Risk Management Policy and Framework For Churches


Contents

1. Risk Management Policy

2. Risk Management Framework

2.1. Synopsis

2.2. Risk

2.3. Framework Objectives

2.4. Adding Value

2.5. Organisational Structure Relating to Risk Management

Figure 1 - Risk Management Structure

Figure 2 - Relationship between Risk Management and other activities and services

2.6. Risk Management Leadership

2.6.1. Policy Leadership and Commitment

2.6.2. Accountability and Authority

2.6.2.1. Resources Board

2.6.2.2. General Secretary and Executive Management

2.6.2.3. Synod Risk Manager and Risk Management Administrator

2.6.2.4. Departmental Managers and Leadership Group

2.6.3. Planning and Objectives

2.6.4. Communication, Consultation and Participation

2.6.5. Documentation Control

2.6.6. Continuous Improvement

2.7. Risk Principles

2.7.1 Risk management creates and protects values

2.7.2. Risk management is an integral part of all organisational processes

2.7.3 Risk management is part of decision-making

2.7.4 Risk management explicitly addresses uncertainty

2.7.5 Risk management is systemic, structured and timely

2.7.6 Risk management is based on the best available information

2.7.7 Risk management is dynamic, iterative and responsive to change

3. Criteria For Assessment

Table 1 - Likelihood Table

Table 2 - Consequences Table

4. Risk Analysis

Table 3 – Risk Matrix

Table 4 – Risk Actions

Table 5 – Control Effectiveness

Table 6 – Risk Sources

1. Risk Management Policy

We recognise that risk management contributes to sound management practice, to fulfil our Spiritual Vision, Mission and Values as member Churches of the Uniting Church of Australia (WA).

The policy defines the objective of risk management as our best efforts to minimise and manage what could cause us harm in relation to people, assets and resources and reputation. It also provides us with a systematic approach to identify and manage the effects of uncertainty on our activities.

Our risk management approach is aligned to the AS/NZS ISO 31000:2009 International Standard.

To foster risk management practices in the Uniting Church, we shall:

  • Manage an effective Risk Management Framework consistent with the International Standard AS/NZS ISO 31000:2009 for identifying, assessing and managing risks in order to support the achievement of our objectives;
  • Comply with applicable laws, regulations and governance standards in areas in which we operate;
  • Manage Processes and Systems to empower our staff to proactively identify and address risk issues and events;
  • Facilitate communication and reporting on key business risks across the organisation and verify that the internal control systems are adequate and functioning effectively;
  • Provide risk management information and training programs using the Synod’s Insurance and Risk Services office as a source of guidance and information;
  • Develop measures to assess the effectiveness of risk management practices, monitor performance, and take steps to address deficiencies and embed continuous improvements to realise optimum outcomes.

We shall also encourage our Church leaders, managers, staff and volunteers to develop risk mitigation plans and implement risk reduction strategies as part of their daily effort.

2. Risk Management Framework

2.1. Synopsis

The Risk Management Framework is issued in accordance with its Risk Management Policy and based on the International Standard AS/NZS ISO 31000:2009. It ensures consistent and effective application of the principles and processes to manage all material risks of concern to the Church.

Under the Framework, the Manager, Insurance and Risk at the Synod is available for assistance, support and guidance.

2.2. Risk

Risk is the effect of uncertainty that exists in respect to all of our activities and services.

The consequences of a risk event may be positive or negative.

Figure 1 - Relationship between Risk Management and our activities and services


2.3 Leadership Group

The key risk management responsibilities of the Church’s leadership team are to:

  • Identify relevant risks in respect to their activities and maintain a risk register;
  • Implement risk reduction strategies; and
  • Communicate and consult with all relevant participants in the congregation.

2.3.1 Risk management is systemic, structured and timely.

This contributes to efficiency and to consistent, comparable and reliable results which translate into demonstrable benefits and achievements for the Group.

2.3.2 Risk management is based on the best available information.

Inputs into the risk management processes are based on historical data, experience, stakeholder feedback, observations and expert judgment, but decision-makers retain final discretion as to the applicability, relevance and limitations of available information.

2.3.3 Risk management is dynamic, iterative and responsive to change.

Risk management continually senses and responds to change. As events develop, context and knowledge change, monitoring and review of risks take place, new risks emerge, and existing risks change or disappear.

2.4 Criteria for Assessment

Table 1 – Likelihood Table

Descriptor and Risk Value / Description
Rare x 1 / A risk worth noting and may only occur in exceptional circumstances
Unlikely x 2 / Could occur within the next five years
Possible x 3 / Will occur within the next three to five years
Likely/Frequent x 4 / Will occur within one to three years
Almost Certain/Very Frequent x 5 / Imminent, just a matter of time

Version 1 – 28 July 2015

Table 2 – Consequence Table

Impact Indicators and Risk Value / Insignificant x 1 / Minor x 2 / Moderate x 3 / Major x 4 / Extreme x 5
People Safety and Wellbeing / Incident with no injury, no lost time or ill-health; no impact on morale / Injury requiring first aid, no lost time or ill-health; low impact on morale / Injury or ill-health requiring outpatient medical treatment, some lost time; residual impact on morale of individual staff, volunteers, members / Serious injury or ill-health requiring emergency intervention/hospitalisation; adverse impact on morale of a group of staff, volunteers, members / Life-threatening or loss of life; adverse impact on morale of significant group/s of staff, volunteers, members
Financial (Revenue) / <$100k; or <1% OB / >$100k – $300k; or 1% to 5% OB / >$300k – $1M; or 5% to 9% OB / >$1M – $2M; or 9% to 12% OB / >$2M; or >12% OB
Impact on Services / Loss < 1/2 day / Loss 1/2 – 2 days / Loss 2 days – 1 week / Loss 1 week – 1 month / Loss > 1 month
Reputation and Image / Low impact, low profile and no media reports / Unsubstantiated, low impact media report/s / Substantiated, moderate impact media report/s / Substantiated, high impact media reports causing significant; and potential third party action / Substantiated, widespread media reports; damaging third party action/s.
Compliance: Contract, Regulation, Legislation, Standards / No identifiable or reportable breaches / Breaches recorded, limited adverse impact, recommendations for improvements made / Breaches recorded resulting in imposition of Sanctions leading to multiple impacts / Significant breaches recorded; Sanctions imposed; Prosecutions or actions initiated. / Significant, widespread breaches recorded; Removal of ‘licence to operate’; Prosecutions/class action

Table 3 – Risk Matrix

Risk Matrix – Adapted from ISO/IEC 31010:2009 Risk Management – Risk Assessment Techniques – L x C provides a Risk Rating
Likelihood (rows), Consequences (columns) / Insignificant 1 / Minor 2 / Moderate 3 / Major 4 / Extreme 5
Almost Certain/Very Frequent 5 / M (05) / H (10) / H (15) / VH (20) / CAT (25)
Likely/Frequent 4 / M (04) / M (08) / H (12) / H (16) / VH (20)
Possible 3 / L (03) / M (06) / H (09) / H (12) / H (15)
Unlikely 2 / L (02) / L (04) / M (06) / M (08) / H (10)
Rare 1 / L (01) / L (02) / L (03) / M (04) / H (05)

Table 4 – Risk Actions

Risk Rating / Risk Actions / Description
Low / Accept / Risk Owner to monitor on a regular basis and report on if there is a change in status of its Likelihood or Consequences
Medium / Accept with adequate Controls / Risk Owner to monitor the situation and track performance of controls on a quarterly basis. Management responsibility specified
High / Accept risk appetite to meet Purpose / If the potential benefits of an Activity fall within the Purpose of UC, consideration is given to accept the risk with specified Controls and/or Treatment Plans. Performance to be reviewed quarterly
High / Not Accept risk due to low tolerance / Senior management attention required; Treatment Plans and management responsibility specified. Performance to be reviewed quarterly
Very High / General Secretary notified or advised / Senior management attention required; Treatment Plan and management responsibility specified. Resources Board to be advised
Catastrophic / Resources Board notified or advised / Response Plan required

Table 5 – Control Effectiveness

Rating / Proposed Definition
Excellent / Controls are fit for purpose; Review Controls annually or need basis
Adequate / Internal Controls are fit for purpose; External Controls are adequate for the purpose; Review Controls annually or need basis
Improve / Internal Controls need Improvement; External Controls must be monitored; Review Controls half-yearly or need basis
Inadequate / Controls are not fit for purpose; Improvement plans to better control the risk are necessary; Review Improvement Plans for Controls quarterly or need basis; Monitor risk quarterly or need basis
Exposed / Little or no action is taken to manage the risk; Improvement Plans to control the risk must be implemented; Review Improvement Plans for Controls monthly; Monitor risk monthly or need basis
