture exists in an entity when officials understand the risks facing their entity and consistently make appropriate risk-based decisions. A poor risk culture is often evidenced by officials being ignorant of the entity’s risks, being excessively risk averse or overconfident.
A positive risk culture generally includes the following attributes:
• leaders, managers and supervisors consistently and positively demonstrate and discuss the importance of managing risk appropriately
• the entity’s risk management framework is integral to its operating model
• officials are comfortable talking openly and honestly about risk, using commonly understood risk terms and language
• officials understand and agree the need and value of effective risk management
• officials own and manage risk and proactively seek to involve others as appropriate
• officials own and manage complex and shared risks with others
• incentives reinforce appropriate risk-related behaviour
• officials are comfortable raising concerns with authority figures and those being challenged respond positively
• the entity has a supportive environment for escalating risk issues with the senior executive.
Why is a positive risk culture important?
Culture is more than just complying with your entity’s risk management framework. The behaviours and attitudes to risk are just as important as the framework.
Decisions are often made, and risks managed, without complete information, with inadequate resources and against competing priorities. In these circumstances a strong risk culture will support the proper management of risk.
How to influence risk culture
A brief description of the influencers of risk culture, and some examples of desirable and detrimental risk behaviours, are provided below.
Risk competence: the collective risk management competence of the entity
Desirable behaviours:
• Proactive sharing of best practice
• Consulting with others often
Detrimental behaviours:
• Reluctance to learn from past mistakes
• Following the herd
Organisation’s risk environment: how the organisational environment is structured and what is valued
Desirable behaviours:
• Adhering to risk management policies, processes and procedures
• Listening to others
• Involving risk professionals in important risk decisions
Detrimental behaviours:
• Reluctance to escalate risks
• Minimising risks, optimism bias
• Cutting corners
Motivation: the reasons why people manage risk the way that they do
Desirable behaviours:
• Innovating and changing poor practices
• Taking personal accountability for managing risks
• Admitting to making mistakes
Detrimental behaviours:
• Shooting the messenger
• Avoiding responsibility
• Rewarding excessive risk taking
Relationships: how people in the entity interact with others
Desirable behaviours:
• Open and honest dialogue regarding risks
• Constructive response to challenge
Detrimental behaviours:
• Inadequate challenge of excessive risk taking
• Yielding to inappropriate pressure from others
In determining the risk behaviours they will display, officials are often guided by the accountable authority and the entity’s executives. Key elements include:
• Role models. Influential individuals who lead by example. The risk management behaviours they display guide others. It can be useful to assign accountability of the entity’s risk culture to a visible senior executive sponsor.
• Explicit messages. During recruitment and induction, and throughout their careers, officials are provided with many instructions and guidelines that will influence how they view and manage risk.
• Incentives. The manner in which officials are rewarded and recognised. How these incentives take into account risk management behaviours will indicate how risk management is valued.
• Symbols and actions. The daily actions of leaders will be noted by officials and mirrored.
Measuring risk culture
It may take years for an entity to develop and maintain a positive risk culture. An entity’s risk culture can be monitored and formally assessed through staff surveys or consultations.
Practical tips
• Identify and prioritise key behaviours to influence and shape a positive risk culture.
• Encourage all officials in management roles to communicate regularly with their teams about the value of good risk management.
• Identify and connect a network of risk champions across the entity that can encourage positive risk behaviours through their role, personal experience or reputation.
• Reward and recognise positive risk management behaviour both publicly and through the entity’s performance management processes. Positive reinforcement of successful risk management approaches and outcomes maintains momentum and promotes good risk management practices.
• Where an entity accepts an optimal level of risk, this may result in that risk being realised. Treat these events as opportunities to review, learn and improve the management of similar risks.
• In establishing a more positive risk culture, focus on changing attitudes and behaviours rather than just implementing new policies and procedures.
• A positive risk culture is not a single activity. Prioritise the key risk management behaviours you wish to change and implement practical measures to influence and shape these first.
Element six - Communicating and consulting about risk
Commonwealth Risk Management Policy
Each entity must implement arrangements to communicate and consult about risk in a timely and effective manner to both internal and external stakeholders.
How to communicate risk
Communicating risk information with stakeholders is important, as it maintains confidence and trust and develops a common understanding of the entity’s risks. External stakeholders such as ministers, other government entities, suppliers and the wider community may need an opportunity to communicate their views and feel involved in decision making where appropriate.
Develop a risk communication plan
A risk communication plan can be an effective way of documenting an entity’s approach to communicating risk. When developing a risk communication plan, consider both external and internal reporting requirements. To minimise duplication, risk information provided in corporate reporting may be used to inform senior executives when completing annual reporting tasks.
A risk communication plan can be tailored for each individual entity and may include information on:
• the attitude and approach to managing risk
• the risk profile
• individual risks
• specific control responsibilities.
An entity’s risk profile is a key tool for informing senior executives and stakeholders on the priorities and management of risk and may be developed at a corporate level as well as at business unit and branch levels. Clear communication of the entity’s risks relies on developing quality risk profiles that provide a complete view of key risks.
Build a culture of open risk communication
All officials are responsible for communicating risk and sharing risk information within the entity and with external stakeholders as appropriate.
Open communication requires time to develop and relies on officials acknowledging that good risk communication provides an opportunity to innovate and improve performance.
As part of effective communication, entities are encouraged to provide regular, candid briefings on key risks, threats and opportunities. Where appropriate, significant issues can then be escalated to the accountable authority and/or minister.
Consider communication requirements
Entities are encouraged to use risk communication to identify, assess and provide information on the monitoring of risks against the corporate objectives of the entity. This may be aligned with other reporting frameworks.
When communicating about risk, ask yourself the following questions:
• What needs to be communicated?
• Who needs to know?
• What is the timeframe?
• Will terminology be an issue?
• What is the most acceptable format when presenting information?
• What analysis has been performed to provide robustness to the data?
• What follow-up action is needed?
Risk communication is critical to ensure that the entity’s risk management processes are consistently implemented at all levels. Operational risk reporting to senior executives is most effective when it occurs at regular intervals throughout the year.
Practical tips
• Tailor the structure and content of risk reports for the audience, the nature of the risks being reported and the circumstances.
• Develop templates for risk assessments that capture enough information to support the risk assessment process.
• Work with key stakeholders to share risk processes and terminology and standardise these as much as possible.
• Be flexible in adopting strategies to communicate risk information to officials. Examples include internal entity news, policy awareness programs, internal risk forums and newsletters, a risk management intranet page, questionnaires and surveys, participation in webinars, facilitated workshops, focus groups, external working groups and forums.[4]
• ‘Dashboards’ which highlight areas of concern or opportunity can quickly and effectively convey information to senior executives to enable them to focus on key issues.
[4] AS/NZS Handbook 327-2010, Communicating and Consulting about Risk, provides further information about matters that need to be considered when planning communication and consultation.
Element seven - Understanding and managing shared risk
Commonwealth Risk Management Policy
Each entity must implement arrangements to understand and contribute to the management of shared risks.
Characteristics of shared risk
Shared risks are those risks that extend beyond a single entity, requiring high levels of cooperation between stakeholders to effectively understand and manage those risks. Stakeholders often go beyond government to include other partners, such as industry, the wider community and across jurisdictions.
Shared risk is a crucial element of program/policy delivery and failing to identify and manage these risks often impacts a broad range of stakeholders.
It is therefore important that entities, in collaboration with their stakeholders, cooperate to identify and manage risks, develop clear roles and responsibilities for managing these risks and agree to outcomes.
Aspects to consider in managing shared risk
Visibility of the risk. Proactive and comprehensive information exchange is essential to fully identify the nature and severity of risks, monitor their status and manage the potential realisation of risks.
Controls and treatments. Responsibility for implementing and managing specific controls and treatment programs may be allocated or dispersed across separate entities. This involves collaborative approaches to designing, deploying, monitoring and reporting the effectiveness of controls and treatments.
Exposure to consequences and effects. When a risk is realised, a shared risk may impact a number of entities and the wider community. Where practicable, entities are encouraged to establish mechanisms to appropriately share the burden of the risk exposure. This can be achieved through pooled or collaborative response capabilities, defining financial exposures explicitly in governance arrangements, or through agreeing integrated treatment plans.
Documenting the management of shared risks
Documenting shared risks is good governance, improves understanding of complex relationships and clarifies the extent of knowledge of shared risks at a point in time.
When defining how an entity manages shared risk, guidance to officials may include:
• a meaningful definition of shared risk in the entity’s risk management policy
• the concept of shared risk, and the arrangements for managing it, incorporated into project or program management frameworks and processes
• examples of shared risks that are relevant to the entity
• a list of those in the entity likely to be responsible for managing shared risk
• protocols for establishing mechanisms to collaboratively manage shared risks
• an identification of the mechanisms and protocols to be used for recording, monitoring and reporting on managing shared risk, both internally and externally.
Collaborative resilience
Common shared risks within the Commonwealth include risks which threaten the safety and security of entities and the services they provide. These may include natural disasters, acts of terrorism, and infrastructure or market failures. Significant opportunities exist for Commonwealth entities to collaborate in order to enhance their individual and collective resilience to such risks.
Entities are encouraged to work with stakeholders to better understand common threats, shared vulnerabilities and to optimise their collective ability to prevent, manage and recover from disruptive events. Communities of practice, peer entities or those in close proximity to one another can be formed to encourage this.
Practical tips
• Establish memoranda of understanding with partners to formalise an agreed understanding of responsibilities and expectations for managing shared risk.
• Develop shared risk registers and profiles with key partners and hold regular collaborative risk assessment workshops with representatives of these partners to encourage participants to look beyond their own entity’s view of the risk.
• Educate officials on their responsibility to identify and contribute to managing shared risks.
• The entity’s risk register and risk profile templates can be enhanced by documenting the controls and control owners for monitoring shared risk. For example, ensure that risk controls managed from outside the entity are noted and monitored.
• Ensure shared risks are linked to governance arrangements such as interdepartmental committees or established joint arrangements.
• Provide guidance to officials on opportunities to consider shared risk as part of contractual arrangements or the administration of grants.
Elementeight-Maintainingrisk managementcapability
CommonwealthRiskManagementPolicy
Eachentitymustmaintainanappropriatelevelofcapabilitytobothimplement
theentity’sriskmanagementframeworkandmanageitsrisks.
Determiningtheappropriatelevelofriskmanagement capability
Whendetermininganappropriatelevelofriskmanagementcapability,consider theseverityoftherisksbeingmanagedandtheimportanceorprofileofthe objectivestheymayaffect.Thelevelofriskmanagementcapabilityinanentity maybemeasuredagainstthepotentialcostoftherisks,shouldtheyberealised, andtheentity’sriskappetiteandtoleranceforthoserisks.
Maintaininganappropriatelevelofriskmanagementcapabilitydoesnot necessarilymeanowningitexclusivelyinanentity.ManyCommonwealthentities facecommonriskchallengesandcanthereforesharethespecialistcapabilities neededtomanagethem.Forexample,thespecialistexpertiserequiredto analyseparticularnaturesofriskcanbesharedbypeerentitiesascanthe lessonslearned.
Capabilitiesthatcanhelpanentitymanagerisk
Risksystemsandtools
Theriskmanagementframeworksandriskprofilesofentitieswillvarygreatlyin complexityandscale.Riskprocessesandtoolscanbetailoredaccordinglyand mayrangeincomplexityfromsimplespreadsheetstodedicatedenterpriserisk managementsoftware.
Someofthefunctionsprovidedbyrisksystemsandtoolsinclude:
•integratedstorageofriskinformationandriskprofiles
•analysisofriskinformation,includinganalyticssuchas‘causalfactor’
analysisandkeyriskindicatormonitoring
•riskinformationdisseminationandsharing,includingriskstatusreportsand riskandcompliancedashboards
•automationofriskprocessesworkflows.
Risksystemsandtoolswillbemosteffectivewhentheyareappropriatetothe entity’sneeds,wellmaintainedandcomplementedbytrainingandworkplace support.Iftheyareoverlycomplextheywillbeunderutilised.Iftheyare inadequate,theywillnotprovidethefunctionalitydesiredorsupportefficient workprocesses.
Peoplecapability
Buildingthecapabilityofanentity’sofficialsiscriticalasitensuresaconsistent approachtomanagingriskacrosstheentity.Equippingofficialstoeffectively manageriskmayinclude:
•clearlydefinedriskresponsibilitiesandaccountabilities
•riskcompetencyacquiredthroughlearninganddevelopment,mentoringand experience
•accesstorelevantcommunicationsandinformationaccess
•peersupportandcollaborationmechanisms
•riskmanagementaspartofthestaffinductionprogram
•ongoingriskmanagementtraining
•recognitionandreward
•riskmanagementbeingintegratedintoofficials’performanceagreements.
Learninganddevelopmentopportunitieswillbemosteffectivewheretheyare tailoredtothecurrentcompetencylevelofofficialsandtheriskmanagement requirementsoftheirrole.Theappropriatelevelofriskcompetenceamong officialswillvarysignificantlybetweendifferentrolesandlevels.
Toidentifytheentity’sriskmanagementtrainingneeds,entitiescan:
1. determineandcompiletheriskmanagementcompetencyrequirementsof theirworkforce
2. undertakeaskillsanalysistodeterminetheircurrentlevelofcapability.
Comparingthesewillprovideaclearunderstandingofcompetencyneedsin ordertodevelopaprioritisedlearninganddevelopmentprogram.
Managing risk information
Information on risk needs to be accurate and readily available to ensure that risks are successfully assessed, monitored and treated across the entity. Access to reliable risk information allows risk to be measured and communicated to both internal and external stakeholders.
Risk information will be most reliable where it is:
• based on established data sets or benchmarks
• consistent across the organisation
• unambiguous and provides a balanced view of the risk
• sufficiently enduring to allow comparison of risks over time
• generated and processed efficiently.
Building effective risk management processes
An entity’s risk manager, or risk management team, can support the development of good risk processes through:
• developing a fit-for-purpose risk management policy and processes in the entity
• supporting senior executives by coordinating, compiling and presenting clear and concise risk information able to be used in planning and decision making
• ensuring there are easily accessible systems and processes in place to enable all officials to systematically manage risk in their day-to-day work
• supporting business units to implement the risk management process
• ensuring risk management processes are applied consistently across the entity
• developing and implementing an appropriate risk communication strategy
• identifying the needs for skills development and specific training in risk management across the entity
• developing and maintaining a risk reporting framework to enable regular reporting of key risks, and the management of those risks, to senior management.
Practical tips
• Think holistically about the capabilities the entity needs to effectively manage risk including people, processes, systems, and information. Conduct a capability needs analysis to determine and prioritise risk management capability gaps.
• Provide appropriate risk and risk management awareness training to officials both initially and on a regular basis as a refresher. Include an overview of the entity’s risk management framework in the induction program and highlight the capabilities officials can draw on to help them manage risk.
• Identify, train and connect risk champions drawn from diverse parts of the entity. These champions can help spread risk management good practice and influence behaviours.
• Identify opportunities to develop skills through more informal learning methods such as regular lunchtime discussion sessions or opportunities for people to learn through practical experience.
• When considering the acquisition or development of risk tools or systems, ensure the entity identifies a fit-for-purpose solution.
• Share case studies and lessons learnt based on previous experiences in the entity wherever possible.
Element nine - Reviewing and continuously improving the management of risk
Commonwealth Risk Management Policy
Each entity must review its risks, its risk management framework and the application of its risk management practices on a regular basis, and implement improvements arising out of such reviews.
Reviewing the management of risk
As an entity’s environment, objectives and capabilities change over time, so do its risks, its risk appetite and its exposure to existing risks. To ensure new risks are identified, and existing risks remain appropriately managed, entities need to continuously review their risk management framework and the risks being managed.
Effective risk management programs require regular review and evaluation mechanisms, both formal and informal. These mechanisms indicate whether the entity’s approach to risk management is consistent with its objectives, ensure that the risk management framework is continuously improved, and ensure that good risk management practice is recognised and rewarded. They also provide assurance to the accountable authority on the efficiency, effectiveness and relevance of the entity’s approach to risk management.
To assess the performance of an entity’s risk management framework, three key aspects can be considered:
• Value add. The degree to which risk management is contributing to the achievement of the entity’s objectives and its effectiveness in identifying and managing risk.
• Maturity. Whether the risk management framework is fit for purpose for the entity and represents the appropriate application of better practice.
• Compliance. The extent and the consistency of the application of the risk management framework in practice across the entity.
Reviewing an entity’s approach to managing risk, and the performance of its risk management framework, has four key steps:
1. review the entity’s risk management framework
2. review compliance with and the application of the framework
3. review the entity’s risk profile
4. review individual risks and the controls that are in place to manage them.
How to review the risk management program
Ongoing review and evaluation of an entity’s risk management framework, program and practice occurs at three levels:
1. Regular checking and monitoring
2. Management review
3. Independent review
Level one – Regular checking and monitoring
The first line of responsibility for managing risk is the day-to-day decisions of officials in all roles and at all levels. Accordingly, this is where the first line of review also lies. Individuals will choose to accept or reject risks on a given day for a variety of reasons – some appropriate and informed, and some not.
A process of ongoing discussion about risk, and work group and peer moderation, is important to ensure a consistent approach.
Relevant issues for consideration include the accuracy and effectiveness of the risk register, whether the consequences and impact levels of individual risks are still relevant, and the effectiveness of controls and treatments.
Level two – Management review
Reinforcing the Level One review, management review of both risk assessment and controls forms the next level of review. Management review of these decisions, behaviours and actions fulfils two roles simultaneously:
• monitoring, correcting errors or misjudgments
• building risk management capability, competence and confidence.
To fulfil this role effectively, managers are encouraged to understand the context, objectives and business of the entity, its risk management framework, and its risk appetite and tolerances.
These reviews will be most effective when they are regular and seen as routine, and undertaken on a programmed basis. Reviews may be planned to target high risk processes, but also sample broadly across the entity and its service providers. Where issues are identified, determine if they are specific to an individual risk or risk decision maker, or systemic in the entity.
Once determined, the issue is addressed with findings and corrective actions documented.
Level three – Independent review
Independent reviews, such as audits, can provide a level of assurance that a comprehensive risk management framework and process is in place and implemented effectively.[6]
Independent review also brings a fresh perspective, and can identify where an entity’s framework lacks alignment with its organisational objectives, opportunities for improvement in processes, and instances of non-compliance.
Independent reviews can be useful in identifying opportunities to enhance consistency across the entity including more effective ways of managing similar risks, or categories of risk, from an entity-wide perspective.
[6] Advice on the scope and planning of audits and other forms of assurance is given in HB 158-2010 Delivering Assurance Based on ISO 31000:2009, Risk Management Principles and Guidelines.
Practical tips
• Establish a rigorous process of ‘near miss’ or incident reporting, analysis and review. This allows an entity to share lessons learnt dealing with issues, crises, problems and successes.
• Review the entity’s approach to managing risk and its risk management framework at regular intervals. Entities are encouraged to conduct a comprehensive annual review as a sensible benchmark.
• Ensure that the senior executive schedules time to discuss and debate the entity’s risk profile. This may include the rolling review of individual risks in detail, a complete review of the entity risk profile, and occasional opportunities to consider the entity’s risks from a fresh ‘clean sheet of paper’ perspective.
• Constantly monitor the ongoing effectiveness of controls. Develop performance measures for each significant control to support consistent and reliable monitoring and reporting.
• Include risk issues in the entity’s annual audit plan, commissioning independent reviews, or through peer review programs with other entities.
• Align the review and oversight of risk management with similar business processes and governance arrangements. In particular, review the relevance of the risk management framework each time the entity’s corporate planning processes are revised.
• Consider a range of information sources when reviewing the entity’s risks and the effectiveness of its risk management framework. These can include insurance data, benchmarking data, internal audit outcomes, internal reviews, financial performance data, loss event information or anecdotal feedback.
• Benchmark the entity’s risk management performance against its peers and meet regularly with counterparts in other entities to exchange good practice.
• Ensure that risk management activities are traceable. In the risk management review process, records provide the foundation for improvements in methods and tools, as well as the overall process.[7]
[7] SA/NZS HB 436:2013 Risk Management Guidelines – Companion to AS/NZS ISO 31000:2009, p87.
Appendix A - Glossary of terms
Term / Definition
Accountable authority / The person or group of persons who has responsibility for, and control over, a Commonwealth entity’s operations. See also: Finance’s glossary of resource management terms.
Audit and risk committee / An independent committee that provides assurance and advice on the entity’s operations including the effectiveness of the entity’s risk management framework. Commonwealth entities may have a separate audit and risk committee.
Australian/New Zealand Risk Management Standard (AS/NZS ISO 31000) / AS/NZS ISO 31000 has been developed as a generic and flexible standard that is not specific to any government or industry sector. The Standard identifies elements or steps in the risk management process that can be applied to a wide range of activities at any stage of implementation. It replaced AS/NZS 4360 on 6 November 2009.
Commonwealth entity / A Commonwealth entity is a: a. Department of State; or b. Parliamentary Department; or c. listed entity; or d. body corporate established by a law of the Commonwealth. See also: Finance’s glossary of resource management terms.
Consequence / Outcome or impact of an event that may be expressed qualitatively or quantitatively. There can be more than one consequence from one event. Consequence can be positive or negative. Consequences are considered in relation to the achievement of objectives.
Control / A measure to modify risk. Controls are the result of risk treatment. Controls include any policy, process, device, practice or other actions designed to modify risk.
Corporate Commonwealth entity / A Commonwealth entity that is a body corporate and legally separate from the Commonwealth. See also: Finance’s glossary of resource management terms.
Enterprise-wide risk management (ERM) / Also known as entity-wide or integrated risk management. An integrated approach to assessing and addressing all risks that threaten achievement of the entity’s strategic objectives. The purpose of ERM is to understand, prioritise, and develop action plans to maximise benefits and mitigate top risks.
Entity risk management policy / A document containing the overall intentions and direction of an entity related to risk management.
Event / The occurrence or change of a particular set of circumstances. The event can be certain or uncertain. The event can be a single occurrence or a series of occurrences.
Exposure / Extent to which an entity is subject to an event.
External context / External environment in which the entity seeks to achieve its objectives. External context can include: cultural, political, legal, regulatory, financial, technological, economic, natural and commercial environment whether international, national, regional or local, as well as the perception of external stakeholders and key drivers and trends having an impact on the objectives of the entity.
Hazard / A source of potential harm or a situation with a potential to cause loss.
Internal audit / Independent, objective assurance and consulting activity designed to add value and improve an entity’s operations and accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal context / Internal environment in which the entity seeks to achieve its objectives. Internal context can include: capabilities understood in terms of knowledge; information systems, decision making processes; policies; perceptions, values and culture; governance structures.
Internal control / Any process, policy, device, practice or other actions within the internal environment of an organisation which modifies the likelihood or consequences of a risk.
Key Risk Indicators (KRI) / Measures and metrics that relate to a specific risk and demonstrate a change in the likelihood or consequence of the risk occurring.
Non-corporate Commonwealth entity / A Commonwealth entity that is not a body corporate and is legally part of the Commonwealth. See also: Finance’s glossary of resource management terms.
Resilience / Adaptive capacity of an entity to resist being affected by a risk event.
Risk / The effect of uncertainty on objectives. An effect is a deviation from the expected—positive and/or negative. Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances or knowledge) and the associated likelihood of occurrence.
Risk acceptance / The informed decision to take a particular risk. Risk acceptance can occur without risk treatment or during the process of risk treatment. Risks accepted are subject to monitoring and review.
Risk aggregation / The consideration of risks in combination.
Risk analysis / The process to comprehend the nature of risk and to determine the level of risk. Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
Risk appetite / The amount of risk an entity is willing to accept or retain in order to achieve its objectives. It is a statement or series of statements that describes the entity’s attitude toward risk taking.
Risk assessment / The process of risk identification, risk analysis and risk evaluation.
Risk capacity / The amount and type of risk an organisation is able to support in pursuit of its objectives.
Risk evaluation / The process of comparing the level of risk against risk criteria. Risk evaluation assists in decisions about risk treatment.
Risk event / A risk event occurs when the conditions for the existence of the risk come together with a triggering action which leads to the creation of an event (can be either a positive or negative event). Risk events lead to measurable effects which may lead to other effects and eventually lead to an undesirable consequence.
Risk identification / The process of finding, recognising and describing risks. Risk identification involves the identification of risk sources, risk events, their causes and their potential consequences. Risk identification can involve historical data, theoretical analysis, informed and expert opinions and stakeholders’ needs.
Risk management / Coordinated activities to direct and control an organisation with regard to risk.
Risk management framework / A set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.
Risk management plan / A document within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk. Management components typically include: procedures, practices, assignment of responsibilities and sequence of activities.
Risk management process / The systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Risk oversight / The supervision of the risk management framework and risk management process.
Risk owner / A person with the accountability and authority to manage a risk and any associated risk treatments. Sometimes referred to as a Risk Steward.
Risk profile / A description of any set of risks. The set of risks can contain those that relate to the whole organisation, part of the organisation or as otherwise defined.
Risk reporting / A form of communication intended to address particular internal or external stakeholders to provide information regarding the current state of risk and its management.
Risk tolerance / The levels of risk taking that are acceptable in order to achieve a specific objective or manage a category of risk. Risk tolerance defines the limits (quantifiable where practicable) that support the entity’s risk appetite.
Shared risk / A risk where more than one entity is exposed to or can significantly influence the risk.
Treatment / A treatment is a proposed control, yet to be implemented. The term can also be used to refer to the process of selection and implementation of measures to modify risk.
Appendix B - Examples of typical risk management roles and responsibilities
The table below identifies some common accountabilities and responsibilities for managing risk in an entity. These are examples and may not apply to all entities.
Group / Typical risk management responsibilities
Accountable authority /
• Determine and articulate the entity’s risk appetite and tolerance.
• Establish and maintain an appropriate system of internal controls for the entity.
• Champion the entity’s risk management framework, ensuring it is appropriate, implemented and continuously evolving to reflect the changing environment.
• Approve the entity’s enterprise risk profile.
• Endorse the approach to managing significant and critical risk areas.
• Discuss the entity’s key risks with the responsible minister.
• Understand the impact of the entity’s evolving risk profile on its ability to achieve its objectives.
Executive management committees /
• Review recommendations from the entity’s audit and risk committee(s) and other assurance and review activities and implement improvements as required.
• Support the accountable authority in determining the entity’s risk appetite and tolerance.
• Review the performance of the risk management framework.
• Understand and champion the entity’s risk management framework, ensuring it is appropriate and continually evolving to reflect the changing environment.
• Review and maintain oversight of the entity’s enterprise risk profile.
Audit and risk committees /
• Provide independent assurance of the effectiveness of the entity’s risk management framework.
• Monitor the implementation of the risk management program against the endorsed implementation strategy or plan.
• Review an entity’s internal control structures and advise whether key controls are appropriate and are operating effectively.
• Review compliance with an entity’s risk management policy and programs.
• Provide advice to the accountable authority to assist them in meeting their external accountability obligations, including statutory and fiduciary duties.
• Review the content of reports of internal and external audits to identify material that is relevant to the entity, and advise the accountable authority about good practices.
• Monitor and understand the potential implications of emerging risks on the entity’s risk profile and its ability to achieve its objectives.
Senior executives /
• Model good risk management behaviours.
• Contribute to the development of the entity’s enterprise risk profile.
• Review business unit risk profiles.
• Review and assess the current and planned approach to managing significant and critical risk areas.
• Ensure the risk management framework is implemented in individual business units/branches.
• Support officials who engage with risk in an appropriate and informed manner, regardless of the outcome.
• Contribute to the development of the entity’s risk profile and understand the effect of emerging risks on the entity’s ability to achieve its objectives.
Managers and supervisors /
• Identify, review and manage the risks and risk profiles for their business units.
• Identify and monitor emerging risks and understand the impact they may have on the risk profile of their business unit.
• Ensure officials are aware of the entity’s risk management framework in their decision making.
• Recognise risk management behaviours (positive or negative) within their teams.
• Communicate risk information with both internal and external stakeholders.
Risk manager/adviser/team /
• Coordinate the implementation of the risk management framework.
• Promote consistent and accurate risk management practice through effective risk management planning.
• Facilitate, challenge and drive risk management capability within the entity.
• Report to the senior management group, executive management team and audit committee or board at regular intervals.
Risk owners /
• Maintain responsibility for monitoring a specific risk.
• Understand the risks they are charged with and be sufficiently senior to influence their management.
• Understand and interpret the entity’s risk appetite and tolerance as it applies to their risks.
• Record and document the risk in appropriate risk registers.
• Actively monitor the risk context to understand and respond to any changes.
• Challenge the effectiveness of controls.
• Communicate and report on the risk at regular intervals.
Risk champions /
• Officials who lead their colleagues by modelling good risk behaviours.
• Lead risk activities, initiatives and assessments and encourage effective risk management in their area.
• Network with other risk champions to share good practice and build skills and capability.
Control owners /
• Responsible for maintaining controls and contributing to treatment programs.
• Actively monitor the continued viability, relevance and effectiveness of the control or treatment program.
• Inform the relevant risk owner when the effectiveness of the control or treatment is at risk.
All officials /
• Recognise, communicate and respond to expected, emerging or changing risks.
• Contribute to the process of developing risk profiles for their branch/business unit.