Chapter 1.6.2 – Enterprise Risk Management


Purpose and Objectives

This Framework provides the necessary guidance for managing enterprise risk within Company and outlines how these principles will be embedded at all levels of the organisation. The Framework aligns established risk management principles and processes with the organisation’s overall governance, strategy and planning, management, reporting processes, policies, values and culture.

The Framework approach requires that:

  • Enterprise risk management is performed consistently throughout the whole organisation.
  • Enterprise risks are assessed and managed in a context that is relevant to each part of the organisation.
  • The Framework approach is inclusive of the following organisational risk areas:
      • Corporate – associated with the high-level longer-term goals, objectives and strategies.
      • Operational – associated with business functions / operations.
      • WH&S – associated with regulatory and compliance risks.
      • Project and Events – associated with defined, significant Company projects.

In implementing the Framework, Company will actively:

  • Identify and prioritise corporate, operational, compliance and major project & event risks and opportunities using the risk management process;
  • Ensure enterprise risk management becomes part of day to day management and processes;
  • Provide employees with the procedures necessary to manage enterprise risks;
  • Ensure employees are aware of risks and how to identify, assess and control them; and
  • Compile and monitor a register of strategic and operational risks in order to achieve continuous improvement in enterprise risk management.

Scope

This policy applies to all Company employees, contractors, customers/clients, volunteers and visitors to facilities controlled by the Company. The policy extends to all current and future activities, and to new opportunities.

It aims to ensure that a robust Enterprise Risk Management strategy is developed and applied to all key services and to the risks of disruption that may impact them.

It encompasses both an explanation of the business Enterprise Risk Management strategy and the establishment of the framework for implementing the Policy’s principles, including templates for staff to develop arrangements and plans within their own areas.

Policy Statement

The management of risk is a process that all humans carry out continuously, sometimes consciously and sometimes without realising it. Even so, to ensure the appropriateness of the organisation’s decision making and actions, the management of risk needs to be done in a manner that is systematic and organisation-wide.

A systematic approach to enterprise risk management relies on understanding sound risk management principles and embedding them into the organisation. The Australian Standard for Risk Management – Principles and Guidelines (AS/NZS ISO 31000:2009) sets out 11 best-practice principles. Risk management:

  • Creates and Protects Value
  • Integral Part of all Organisational Processes
  • Underpins Decision Making
  • Manages risk
  • Systemic, Structured and Timely
  • Based on the Best Available Information
  • Tailored to the Organisation
  • Takes Human and Cultural Factors into Account
  • Transparent and Inclusive
  • Dynamic, Iterative and Responsive to Change
  • Facilitates Continual Improvement of the Organisation

Framework

Through the development of the Framework and its supporting processes, Company clearly establishes its risk appetite and provides guidance to all employees on their responsibilities and expected actions in relation to effectively managing risk.

Mandate and Commitment

AS/NZS ISO 31000:2009 Risk Management provides context for the Company requirement to establish an effective risk management process.

While not mandated by law, it is expected that Company risk management activities are undertaken in accordance with AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines. Adherence to this guide will lead to Company improving risk management capabilities, resulting in enterprise risks being more effectively and efficiently managed.

Through Company Enterprise Risk Management Policy and demonstrated Executive commitment, the Framework supports risk management practice, reporting, responsibilities and accountabilities at all management levels.

The success of the Framework also depends on the effectiveness of the foundations and processes that embed it throughout the organisation.

The Framework provides a conceptual structure for communicating risk information, promoting greater awareness and improved coordination of risk management processes. It also identifies how risk management will be monitored and reported.

The Framework integrates the process for managing risk into an organisation’s overall governance, strategy and planning, management, reporting processes, policies, values and culture.

Determining Risk Appetite

Establishing the context is where alignment, planning, understanding and preparation occur, and it is here that risk appetite adds value to the process. The context, internal or external, refers to the environment in which Company seeks to achieve the particular objective being risk assessed. The risk management context considers the goals, objectives, strategies, scope and parameters of those Company activities that could be a source of uncertainty, or of those parts of Company where the risk management process is being applied. This includes consideration of the benefits, costs and opportunities of risk management activities and the resources required. Setting the risk criteria is also part of establishing the context.

Risk appetite has two principal components:

  1. Risk Tolerance: How much risk can the organisation choose to accept?
  2. Risk Capacity: How much risk can the organisation afford to take?

Company has a relatively conservative appetite for risk.

In particular, the Company has no appetite for risks which will:

  • Have a significant negative impact on Company long-term financial sustainability; or
  • Result in breaches of legislative requirements and/or significant successful legal claims against the Company; or
  • Compromise the safety and welfare of employees, contractors and/or members of the community; or
  • Cause significant and/or irreparable damage to the environment; or
  • Result in major disruption to the delivery of key Company services and/or significant loss of key assets/infrastructure; or
  • Result in widespread and/or sustained damage to the Company reputation.

The Company has an appetite for risks associated with:

  • Positive impacts on Company long-term financial sustainability; or
  • Improving efficiency and/or generating additional sources of income; or
  • Ensuring legislative compliance and/or reducing the likelihood of successful legal claims against Council; or
  • Ensuring the safety and welfare of employees, contractors and/or members of the community; or
  • Maintaining, protecting and/or enhancing the environment to provide a greater amenity to the community; or
  • Maintaining and where necessary improving levels of service to the community; or
  • Providing/offering a significant community benefit.

Company risk tolerance and capacity will be assessed on a case by case basis.

Risk Hierarchy

Risks are categorised, depending on the level at which the risk is likely to affect Company ability to achieve its objectives, as:

  • Corporate
  • Operational
  • Workplace Health & Safety
  • Major projects and events

This hierarchy defines accountability for managing risks throughout the organisation.

Implementation

Risk management can be applied at all levels within Company and to all corporate (strategic) and operational activities. It is also applicable to specific projects and effective decision making. As such the way in which risks are identified and managed is critical to the achievement of Company objectives.

To manage risk, Company applies the risk assessment methodology described below, which is designed to ensure that risk management decision making is based on a sound approach, is consistent in assessment, and uses a common language that is easily understood across the whole of the organisation. This approach takes into account the unique environment in which Company operates.

This process provides a structured approach to managing all corporate (strategic) and operational activities across business units and organisation levels.

Details of the enterprise risk management process can be obtained from the Enterprise Risk Management Procedure.

Risk Treatment and Control

Risk treatment and control is designed either to reduce the likelihood of the risk occurring or to reduce the consequences of the risk were it to occur. The proposed treatment(s) should reduce the risk to an acceptable level (i.e. medium or low).

If, even with the proposed additional treatments, the risk level is assessed as remaining unacceptable, serious consideration should be given to whether the activity that will create the risk should be commenced or, if already in progress, continued. However, it should not be assumed that the activity must cease.

A further important consideration when selecting risk treatments is balancing the cost of the treatment against the benefit derived from it. In general, the cost incurred in managing risks needs to be commensurate with the benefits gained. Also consider how avoiding the risk in one activity can affect the significance of risk in other activities and the total risk profile.

Risk Treatment Options

The following risk treatment options will be considered:

  • Avoid the Risk
      • Do not proceed with the activity likely to generate the risk.
  • Manage the Risk’s likelihood or consequence
      • Documented policies and procedures
      • Appropriate qualifications
      • Structured training and induction programs
      • Effective supervision processes
      • Effective monitoring, review, audit and compliance procedures
      • Removing the risk source
  • Transfer/Share the Risk
      • Outsource the activity to a third party
      • Seek legal or other external advice
      • Insurance
  • Accept or Retain the Risk
      • Following cost/benefit analysis
      • Increasing the risk in order to pursue an opportunity

Monitoring and Review

It is important that, once risks are identified and assessed, they are subject to ongoing monitoring, using the level of risk as a guide to the frequency of monitoring and review.

A review of the risks should also include a review of the risk acceptance decision, which may need to change because of:

  • Changing legislation
  • Changes within the organisation (e.g. loss of key staff, reduction in revenue, change in risk profile/appetite)
  • Changes to codes, standards and practices
  • Environmental changes
  • Budget constraints
  • Change in strategic direction

The Company actively monitors the effectiveness of the controls to ensure that residual risk remains within prudent limits.

Framework Monitoring, Review and Improvement

Based on the results of monitoring and reviews of risk management outcomes, decisions will be made on how the Risk Management Framework can be improved. These improvements should lead to improvements in the management of risk and the risk management culture.

Some of the processes that support continuous improvement and review of the Framework include:

  • Regular assessment of the quality of risk management processes and documentation prepared by business areas to identify opportunities for improvement;
  • Inclusion of risk management with organisation culture survey data to inform improvement, communication and training requirements;
  • Regular reviews of models, frameworks, and standards used in other organisations and jurisdictions to ensure that our Framework continues to reflect contemporary best practice;
  • Ongoing training and development for Enterprise Risk Management employees to ensure that they are equipped with a sound knowledge and skills base; and
  • The inclusion of, and measurement against, performance measures relating to Company performance with regard to risk management.

Outcomes of review activities, with recommendations, will go through the CEO.

Procedure

The Enterprise Risk Management Procedure (the Procedure) ensures informed decision-making, consistent assessments, and a common language is used and understood across all business units. The Procedure describes the enterprise risk management process to ensure that risks are appropriately identified and treated.

Risk Registers

The Risk Registers set out the identified risks (including the material risks), impact, risk assessment, existing controls, residual risk, proposed treatment and responsible manager. Risks identified as inherently ‘low’ or ‘moderate’ are considered acceptable. However, these risks will still be managed and monitored regularly to ensure they remain acceptable in a changing environment.

The risk registers will also cover the expected sources of assurance. Risk registers are developed and maintained for each category of risk within the risk hierarchy.

Risk Treatment Action Plan

A Risk Treatment Action Plan (the Plan) is used to help work through the treatment decision-making process in a structured manner and to help schedule actionable priorities.

The Plan should take into account the following:

  • Priority
  • Options for treatment
  • Preferred option
  • Cost involved
  • Resourcing
  • Cost benefit analysis
  • Timeframes involved

Source of Assurance

In addition to identifying risks and developing mitigation strategies, the strength of the sources of assurance will also be considered, including management controls, risk controls and compliance, and independent verification, recognising that not all sources of assurance provide the same degree of surety.

The source of assurance needs to consider:

  • The nature of the risk and Company appetite for the risk;
  • The expertise of the assurance provider and the resources available to them;
  • The ability to implement effective control measures;
  • How the overall monitoring and management of the control measures can take place; and
  • The cost of providing such assurance.

Common internal sources of assurance include, but may not be limited to:

  • Internal audits;
  • Self-assessment and/or self-certification; or
  • Quality management processes.

Common external sources of assurance include, but may not be limited to:

  • External audits;
  • Peer review bodies/groups;
  • Regulatory inspection bodies/agencies; or
  • Professional accreditation schemes.

Enterprise Risk Management Reporting

In order to ensure the ongoing maintenance and effectiveness of enterprise risk management within the organisation, risk management reporting is completed on a regular basis. These reports include, but may not be limited to:

  • Quarterly Statement of Assurance from line managers, provided to appropriate Directors;
  • Regular risk reports to Company and review of specific risk registers on a cyclical basis;
  • Risk reporting to the Executive Management Team on a monthly basis;
  • Detailed six (6) monthly Executive Management Team review of risk registers;
  • Risk reports to Company on a six (6) monthly basis; and
  • Incident reports to Company after the event and to Company in the case of an extreme event.

Risk reporting draws information upwards to enable the compilation and modification of risk registers. It is through these reports that risk owners are able to prioritise, analyse and update the status of risks and appropriately escalate high-priority risks.

Roles and Responsibilities

The Company is responsible for:

  • Adopting a Risk Management Framework and Policy that complies with the requirements of AS/NZS ISO 31000:2009, and reviewing and amending the Framework and Policy in a timely manner and/or as required;
  • Being satisfied that risks are identified, managed & controlled appropriately to achieve Company Strategic Objectives;
  • Appointing and resourcing the Company;
  • Providing adequate budgetary provision for the financing of risk management including approved risk mitigation activities;
  • Reviewing Company risk appetite; and
  • Considering risk information provided by the Administration to inform Company decision making.

Audit, Risk and Business Improvement Committee is responsible for:

  • Reviewing the adequacy and effectiveness of the Framework and associated policies and procedures, and making a recommendation to Company as to their appropriateness;
  • Providing oversight of the risk management and internal audit functions of Company;
  • Reviewing and monitoring the development and implementation of risk management principles across the Council;
  • Monitoring changes to Company risk profile and highlighting material changes; and
  • Monitoring performance of implementing action plans arising from risk assessments.

The Chief Executive Officer is responsible for:

  • Establishing and maintaining a culture of risk awareness and intelligence;
  • Ensuring governance mechanisms effectively monitor risks and the way they are managed;
  • Ensuring employees receive support in fulfilling their responsibilities;
  • Setting standards of best practice for risk management, based on the AS/NZS ISO 31000:2009;
  • Contributing to the attainment of Company Corporate Plan;
  • Managing risks that may impact on Company ability to achieve the objectives of Company Corporate Plan.

The Directors are responsible for:

  • Implementing the Framework and associated policies and procedures;
  • Ensuring that regular risk assessments are undertaken within the area of their responsibilities to identify existing or potential risk and ensure that appropriate treatments are implemented and functioning appropriately;
  • Ensuring that the risk register is maintained and up-to-date in relation to their areas of responsibility;
  • Managing risks that may impact on the department’s ability to achieve the objectives of Company Corporate Plan and Operational Plan; and
  • Reporting risks, as required, to Company in consultation with the CEO.

The Managers are responsible for:

  • Managing risks that may impact on the section’s ability to achieve the objectives of Company Operational Plan;
  • Providing oversight of the operational risks, including reviewing and maintaining the risks registers, and reviewing the adequacy and effectiveness of the controls and treatments; and
  • Escalating operational risks that are high or extreme or cannot be managed locally (including risks that require coordination between areas) to the Executive Management Team.

The Internal Auditor function is responsible for considering Company risk registers when developing annual audit plans and contributing to the training of employees specifically around internal controls.

All employees are required to comply with Company Framework.

Communication and Consultation

Communication and consultation are integral parts of, and must occur throughout, the risk management process for all stakeholders. It is important to communicate and consult with stakeholders at each step of the risk management process.

Communication efforts must be focused on consultation and two-way dialogue, rather than a one-way flow of information from decision makers to stakeholders. This provides a shared and better understanding of risks identified and the appropriate treatment options.

The Risk Management Officer will be available to assist employees throughout the risk management process including risk assessments, developing treatments and reporting.

Any changes to the ERM framework that impact the process are to be communicated to all stakeholders.

Risk Assessment

The risk assessment is the overall process of risk identification, analysis and evaluation. The ERM Process Procedure details the risk assessment and treatment process and includes:

  • The Risk Calculator, and associated Risk Consequence and Likelihood Tables; and
  • Guidance on control effectiveness and treatment plans/controls.

Identifying Risks

Risk identification is critical in determining the source of all threats to the Company and their effects on the Company’s ability to achieve its objectives. This process must encompass all risks to operations, both threats and opportunities, e.g. something that presents a danger to the organisation if it eventuates, and something that threatens the objectives of the organisation if it is not acted upon.

A sub-element of risk identification is gauging the ‘threat’ of the risk, which is assessed from:

  • Likelihood, and
  • Consequence of the risk, including its farther-reaching effects (the ‘butterfly effect’), and
  • Exposure, or the duration for which the enterprise is exposed to the hazard.

Risk Analysis

A risk analysis is an assessment of the risk. It is determined/calculated using a Risk Calculator (defined by the organisation based on its specific needs) and a Risk Matrix. This process is designed to provide useful information about the potential risks and their assumed effects on the organisation’s objectives. The data is presented as:

  • A list of identified risks to the organisation
  • An initial risk score, designed to give a worst-case rating for each risk in the list (remember, this score is determined on a matrix from the likelihood and consequences should an incident occur)
  • A likelihood score for each risk
  • A consequence score for each risk
  • Risk scores are calculated using LIKELIHOOD x CONSEQUENCE = RISK SCORE (some calculators also take into account the length of EXPOSURE that the organisation has to each risk, which can give more detailed data about the threat)
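The scoring and evaluation described above, as an added worked example (this is not Company’s own Risk Calculator or Risk Matrix): it computes inherent and residual scores as LIKELIHOOD x CONSEQUENCE with an optional EXPOSURE weighting, bands them on a matrix, and decides whether the residual risk is within tolerance or must be escalated. The 1–5 scales, the band thresholds, the exposure weighting and the sample register rows are all assumptions made for illustration.

```python
"""Risk calculator and register evaluation in the LIKELIHOOD x CONSEQUENCE style.
Added example, not Company's own Risk Calculator: the 1-5 scales, the band
thresholds, the exposure weighting and the sample register are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Assumed bands for a 5 x 5 matrix (scores 1-25): (upper bound, band name).
BANDS = [(4, "Low"), (9, "Moderate"), (15, "High"), (25, "Extreme")]
ACCEPTABLE = {"Low", "Moderate"}   # page: low/moderate residual risk is acceptable
ESCALATE = {"High", "Extreme"}     # page: high/extreme operational risks go to the EMT


def risk_score(likelihood: int, consequence: int, exposure: Optional[float] = None) -> float:
    """LIKELIHOOD x CONSEQUENCE, optionally weighted by the fraction of time exposed."""
    for name, value in (("likelihood", likelihood), ("consequence", consequence)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be on the 1-5 scale, got {value}")
    score = float(likelihood * consequence)
    if exposure is not None:
        if not 0 < exposure <= 1:
            raise ValueError(f"exposure must be a fraction in (0, 1], got {exposure}")
        score *= exposure
    return score


def band(score: float) -> str:
    """Map a score onto the assumed matrix bands."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    return "Extreme"


@dataclass
class RegisterEntry:
    """One register row: rating before controls, rating with existing controls, owner."""
    risk: str
    owner: str
    inherent: tuple              # (likelihood, consequence) before any controls
    residual: tuple              # (likelihood, consequence) with existing controls in place
    exposure: Optional[float] = None


def evaluate(entry: RegisterEntry) -> dict:
    """Score both ratings, then decide acceptability (tolerance/ALARP) and escalation."""
    inherent = risk_score(*entry.inherent, entry.exposure)
    residual = risk_score(*entry.residual, entry.exposure)
    residual_band = band(residual)
    return {
        "risk": entry.risk,
        "owner": entry.owner,
        "inherent_score": inherent,
        "inherent_band": band(inherent),
        "residual_score": residual,
        "residual_band": residual_band,
        # Not acceptable means treatments over and above existing controls are required.
        "acceptable": residual_band in ACCEPTABLE,
        "escalate_to_emt": residual_band in ESCALATE,
    }


def prioritise(register: list) -> list:
    """Evaluate a whole register and order it by residual score, highest first."""
    return sorted((evaluate(e) for e in register),
                  key=lambda row: row["residual_score"], reverse=True)


# Constructed sample register (illustrative rows, not real Company risks).
SAMPLE_REGISTER = [
    RegisterEntry("Loss of key operational staff", "Director, Operations", (4, 4), (3, 3)),
    RegisterEntry("Ransomware disrupting a key service", "Manager, ICT", (4, 5), (3, 4)),
    RegisterEntry("Contractor fall when working at heights", "Manager, Facilities",
                  (3, 5), (2, 5), exposure=0.25),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        print(f"{row['risk']}: residual {row['residual_score']:.2f} ({row['residual_band']}), "
              f"acceptable={row['acceptable']}, escalate={row['escalate_to_emt']}")
```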

Risk Evaluation

Evaluating the risk means determining whether the level of risk falls within the Risk Tolerance of the organisation. Risk tolerance is a pre-set benchmark that indicates whether a risk is acceptable or unacceptable to the business. E.g. a window cleaner working on high-rise buildings has to accept that the work involves working at heights. Their control measures/treatments, therefore, are designed to mitigate the risk of falling from those heights to an industry risk standard of A.L.A.R.P. (As Low As Reasonably Practicable).

Note: Where Company decides to accept a risk based on the evaluation, Company has determined that the risk is ALARP. In this case, the risk owner has decided that the current risk rating is acceptable to Company. For a risk to be ALARP it must be possible for the risk owner to demonstrate that the cost involved in reducing the risk further would be grossly disproportionate to the benefit gained. The ALARP principle arises from the fact that infinite time, effort and money could be spent attempting to reduce a risk to zero with little or no further benefit to Company or the community.

Risk Treatment

Undertaking risk treatments over and above the existing controls will be necessary for those risks determined to be unacceptable (not ALARP), or where the level of risk is necessary to pursue an opportunity. Risk treatment involves selecting one or more options for modifying risks and then implementing those options to achieve a current risk rating that is subsequently evaluated as acceptable. The steps are:

  • Evaluate the risk – determining whether the current risk levels are within tolerance (ALARP) and, if not, generating new risk treatments/controls to mitigate them
  • Identify risk treatments – looking at new methodologies/strategies for dealing with these unacceptable risk levels (based on the Hierarchy of Controls)
  • Assess treatment efficacy – monitoring and reviewing new treatment outcomes and evaluating whether or not the risk levels are within acceptable tolerances

Monitor and Review

Monitoring and review ensure that changing context and priorities are managed and that emerging risk is identified. Included in this step are:

  • Monitoring and review of controls (effectiveness, adequacy, changes in the risk environment, etc.);
  • Learning lessons from successes and failures in terms of root causes and control effectiveness;
  • Improving the risk management process; and
  • A combination of audit processes and line management review etc.

All risk assessments and treatments will be conducted in accordance with the ERM Process Procedure. All relevant documentation must be placed in Company electronic recordkeeping system – Enterprise Content Management (ECM).

Documentation

  • Risk Assessment Matrix
  • Audit reports