Risk Policy & Procedure – Sample Only

Purpose and Scope:

This procedure describes the process for risk management and provides a generic procedure for assessing risk within ABC Education. It describes how risk management is linked to other compliance activities including the standards for managing risk in the Australian Quality Training Framework (AQTF), the international standard for quality management systems (ISO9001: 2000), and the requirements under the OH&S Act (2000), its associated Regulations (2001) and other Australian Standards.

Policy:

ABC Education is committed to complying with legislative requirements on risk management as part of a cycle of continuous improvement so as to ensure a safe workplace and quality training outcomes. As required by ANTA and outlined in the AQTF, ABC Education must:

include documentedprocedures to identify and manage risks concerned with compliance with the Standards for Registered Training Organisations and to correct and prevent any failure to comply with the Standards and the RTO’s quality system, policies or procedures.” (Standard 1.8)

Further, the NSW OH&S Act (2000) requires that a risk management strategy be implemented to ensure compliance. The Australian standard for risk management AS/NZ 4360 (1999) is the framework used by ABC Education. This approach ensures consistency in identification, analysis, reporting and updating of risk issues.

Figure 1 - Source: Australian/New Zealand Risk Management Standard AS/NZS4360 (1999)

Responsibilities:

  1. The Quality Management Group (QMG) has organisational responsibility for the effective implementation of risk management related to all organisational activity.
  2. Faculty and Support Unit Managers are responsible for assessing risks against their business plan, putting the procedure into operation and monitoring and following up on control plans.

Definitions:

Risk Management

The practice of systematically identifying and evaluating any threats to the organisation; establishing priorities for action and making decisions about which risk control measures need to be implemented.

Generic Procedure:

At the beginning of the planning cycle, Faculties and Support Units prepare and document business plans. These are to take into account the level of risk involved in plan associated activities, together with the mitigation strategies to be implemented where the level of risk is assessed as being too high. When and how risk is assessed for all major business activities is to be documented within the business plan (refer to the organisation’s ‘Self Assessment Guide for Functional Units’ available from the Educational Developments Unit). An approach based on the AS/NZ 4360 is to be used. Faculties and Institute Support Units are therefore to assess risk by:

  1. Establishing the unit/section objectives.
  2. Identifying major activities needed to reach the objectives.
  3. Identifying and analysing the risks associated with each activity.
  4. Evaluating and ranking the risks.
  5. Identifying the current risk control measures.
  6. Rating the current risk control measures.
  7. Determining the current risk.
  8. Controlling unacceptable risk through mitigation strategies.

Once major activities are their risks are identified, all effected stakeholders are to be included in the consultation process around the assessment of the risk.

Where risk is assessed as EXTREME of HIGH, existing and potential control measures should be established and a reassessment undertaken. Treatment options are to be applied to the extent that a LOW or MEDIUM risk level can be gained and maintained

Applying controls

Hard controls may include document trails, reconciliation, physical control over assets, authority for approvals etc. Soft controls may include ethics, competence, culture, communication, leadership, integrity etc. The effectiveness of a control should be rated in a subsequent risk assessment. Effectiveness may be rated as:

  • Poor – control is not addressing the risk (High risk level is not changing)
  • Fair – control is addressing the risk, but is not considered effective
  • Good – control effective in addressing risk (risk level is considered acceptable)

Before employing regulatory instruments as a hard control refer to the document “Principles for the use of regulatory instruments in organisations” issued by ABC Education Legal Branch. This gives guidance on when a regulatory instrument is appropriate.

Where extensive controls are in place for an activity assessed as low risk, consideration should be given to risk managing instead of continuing to control it. This frees up organisational resources. Where the final assessment is still EXTREME or HIGH, the Educational Developments, Corporate Services or Human Resources Manager should be contacted and an alternative treatment strategy considered such as outsourcing.

A more detailed guide titled ‘Implementing the Management of Risk’ is available to support the methodology behind this approach. It can be downloaded from ABC Education’s Intranet at

Generic Form:

Appendix 1 provides a generic Risk Assessment Worksheet that provides evidence of assessment within a structured format.

Compliance to AQTF:

NB - The following provides a specific example of the implementation of risk management in the area of the AQTF. The generic procedure is as applicable here as it would be in terms of OH&S, financial systems and other compliance standards management.

The Risk Management procedure outlined in the Risk Management Policy will be used to identify and manage the risks associated with compliance with the AQTF standards for Registered Training Organisations (RTO’s). Annually the Educational Development Unit will analyse ABC Education’s risk in adhering to the AQTF standards for RTO’s. A number of sources will be utilised to do this. This includes but is not limited to:

  • National Key Risk Areas identified by ANTA
  • State priorities identified by VETAB from the National Key Risk Areas
  • State sources for identifying risks
  • Results from Internal Audits
  • Analysis of Customer SuggestionsComplaints
  • Analysis of surveys conducted including staff and student surveys
  • Analysis of staff suggestions

Once this Risk Assessment has been conducted and appropriate controls implemented, a copy of the business unit risk plan is to be provided to the Educational Developments Manager for endorsement. On an ongoing basis, the Educational Developments, Corporate Services and the Human Resources Manager will monitor the risks associated with AQTF and legislative compliance from a variety of inputs including but not limited to:

  • Internal Audits
  • Staff Suggestions
  • Customer complaints
  • Ministerials
  • OH&S Committees
  • Appropriate legislation and licensing.

Review

This policy was endorsed on January 1, 2003 and is due for review by December 19, 2003.

Appendices

Appendix 1 - Risk Assessment Template.

Appendix 2 - AQTF National Risk Management Approach

Appendix 3 - National Key Risk Areas (KRA’s)

Appendix 4 - State and Territory Sources for Identifying Risk

APPENDIX 1 - RISK ASSESSMENT WORKSHEET

Business Objective:

Risk
Ref. / Risk Description / Assessment Before Controls / Accept
Risk
Y/N / Existing Control Description / Assessment After Controls / Accept
Risk
Y/N / Control
Rating / Treatment
(L) / (C) / Level of Risk / (L) / (C) / Controlled
Risk
Major Process – Steps:

Appendix 2 - AQTF National Risk Management Approach

Preamble

Unacceptable levels of risk may expose the national vocational education and training (VET) system to significant financial, legal, social and/or political consequences. To ensure individuals in receipt of training and assessment services in the VET sector are protected and assured of quality outcomes, national key risk areas have been identified by the States and Territories. These will be incorporated into the existing State and Territory risk management processes for targeting and scheduling audits of registered training organisations (RTO’s).

A national key risk area (KRA) may not assume the same priority in each jurisdiction due to demographics, policy priorities and social and economic variability. Therefore, States and Territories will select from these based on importance to their jurisdiction, for inclusion in their 12 month audit schedule.

The national key risk areas will be reviewed and updated annually by the National Training Quality Council (NTQC). In doing so, they will consider which national key risk areas were selected by States and Territories, those not selected and the reasons for those decisions, along with the need for variations, inclusions and deletions to the listing of national key risk areas.

States and Territories could advise the NTQC on priorities or emerging risks through the 12 month audit schedule. In States and Territories advice to the NTQC, there will also be an opportunity to share generic best practice information in both State and Territory audit practices and RTO business practices, as part of the continuous improvement process to ensure continued quality training outcomes in the VET sector.

The AQTF National Risk Management Approach will ensure national consistency in the identification, analysis, reporting and updating of risk issues in accordance with the Risk Management Standard AS/NZS 4360 (1999). National consistency in risk management will befurther enhanced by the application of the AQTF’s Evidence Guide for Registered Training Organisations and Auditors as a risk mitigation and control tool.

Audit activities are one part of a continuous improvement cycle to ensure quality training outcomes in the VET sector. Audit activities have the potential to inform RTO’s about possible risks associated with their business, encourage self correction and treatment, provide quality guidance and generic information sharing on best practice and highlight the need for additional support and guidance in obtaining and maintaining compliance with the AQTF’s standards for RTO’s.

Appendix 3 - National Key Risk Areas (KRA’s)

KRA1High number and/or seriousness of verified complaints against RTOs

RTO’s facing a high number of and/or seriousness of verified complaints present a high risk to the integrity of the VET system and need careful monitoring. Particular risks are associated with: appropriate policies and procedures; timeliness in dealing with complaints and transparent and fair processes.

KRA2Potentially dangerous environments and industries

RTO’s operating in potentially dangerous environments and industries have special requirements with: identifying the OH&S issues; informing and training staff and students about OH&S; understanding and managing the impact of OH&S requirements.

KRA3Delivery of Assessment & Workplace Training qualification (Certificate IV)

RTO’s delivering the qualification (integral to the Australian Quality Training Framework (AQTF) and every Training Package) face particular risks associated with:

  • the qualifications of the trainers and assessors
  • the quality of training delivery; and
  • the robustness of the assessment.

KRA4Multi-site delivery (including off-shore)

RTO’s operating across more than one site and/or off-shore have particular risks associated with maintaining quality and consistency: when operating in more than one jurisdiction; where management and operations are diversified and decentralised.

KRA5Delivery and assessment of Training Packages and other AQF

qualifications in new and emerging industries

RTO’s delivering training in new and emerging industries have little or no benchmarking data by which to verify: the currency of the qualifications and competencies of the trainers and assessors and determine professional development needs; the quality of training delivery; the robustness of the assessment; whether the training meets the needs of new and emerging industries; the status of the qualification in the industry with respect to whether or not additional training is required.

KRA6Delivery of training where training is not core business

RTO’s delivering training where training is not core business have particular risks associated with: the currency of the qualifications of the trainers and assessors; the quality of training delivery; the robustness of the assessment; the nature and quality of the supervision; the nature and quality of any partnership arrangements; the commitment of corporate management to the deployment of adequate resources (ie time, personnel, facilities, budget) to training delivery and assessment; the ethical management and transparency of multiple roles (eg schools and Group Training Companies).

KRA7Delivery by exclusive pathways

There are particular risks where apprenticeships/traineeships are delivered fully on-the-job in a way that the structured learning component is not explicit, or alternatively, where the pathway to a particular occupational outcome is fully institutionally based with no real workplace component.

For fully on-the-job pathways, RTO’s have particular risks associated with: the qualifications of trainers and assessors; the quality of training delivery; the robustness of the assessment; the nature and quality of any partnership arrangements; and the nature and quality of the supervision.

For fully institutional pathways the RTO has risks associated with relevance to current industry practice, adequacy of skill development opportunities, access to current equipment and facilities and currency of vocational competencies of trainers and assessors.

KRA8Introduction of (or significant expansion of) structured training into established industries

RTO’s delivering training in industries that have not previously had structured training have particular risks associated with: the currency of the qualifications of the trainers and assessors; the quality of training delivery; the robustness of the assessment; the adequacy of the infrastructure to manage significant expansion of structured training; and understanding enterprise and industry training requirements.

KRA9Extreme variations in training effort by RTO’s delivering the same or similar qualifications

In a competency-based environment, the training effort may vary for the same or similar qualifications. RTO’s with extreme variations in training effort for the same or similar qualifications, compared to that of other RTO’s with similar client groups, may have particular risks associated with the quality of training delivery and the consistency of outcomes.

Interface Risk Areas:

Where these issues interface with the AQTF’s Standards for Registered Training Organisations, any risks must be identified, as a result of the interface. The following key risk areas are interface areas:

KRA10 Introduction of new or changed external regulatory/licensing standards which may affect Training Package delivery

RTO’s operating where there are changes in external regulatory/licensing standards (eg Information Technology, Aged Care) which may affect Training Package delivery have particular risk associated with: identifying new or changed regulations or licences; informing appropriate persons; understanding and managing the impacts of the new requirements on Training Package delivery.

KRA11 Priority interface areas as defined by State/Territory (e.g. providers in receipt of government funds, poor AVETMISS returns, particular courses /qualifications)

RTO’s delivering training in priority areas as defined by the State/Territory are required to manage the risks associated with those defined areas. States and Territories may have particular priorities which contain inherent levels of associated risk.

Appendix 4 - State and Territory Sources for Identifying Risk

The following list provides a range of sources that States and Territories could use to identify risks associated with an RTO’s performance.

  • Complaints
  • AVETMISS returns
  • Contract management information
  • Strategic industry audits (internal/external)
  • Audit patterns – derived from local audits
  • Newspapers/advertising/training program promotional material
  • Inter-government/inter-departmental

legislation, forums, committees

  • Industry training plans
  • Research (NCVER etc)
  • Size/change of scope
  • Extreme variations in advertised program duration
  • Regulated training data
  • Field officer reports
  • Group training data – supplied by managers or media
  • Company searches
  • Annual internal audits
  • Annual financial returns
  • Student satisfaction surveys
  • Employer surveys
  • Stakeholder feedback
  • Industry bodies/training plans