Risk Management Guideline

The process for managing departmental and business area risk

Version no.: 1.1
Reference no.: HREAS:GU:2013:001
Policy owner: Principal Consultant, Risk management
Pages: 28
Effective date: April 2013
Review date: April 2015
Security classification: Unclassified
Uncontrolled when printed

Risk Management Document Suite

Corporate Assurance and Risk Management

Page 2 of 28

Table of contents

Introduction ..... 3
Purpose ..... 3
What is risk? ..... 3
Types of risk ..... 4
The risk management process ..... 4
Step 1: Communication and Consultation ..... 5
Step 2: Establish the Context ..... 6
Step 3: Risk assessment – Identify risk ..... 8
Step 4: Risk assessment – Analyse risk ..... 10
Step 5: Risk assessment – Evaluate risk ..... 12
Step 6: Treat risk ..... 14
Step 7: Monitor and Review ..... 15
Appendix A Risk identification techniques ..... 17
Appendix B Risk cause categories ..... 18
Appendix C DSITIA risk assessment matrix ..... 20
Appendix D DSITIA risk rating responses ..... 21
Appendix E Risk controls and treatments ..... 22
Appendix F Fraud and corruption risk assessment ..... 23
Appendix G Glossary ..... 26
References ..... 28

DSITIA risk management guideline

Page 3 of 28

Introduction

Risk needs to be considered and addressed by everyone. Risk management is critical to the department’s planning, management and decision-making processes. Effective risk management will support the achievement of the department’s objectives, help improve service delivery, accountability and decision-making, and contribute to the personal well-being of employees. This Risk Management Guideline should be read in conjunction with the DSITIA Risk Management Policy and the DSITIA Risk Management Framework.

Purpose

This guideline describes best practice for identifying, assessing, treating and monitoring risks based on the approach outlined in the DSITIA Risk Management Framework.

What is risk?

As defined in the AS/NZS ISO 31000:2009 Risk Management - Principles and Guidelines, risk is the effect of uncertainty on objectives. Risk is only present if there is an element of uncertainty surrounding it. If something is going to happen for certain then there is no risk. Figure 1 shows the key risk components and how they link with the internal control environment (preventative, detective and corrective controls).

Figure 1: Key components of a risk


Types of risk

The DSITIA risk governance model defines four types of risk.

Strategic risks are the high level, long-term risks of most concern to the Board of Management and senior executive and will likely have a material impact on the department’s ability to achieve its strategic objectives.

Departmental risks take a horizontal view of risk across the department and predominantly relate to corporate services that support the department’s service delivery objectives, e.g. finance, procurement, people, audit, information management and technology.

Business area risks are operational risks that relate to the business area’s purpose, objectives and operations.

Program and project risks are those risks likely to have an impact on a project team's ability to complete a project or program.

The risk management process

The department’s risk management process provides a systematic approach to identifying, assessing and treating risks. The department has adopted the seven-step process outlined in AS/NZS ISO 31000:2009 Risk Management - Principles and Guidelines depicted in Figure 2.

Figure 2: AS/NZS ISO 31000 risk management process


Step 1: Communication and Consultation

What is the purpose of this step?

Communication, consultation and regular feedback must take place at all stages of the risk management process. Effective communication and consultation throughout the process will ensure that those involved in managing risk, including affected stakeholders, are aware of, and understand why, particular actions are necessary.

It is important to identify all stakeholders who should be involved in the risk management activity prior to the risk assessment being undertaken because this will assist in:

• bringing together different areas of expertise for identifying and analysing risk
• ensuring that different views are appropriately considered in evaluating risks
• ensuring risks are adequately identified
• securing endorsement and support for treatment plans.

How do we do it?

It is important that risk management communication and consultation is undertaken using existing management communication and decision-making processes within the department or business area.

The key stakeholders should be consistent for both business planning and business risk management, to ensure that the two functions are integrated. Business areas should identify if there are additional stakeholders who will be required to participate in the business risk management process, and if so, should ensure these stakeholders are included in the planning and risk process.


Step 2: Establish the Context

What is the purpose of this step?

The purpose of this phase is to define the parameters within which risks will be managed and to set the scope for the rest of the process. This phase is concerned with developing an understanding of the internal and external context within which the department or business area operates and the factors that may influence the achievement of objectives.

How do we do it?

Corporate Assurance and Risk Management (CARM) have established the context for DSITIA risk management in the departmental policy and framework as set out in Queensland Treasury: a guide to risk management. By considering the external and internal environment in which DSITIA operates, CARM has established:

• the DSITIA risk appetite / risk tolerance levels
• the DSITIA risk assessment matrix (including risk consequence definitions and risk responses)
• the DSITIA roles and responsibilities for risk management.

These elements also need to be established by each individual business area after taking into account the internal and external environment in which the business area operates.

Understand the internal and external environment

Understanding the external and internal environment is part of a broader scanning activity and provides the platform for building strategic, business and operational objectives and understanding how we operate.

The strategic plan defines the purpose and vision of the department, its strategic objectives and strategies and the environment the department is operating in. It is important to understand the internal and external environment as this influences the risks the department or business area has in relation to achieving its purpose and objectives. In addition to the information in the Strategic Plan, business areas should ensure they have a good understanding of the external and internal environments they are operating in.

Internal environment (1)

• Strategy: the plan devised to maintain and build competitive advantage over the competition.
• Structure: the way the organisation is structured and who reports to whom.
• Systems: the daily activities and procedures that staff members engage in to get the job done.
• Shared Values: the core values of the organisation evidenced in the corporate culture and the general work ethic.
• Style: the style of leadership adopted.
• Staff: the employees and their general capabilities.
• Skills: the actual skills and competencies of the employees working for the organisation.

External environment (2)

• Political
• Economic & financial
• Socio-cultural
• Technological
• Legal & regulatory
• Environmental
• Key drivers impacting the organisation
• Relationships with, perceptions and values of key external stakeholders.

(1) The McKinsey 7S Framework
(2) PESTLE model

Risk consequence definitions

The DSITIA risk consequence definitions are defined in the DSITIA risk assessment matrix in Appendix C. These consequence definitions are set at the departmental level; similarly, each business area should develop their own consequence definitions for ‘severe’, ‘major’, ‘moderate’ and ‘minor’ as appropriate to their business. A ‘severe’ consequence for a business area will in most cases be vastly different to a ‘severe’ consequence at the departmental level. Defining consequences at both the departmental and business area levels will allow for reporting and escalation of risks that exceed the set tolerances.

Consequence       Likelihood
                  Unlikely    Possible    Likely      Almost certain
Severe            Medium      High        Extreme     Extreme
Major             Medium      High        High        Extreme
Moderate          Low         Medium      High        High
Minor             Low         Low         Medium      Medium

Risk rating responses

Appendix D provides the departmental criteria for responding to risks once the risk rating has been determined. This ensures that the right people are informed of the potential risk and appropriate actions are taken according to the risk level. The risk response ratings also need to be determined at the business area level.


Step 3: Risk assessment – Identify risk

What is the purpose of this step?

Risk identification involves identifying the possible risk events that may impact on the department or business area, what is most likely to cause these, and the consequence or impact of the event.

How do we do it?

Risk identification involves the following steps:

• Identify possible risks
• Categorise the risk
• Determine the risk owner
• Flag whether the risk relates to fraud or corruption

Identify possible risks

Identification of risk involves considering what, why, when, where and how things can happen (including potential for fraud and corruption) and what the impact might be if it does happen. One way of identifying risks is to hold a workshop with key stakeholders using a structured approach designed to identify risks. Techniques that could be used are described in Appendix A.

A risk is made up of three elements – the event (what could happen), the cause/s (the possible triggers for the event) and the consequence/s (the end results of the event).

Event: What could go wrong?
Cause: Why could the event happen?
Consequence: What is the impact of the event?
Together these three elements make up the RISK.

For consistency, risks should be written using the format:

There is a risk that [something may happen] due to [these cause/s] resulting in [these consequence/s].

An example is:

There is a risk that the petty cash could be stolen due to lack of security resulting in financial loss.

Categorise the risk

The risk category enables reporting to the individuals or governance committees who have the power to perform actions and make decisions to affect the risk rating. Each risk should be allocated to the risk category which represents the main cause of the risk (refer to Appendix B). The risk category can also be used to analyse the risks within the register to:

• identify common risk themes
• check for patterns across business areas
• trace back to primary root causes of the risks
• better identify cause and effect relationships
• identify extreme and high level risks that should be brought to the attention of the relevant governance committees or the Board of Management.

Determine the risk owner

Once the risk has been identified, a single risk owner must be nominated. The risk owner is a position title (not a person’s name) and is the position that has the authority to manage a particular risk and has the accountability and authority to deploy and assign resources to manage the risk.

The risk owner must:

• ensure accurate and complete risk information is recorded in the risk register
• ensure risk is managed to an acceptable level (target level)
• ensure risk is regularly reviewed and reported.

The risk owner is not the treatment owner (the person responsible for managing a specific risk treatment action), although they may be assigned specific risk treatment actions. A risk may have multiple treatments and therefore multiple treatment owners. The treatment owners are responsible to report to the risk owner about the action/s they are performing to treat the risk.

Flag whether the risk relates to fraud or corruption

Where the risk relates to a potential for fraud and corruption, this will be flagged within the risk register to allow all fraud and corruption risks to be identified, reported and monitored.

When performing a specific risk assessment for fraud and corruption risks, refer to Appendix F.


Step 4: Risk assessment – Analyse risk

What is the purpose of this step?

Risk analysis is about developing an understanding of the risk in order to determine the level of risk and make decisions about how the risk should be treated.

The purpose of risk analysis is to determine the risk level or risk rating (refer to Appendix C). It involves developing an understanding of each risk, its consequences and the likelihood of the risk occurring. The risk analysis will inform the evaluation of risks, whether risks need to be treated and the selection of the most appropriate risk treatment strategy.

How do we do it?

Risk analysis involves:

• identify the controls that are already in place (existing controls)
• determine the likelihood of the risk occurring (refer Appendix C)
• determine the consequence of the risk occurring (refer Appendix C)
• calculate the risk rating (likelihood x consequence) (refer Appendix C).

Identify existing controls

Controls are typically the department’s policies, strategies and procedures and should effectively modify the risk level by either reducing the consequence of the risk, should it occur, or the likelihood of the risk occurring. Treatments are then added (in step 5 – Evaluate risk) where it is perceived that the existing controls do not maintain the risk at an acceptable level. The current risk likelihood, consequence and risk rating are initially determined once existing controls have been taken into account.

To identify existing controls, think about the controls that are currently in place that are in some way already reducing the overall risk. This could include controls or strategies that may not be set up to address this risk specifically but still influence the likelihood and/or consequence of the risk occurring. If a policy, program, project, initiative or action has been developed then it is treated as an existing control if it is implemented and effective (refer Appendix E for additional detail).

Note: Many risk management methodologies refer to ‘inherent risk’ and ‘residual risk’. ‘Inherent risk’ is defined as the initial risk level prior to any controls being considered and does not change during the life of the risk. ‘Current risk’ (commonly known as ‘residual risk’) is the risk remaining once any existing controls have been taken into account, and this measure is dynamic because it changes as treatments are implemented, or controls are removed or deemed ineffective. Inherent risk is less relevant for entities with an established operating environment and some degree of pre-existing internal controls, and has therefore been omitted from the DSITIA risk management framework as it is considered that all risks will have some form of existing control and to avoid confusion surrounding the term ‘inherent risk’.

CONTROL: an existing mechanism that is modifying the risk

TREATMENT: an additional mechanism required to further modify the risk


Consider whether the following types of controls exist:

Preventative controls
  Definition: controls that manage the causes of the risk to decrease the likelihood of the risk occurring (or increase it in the case of an opportunity)
  Examples: training programs; contract conditions; processes and operating procedures; security

Detective controls
  Definition: controls that produce evidence that preventative controls are functioning, or identify events after they have occurred
  Examples: audit and compliance programs; reviews; reconciliations

Corrective controls
  Definition: controls that decrease the extent of the consequence once it has occurred (or increase it in the case of an opportunity)
  Examples: business continuity plan; disaster recovery plan; crisis plan; insurance

Determine the likelihood of the risk occurring

Determining the likelihood of a risk eventuating is a subjective consideration. When determining the likelihood of the risk, the risk owner should consider:

• existing controls and how effective they are at mitigating the risk
• past records and experience
• any results of research or consultation.

The DSITIA risk assessment matrix (refer to Appendix C) defines the likelihood of the risk occurring, based on the information available at the time of assessment, as either ‘unlikely’, ‘possible’, ‘likely’ or ‘almost certain’.

Determine the consequence of the risk occurring

Determining the risk consequence is a two-step process. First, the risk owner should consider whether the impact of the risk on the department or business area will be:

• Financial
• Service delivery
• Reputation
• People or workplace health and safety
• Environmental

Second, consult the DSITIA risk assessment matrix (refer to Appendix C) and use the consequence definitions to find the most suitable consequence level.

Calculate the Risk Rating

The risk rating is the combination of the likelihood of the risk occurring and the size of the consequence of the risk event. For DSITIA, the risk rating can either be ‘low’, ‘medium’, ‘high’ or ‘extreme’ (refer to Appendix C). The risk rating determines how to treat a risk as well as any requirement for reporting or escalation.


Step 5: Risk assessment – Evaluate risk

What is the purpose of this step?

The purpose of risk evaluation is to make decisions based on the outcomes of risk analysis about which risks are acceptable, which risks need treatment and the treatment priorities. The highest priority should be given to those risks that are evaluated as being the least acceptable. To treat unacceptable risks, we may improve existing controls or develop and implement new controls.

How do we do it?

The risk evaluation stage involves the following key steps:

• determine treatment actions using risk rating responses
• determine the risk target
• determine the treatment decision

Determine treatment actions using risk rating responses

The risk rating of ‘extreme’, ‘high’, ‘medium’ or ‘low’ calculated during analysis of the risk will determine the required response. The risk rating responses can be found in Appendix D.

Determine the risk target

The risk target is the level of risk after treatment that is tolerable to the department or business area. Risk targets should be determined by the risk owner.

When identifying the risk target for each risk it is important to consider the following:

• the risk appetite of the department or business area
• the determination of the acceptable level for each risk given:
  o the nature of the risk and the level of control the department or business area has over the causes of the risk
  o the benefits of expending cost and effort to mitigate the risk effectively.

Determine the treatment decision

The decision about how to treat a risk is based on the relationship between the current risk rating and the target risk rating.

• Where the current risk rating is higher than the target risk rating, risk treatment actions should be undertaken to reduce the risk to the required target.
• Where the current risk rating is the same or lower than the target risk rating, the risk can be accepted and monitored.

It is important that risks are treated appropriately to reduce the risk to a level that is tolerable to the department or business area. It is also important that mitigation efforts are focussed on priority risk areas. In some instances the risk target may be high despite the risk tolerance of the Department or business area. This could occur in situations where no amount of reasonable mitigation treatment will effectively reduce the risk to a normally tolerable level.

When determining the treatment decision consider:

• The causes of the risk and whether they are within the department’s or business area’s ability to manage
• The effectiveness of existing detective and preventative controls to manage the causes of the risk
• What resources would be required to implement treatment actions and what is the expected change in risk level?
• The cost of implementing each treatment option against the benefits derived from it
• The gap between the current risk rating and the risk target

The following treatment decisions are possible:

Reduce
  Apply a risk treatment that reduces either the likelihood or consequence of the risk occurring. Also known as risk mitigation or modify.

Avoid
  An informed decision not to be involved in, or to withdraw from, an activity in order not to be exposed to a particular risk.

Share
  The agreed distribution of risk with other parties. Legal or regulatory requirements can limit, prohibit or mandate risk sharing. Risk sharing can be carried out through insurance or other contracts. The extent to which risk is distributed can depend on the reliability and clarity of the sharing arrangements. Risk transfer is a form of risk sharing. Note: The accountability for meeting business objectives or achieving outcomes cannot be transferred.

Accept
  Acceptance of the potential benefit of gain or burden of loss from a risk. The risk is monitored in case the risk rating changes, possibly resulting in the need for a different treatment strategy.


Step 6: Treat risk

What is the purpose of this step?

The purpose of the risk treatment step is to ensure that risks considered to be unacceptable are treated appropriately to reduce the risk to an acceptable level. This is achieved through the development of appropriate actions, known as a risk treatment plan.

How do we do it?

The DSITIA risk rating responses table (refer to Appendix D) indicates the course of action required for risks in response to their risk rating. Once it is determined that a risk level is unacceptable and needs to be reduced, the next step is to develop the treatment plan.

Treating risks involves selecting one or more options to reduce the likelihood and/or the consequence. Treatments could also include the redesign and re-implementation of existing controls that are currently deemed to be ineffective. Some risk is unavoidable and it is not within the ability of the department or business area to completely manage all risks to a level commensurate with the risk appetite of the department or business area. For example, agencies have limited control over risks associated with terrorist activity or natural disasters. In these instances, the only action that can be taken by the agency is the preparation of contingency plans for business continuity. A business continuity plan should include appropriate crisis management plans that can be activated as required and these plans should be tested periodically to ensure their effectiveness.

Consider the following when planning for the most appropriate treatment of a risk:

1. Attempt to reduce the likelihood of the risk occurring by treating the cause/s of the risk.
2. If the cause/s are not able to be treated, or treating them still leaves the risk rating at an unacceptable level, treat the level or size of the consequence by putting in place a contingency plan.
3. Balance the costs and efforts of treatment against the benefits derived.
4. Be aware of the possible introduction of new or secondary risks as a result of implementing treatments.

Fraud Controls

The department has adopted the Crime and Misconduct Commission’s 10 point best practice fraud control model. Point 2 requires that fraud and corruption risk assessments are conducted on a regular basis. The fraud risk should not be looked at in isolation from the general business of the department, and may be integrated with business risk assessments, particularly as there is considerable overlap between business risk, audit risk, security risk and fraud risk.

For fraud and corruption-related risks the risk treatment is the fraud control plan. The Auditor-General of Queensland’s Results of audits – Internal control systems report 5:2012 states that “departments should provide specific fraud training to staff, customised to their particular fraud risks”. Based on this recommendation, all treatment plans for fraud and corruption-related risks should include a training component related to the specific risk.


Step 7: Monitor and Review

What is the purpose of this step?

Risks must be monitored and reviewed regularly to ensure a proactive approach to managing risks as new risks emerge and existing risks change.

The purpose of the monitor and review step is to ensure that departmental and business area risks are effectively managed, appropriately reported, and that the changing nature of risk is taken into account. This will ensure that risk registers are a dynamic, current and accurate record of departmental and business area risk exposure, and that risks are escalated to appropriate senior management when required.

How do we do it?

The Corporate Assurance and Risk Management (CARM) unit owns the departmental risk register and will request business areas to provide an update of their ‘extreme’ and ‘high’ risks on a quarterly basis for reporting to the DSITIA governance committees and Board of Management. Business areas should therefore ensure that they are vigilant in monitoring their high-level risks. Business areas should also review and update their risk registers consistent with the schedule of their own governance committee meetings.
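The following Python sketch is an added illustration, not part of the guideline and not a DSITIA tool. It ties together four pieces of the process described above: the risk statement format from Step 3 (parsed into event, cause and consequence so malformed register entries are rejected on entry), the Appendix C matrix used to calculate the rating in Step 4, the current-versus-target treatment decision from Step 5, and the quarterly extract of ‘extreme’ and ‘high’ risks that CARM requests in Step 7. The register entries, position titles and ratings in the sample are constructed for the example; only the matrix values and the statement format come from the guideline.

```python
import re
from dataclasses import dataclass

# DSITIA risk assessment matrix as printed in the guideline (Appendix C).
# Rows are consequence levels; columns follow LIKELIHOODS in order.
LIKELIHOODS = ["unlikely", "possible", "likely", "almost certain"]
MATRIX = {
    "severe":   ["medium", "high",   "extreme", "extreme"],
    "major":    ["medium", "high",   "high",    "extreme"],
    "moderate": ["low",    "medium", "high",    "high"],
    "minor":    ["low",    "low",    "medium",  "medium"],
}
RATING_ORDER = {"low": 0, "medium": 1, "high": 2, "extreme": 3}

# Statement format from Step 3:
# "There is a risk that [event] due to [cause/s] resulting in [consequence/s]."
STATEMENT_RE = re.compile(
    r"^\s*there is a risk that\s+(?P<event>.+?)\s+due to\s+(?P<cause>.+?)"
    r"\s+resulting in\s+(?P<consequence>.+?)\.?\s*$",
    re.IGNORECASE,
)


def parse_risk_statement(text):
    """Split a statement written in the guideline's format into its three elements.

    Raises ValueError for text that does not follow the format, so a malformed
    entry is caught when it is recorded rather than stored silently."""
    match = STATEMENT_RE.match(text)
    if not match:
        raise ValueError(f"statement is not in the required format: {text!r}")
    return {name: value.strip() for name, value in match.groupdict().items()}


def risk_rating(likelihood, consequence):
    """Look up the rating (low/medium/high/extreme) for a likelihood and consequence."""
    column = LIKELIHOODS.index(likelihood.lower())
    return MATRIX[consequence.lower()][column]


@dataclass
class Risk:
    risk_id: str
    statement: str
    owner: str                   # a position title, not a person's name (Step 3)
    likelihood: str
    consequence: str
    target: str                  # rating tolerable after treatment (Step 5)
    fraud_related: bool = False  # flagged in the register (Step 3)

    @property
    def current_rating(self):
        return risk_rating(self.likelihood, self.consequence)

    def treatment_decision(self):
        """Step 5: treat when the current rating is above the target;
        otherwise the risk can be accepted and monitored."""
        if RATING_ORDER[self.current_rating] > RATING_ORDER[self.target]:
            return "treat"
        return "accept and monitor"


def quarterly_report(register):
    """Step 7: the risks CARM requests each quarter, i.e. those rated extreme or high."""
    return [r.risk_id for r in register
            if RATING_ORDER[r.current_rating] >= RATING_ORDER["high"]]


def fraud_risks(register):
    """Risks flagged as fraud or corruption related, for separate monitoring (Step 3)."""
    return [r.risk_id for r in register if r.fraud_related]


# Constructed sample register: statements, owners and ratings are made up for this example.
SAMPLE_REGISTER = [
    Risk("R1", "There is a risk that the petty cash could be stolen due to lack of "
               "security resulting in financial loss.",
         "Finance Manager", "possible", "minor", "low", fraud_related=True),
    Risk("R2", "There is a risk that the grants system is unavailable due to an untested "
               "disaster recovery plan resulting in delayed payments.",
         "Director, ICT Services", "likely", "major", "medium"),
    Risk("R3", "There is a risk that staff bypass procurement rules due to limited "
               "training resulting in non-compliant purchases.",
         "Procurement Manager", "almost certain", "moderate", "medium", fraud_related=True),
]

if __name__ == "__main__":
    for risk in SAMPLE_REGISTER:
        parts = parse_risk_statement(risk.statement)
        print(risk.risk_id, risk.current_rating, risk.treatment_decision(), parts["event"])
    print("quarterly report:", quarterly_report(SAMPLE_REGISTER))
    print("fraud-related:", fraud_risks(SAMPLE_REGISTER))
```

The rating order is kept as an explicit mapping so that "higher than the target" is a comparison on the guideline's four levels rather than on strings, and the parser rejects anything that is not in the prescribed form, which is the cheapest point at which to keep a register consistent.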

Reviewing the risk register

At a minimum the following elements of risks should be reviewed to ensure the risk register remains current and accurate:

• Risk cause/s
  o Are these still relevant?
  o Are there any additional causes?
• Risk consequence/s
  o Has this changed from last review?
• Existing controls
  o Are these still in place and effective?
  o Are there any additional controls?
• Status and effectiveness of treatments
  o Has there been any progress?
  o Are the treatment actions still effective or has something changed that would mean another action may be more effective?
• Consequence rating
  o Has the completion of risk treatment actions or any other factor reduced the consequence of the risk or have additional causes or impacts been identified which have increased the risk?
• Likelihood rating
  o Has the completion of risk treatment actions or any other factor reduced the likelihood of the risk or have additional causes or impacts been identified which have increased the risk?
• Additional risks
  o Have any new risks emerged since the last review?

Reporting

When reporting risks consider the audience and their requirements:

• Do they want to know all the risks or just the significant ones?
• Do they want to know the risks under control or just the exceptions, i.e. those not responding to treatment?
• Do they just want to know new risks or variances in the risk rating?
• Do they want to know risks relating to a specific category?


Appendix A Risk identification techniques

Brainstorming

The term brainstorming is often used very loosely to mean any type of group discussion. However, effective facilitation is very important to the success of this technique and includes stimulation of the discussion, prompting and capture of the issues arising from the discussion.

Structured or Semi-structured interviews

In a structured interview individual interviewees are asked a set of prepared questions which encourages the interviewee to view a situation from a different perspective, and therefore identify risks from that perspective. A semi-structured interview is similar but allows more freedom for a conversation to explore issues which arise.

SWOT (Strengths, Weaknesses, Opportunities, Threats) Analysis

SWOT is a strategic planning tool used to evaluate the strengths, weaknesses (internal), opportunities and threats (external) to an organisation. It involves considering objectives and identifying the internal and external factors that are favourable and unfavourable to achieving those objectives.

PESTLE (Political, Economic, Sociocultural, Technological, Legal, Environmental) Analysis

PESTLE analysis is a technique which can be used in conjunction with a SWOT analysis. It is used to help organisations identify and understand the external environment in which they operate and how it is perceived to operate in the future in relation to Political, Economic, Sociocultural, Technological, Legal and Environmental categories.

Check lists

Check lists are lists of hazards, risks or control failures that have been developed usually from experience, either as a result of a previous risk assessment or as a result of past failures. A check list can be used to identify hazards and risks or to assess the effectiveness of controls. They can also be used at any stage of the lifecycle of a product, process or system.

Scenario Analysis

Scenario analysis is a name given to the development of descriptive models of how the future might turn out. It consists of defining a simplified model of a real system, and using the model to consider what might happen given various possible future developments. Scenario analysis may be used to anticipate how both threats and opportunities might develop and may be used for all types of risk with both short and long term time frames.

Business Impact Analysis (BIA)

The BIA provides an analysis of how key disruption risks could affect an organisation’s operations and identifies and quantifies the capabilities that would be required to manage them. The BIA is used to determine the criticality and recovery timeframes of processes and supporting resources (people, equipment, ICT) to ensure the continued achievement of objectives. It is typically used for business continuity planning.

For further details on risk management techniques refer to Standards Australia HB 89–2012 Risk Management – Guidelines on risk assessment techniques.


Appendix B Risk cause categories

Cause category | Including | Report risks to committee
Asset management | Performance of assets; Protection of assets; Potential for fraud and corruption | Finance
Budgeting & resource allocation | Budget management; Resource allocation | Finance
Change management | Departmental culture; Organisational and Government changes | People
Changing demographics | Changing demographics of the organisation or the wider community | BoM
Communications | Marketing; Publication and Web Management; Internal and External Communication; Public Affairs Management | People
Compliance with laws, regulations & policies | Compliance with whole-of-Government and departmental regulatory and legislative requirements and policies | BoM
Environmental protection | Environmental protection | BoM
Expenditure management | Financial expenditure | Finance
Financial management | Corporate Finance; Financial Strategy and Policy; Grants Management; Financial reporting | Finance
Governance | Strategic Management; Risk Management; Accountability; Legislation, Regulation and Policy; Policy development & implementation | BoM
Government priorities | Government priorities | BoM
Human resources | Workforce relations; Attraction and retention; Recruitment and selection; Staff development; Diversity; Payroll Services; HR Policy | People
ICT asset management | Performance of ICT assets; Protection of ICT assets; Potential for fraud and corruption | ISC
Industry developments | Industry developments | BoM
Information & knowledge | Information and knowledge management; Loss of information; Damage to information; Modification of information; Disclosure of information; Inaccessibility of information | ISC
Information technology | Information and communication technology; Business systems | ISC
Inventory management | Inventory management; Potential for fraud and corruption | Finance
Legal liabilities & litigation | Legal | BoM
Machinery of government changes | Machinery of government changes | BoM
Management skills | Management skills | People
Media relations | Media relations | BoM
Natural disasters | Natural disasters | BoM
Performance management | Performance Planning and Reporting | Finance
Planning & priority setting | Achieving the policy outcomes required; Effectiveness of the policy; Implementation of policy; Unintended consequences of the policy; Strategic Planning; Operational Planning | BoM
Procurement & contracting | Compliance with State Procurement Policy; Procurement capability; Procurement planning and processes; Contract management; Sourcing; Potential for fraud and corruption | Procurement
Program delivery (ICT) | Program deliverables; Implementation; Unintended consequences | ISC
Program delivery (non-ICT) | Program deliverables; Implementation; Unintended consequences | BoM
Project delivery (ICT) | Project deliverables; Implementation; Unintended consequences | ISC
Project delivery (non-ICT) | Project deliverables; Implementation; Unintended consequences | BoM
Public expectations | Public expectations | BoM
Reputation | Reputation | BoM
Revenue & cost recovery | Revenue & cost recovery | Finance
Security threats & terrorism | Security threats & terrorism | BoM
Security, privacy & confidentiality | Security, privacy & confidentiality | ISC
Stakeholder relations | Community Relationship; External Stakeholders; Client, Industry and Customer Services | BoM
Statutory reporting | Statutory reporting | BoM
Technical skills | Technical skills | People
Technology trends | Technology trends | ISC
Workplace health & safety | People; Machinery and equipment; Manual tasks / ergonomics; Facilities / built environment; Accident management | WH&S


Appendix C DSITIA risk assessment matrix

Likelihood level

Unlikely – Occurrence is conceivable, but not expected to occur. A <30% chance of this risk eventuating.
Possible – The event may occur at some time. A 30–60% chance of this risk eventuating.
Likely – The event may occur at least once over the coming year. A 61–90% chance of this risk eventuating.
Almost certain – Can probably expect it to occur in most circumstances. A >90% chance of this risk eventuating.

Consequence level – DSITIA Consequence Description

Severe
Threatens the department’s ability to meet government priorities, deliver public value or achieve strategic objectives.
Financial – Long term impact on departmental finances. Losses not recoverable beyond the next financial budget, jeopardising critical business functionality and services. Or, exposure of >$500k to unfunded financial commitments [3].
Service Delivery – Disruption to multiple critical deliverables [4]. Causes acute and protracted problems for clients and stakeholders.
Reputation – Affects the department’s long term credibility with clients and stakeholders. Loss of public trust. Severe political consequences that incur Parliamentary enquiries or prolonged public scrutiny / media attention.
People/WHS – Reduced workforce capability/capacity threatens long term service viability. Death or permanent disablement.
Environmental – Permanent damage to the environment.

Major
Financial – Impact on departmental finances. Losses not recoverable within current financial budget. Or, exposure of between $100k and $500k to unfunded financial commitments [3].
Service Delivery – Disruption to a critical deliverable [2]. Threatens the completion of strategic program/project and business case benefits. Causes problems for clients and stakeholders in fulfilling their obligations.
Reputation – Has a detrimental effect on the department’s short term credibility with clients and stakeholders. Political consequences for the department, incurring independent enquiry or short term public scrutiny / media attention.
People/WHS – Reduced workforce capability/capacity unable to support key services. Serious bodily injury or work caused illness.
Environmental – Long term detrimental impact on the environment.

Moderate
Financial – Impact on departmental finances. Losses recoverable within the current financial budget. Or, exposure of <$100k to unfunded financial commitments [3].
Service Delivery – Interruption to essential support deliverables and associated service performance targets. Threatens the realisation of some program or project benefits.
Reputation – Causes client and stakeholder dissatisfaction, and has a detrimental effect on the business area’s credibility and stakeholder relations. Incurs significant review or change in manner of delivery.
People/WHS – Reduced workforce capability/capacity affects service quality. Injury/illness requires medical treatment.
Environmental – Short term impact on the environment. Able to be contained with specialist assistance.

Minor
Financial – Noticeable impact on departmental finances. Losses recoverable within current financial budget. It would have some minor financial implications requiring a review of financial internal controls.
Service Delivery – Minor interruption to a service/s and associated service performance targets. It would be detrimental for some aspects of the program or project.
Reputation – It would cause some client or stakeholder complaints requiring additional management.
People/WHS – Reduced workforce capability/capacity affects operational processes. Localised first aid required.
Environmental – Minimal detrimental impact on the environment.

Risk rating matrix (consequence level down, likelihood level across)

Consequence | Unlikely | Possible | Likely | Almost certain
Severe | Medium | High | Extreme | Extreme
Major | Medium | High | High | Extreme
Moderate | Low | Medium | High | High
Minor | Low | Low | Medium | Medium

[3] The $ value is a guide. Where necessary, advice should be sought from the DSITIA Finance department to estimate the materiality of consequences.

[4] Definitions have been taken from the Business Continuity and Disaster Management Policy and Guideline.


Appendix D DSITIA risk rating responses

Risk rating | Response | Risk acceptability

Extreme
- Reported to Director-General via DDG/ADG and existing management structures within 48 hours of identification.
- Risk owner assigned.
- Risk target established and risk treatment actions developed including contingency plan.
- Board of Management/Governance committees to be made aware and provide guidance.
- Progress regularly reported to Board of Management.
Risk acceptability: Unacceptable

High
- Reported to Director-General via DDG/ADG and existing management structures.
- Risk owner assigned.
- Risk target established and, where risk target is lower than overall risk rating, establish risk treatment actions and contingency plan (where relevant).
- Progress reported to Board of Management, DDG/ADG or Functional Heads.
Risk acceptability: Unacceptable

Medium
- Reported to General Manager/Executive Director/Director via existing management structures.
- Risk owner assigned.
- Risk target established and, where risk target is lower than overall risk rating, establish risk treatment actions and contingency plan (where relevant).
- Progress reported regularly to GM/ED/Director or Functional Heads.
Risk acceptability: Risk eventuation may be tolerable under certain circumstances

Low
- Monitor the risk.
- Should be managed via routine procedures and internal reporting mechanisms.
- Risk owner assigned.
Risk acceptability: Acceptable


Appendix E Risk controls and treatments

The effective management of risk involves considering risk treatment and control effectiveness. Controls are typically the department’s policies and procedures and should effectively modify the risk level by either reducing the consequence of the risk, should it occur, or the likelihood of the risk occurring. The current risk rating is initially based on the level of risk with controls implemented and effective.

When the current risk level is deemed to be intolerable by the department, treatments need to be applied to further modify the risk to an acceptable level. Treatments need to be analysed when implemented to check that they are assisting to manage the risk at a tolerable level.

Control Effectiveness

Controls are mechanisms that modify risk and can exist at the organisational and process level. There can be more than one control for each identified risk. They are designed to address the root cause of risk and are (typically) policies, processes, procedures, and strategies. Controls are used to calculate the current risk level and identify the extent to which controls are modifying the risk.

Controls need to be:
- regularly monitored and/or updated
- reconsidered when a change occurs which might impact on the objectives and associated risks
- measured for effectiveness.

Controls may not always achieve the desired modifying effect. Control gaps or ineffective controls can lead to the same outcomes as having no controls at all.

Controls require ongoing monitoring, and informal and formal testing (where practical) to review their effectiveness. As a quick guide to control effectiveness, the department uses a simple set of descriptors that focus on the design and application of controls as well as management confidence in the reliability of the control.

Control rating | Description
Adequate | Controls address the risk. Little scope for improvement. No convincing cost/benefit justification to change approach.
Opportunities for improvement | Controls have deficiencies. Improvements identified. Some cost/benefit justification to change approach.
Inadequate | Controls do not appropriately address the risk. Immediate need for improvement actions. Significant cost/benefit justification to change approach.


Appendix F Fraud and corruption risk assessment

A complete identification of fraud and corruption risk exposure will only come from a thorough search for all potential risks. The DSITIA Fraud and Corruption Control Gap Analysis Tool can be used as a starting point for identification of fraud risks. The tool acts as a check or prompt list, identifying the common inherent risks in work areas susceptible to fraud and corruption, and suggesting standard controls that could be used to manage the risks.

The broader the range of stakeholders involved in this process, the more likely it is that all potential risks will be identified.

Fraud and corruption may be perpetrated by:
- departmental employees or contractors
- clients, suppliers or members of the public, or
- collusion involving both departmental employees and external parties.

To identify fraud and corruption risks consider the following questions:
- How could fraud and corruption occur?
- What circumstances or events could cause this?
- What would be the impact or consequence?

Sources of information which can be used to identify fraud and corruption risks include:

1. Contextual information

For example:
- the current goals and strategies of the business area
- main business activities and processes
- organisational levels and locations, e.g. remote location vs. central business district
- major cost or revenue items
- significant things happening in the business area’s environment
- risks and issues identified in audit reports
- reasons for material losses (recorded in the Material Losses Register)
- circumstances of officers being offered or receiving gifts and benefits (recorded in the Gifts and Benefits Register)
- feedback from stakeholders, e.g. Assistant/Deputy Directors-General, client agencies, Queensland Audit Office.


2. Past instances of fraud and corruption in government departments

Types of fraud experienced by government departments have included:
- Misappropriation, e.g. changing account details on a departmental system to deposit funds into a personal account
- Falsifying official documents, e.g. purposely recording inaccuracies on a timesheet to obtain a benefit, falsely claiming for overtime, falsifying medical certificates to obtain paid sick leave
- Collusion, e.g. staff colluding with a contractor to approve invoices (knowing that the work had not been undertaken) in return for kickbacks from the contractor.

3. Areas of perceived high fraud and corruption risk in the public sector

The CMC survey “Profiling the Queensland public sector” outlines operational areas and functions perceived to have high fraud and corruption risk, including:
- financial functions such as the receipt of cash, revenue collection and payment systems, salaries and allowances and entertainment expenses
- construction, development and planning functions ranging from land rezoning or development applications to construction and building activities
- regulatory functions involving the inspection, regulation or monitoring of facilities, and operational practices, including the issue of fines or other sanctions
- licensing functions such as the issue of qualifications or licences to indicate proficiency or enable the performance of certain activities
- demand-driven or allocation-based functions where demand often exceeds supply, including the allocation of services or grants of public funds, or the provision of subsidies, financial assistance, concessions or other relief
- procurement and purchasing functions including e-commerce activities, tendering, contract management and administration
- other functions involving the exercise of discretion, or where there are regular dealings between public sector and private sector personnel (especially operations that are remotely based or have minimal supervision).

Other points to consider when assessing fraud and corruption risks

Please keep the following points in mind when undertaking a fraud and corruption risk assessment.

1. Analyse risks and consider further prevention opportunities in relation to:
- the allocation of grants (and subsidies) of public funds
- relationships and dealings with the private sector
- inspecting, regulating or monitoring standards of premises, businesses, equipment and products
- the issuing of fines or other sanctions


- the training and support of staff working specifically in high risk areas
- falsifying official documents, e.g. timesheets, leave forms
- misuse of departmental resources, e.g. car, phone, computer
- misappropriation, including in relation to:
  - misuse of corporate credit cards
  - misuse of Cabcharge vouchers
  - failure to return departmental property after a person has left the department.

2. Encourage managers to be proactive in supporting disclosers and initiating strategies for dealing with misconduct rather than relying on and reacting to complaints.

3. Raise awareness about conflicts of interest and other/secondary employment.

4. Raise awareness about responsibilities for identifying and reporting misconduct.


Appendix G Glossary

These definitions are consistent with the terms used in AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines.

Term – Description

Business area – A departmental unit that reports to an Assistant/Deputy Director-General.

Business area risk – Risks that relate to the business area’s purpose, objectives and operations. Also see Operational risk.

Cause – Something that results in an event.

Consequence – The outcome of an event or circumstance affecting the achievement of objectives.
Note 1: An event can lead to a range of consequences.
Note 2: A consequence can be certain or uncertain and can have positive or negative effects on objectives.
Note 3: Consequences can be expressed qualitatively or quantitatively.
Note 4: Initial consequences can escalate through knock-on effects.

Control – Measure that is modifying risk.
Note 1: Controls include any process, policy, device or practice, or other actions which modify risk.
Note 2: Controls may not always exert the intended or assumed modifying effect.

Corruption – Involves a breach of trust in the performance of official duties and includes conduct which does or could adversely affect the honest or impartial exercise of official functions by an employee, whether or not for the benefit of the person. It also includes conduct by an employee involving dishonesty or failure to impartially exercise an official function.

Current risk – The risk remaining after risk treatment. It is the level of risk that remains after assessing the effectiveness of the controls, treatments and any management strategies and other mechanisms currently in place to modify a particular risk.
Note: this is the same definition as ‘residual risk’ in ISO Guide 73. Efforts have been made to use everyday language rather than purist risk management speak.

Departmental risk – Operational risks that relate to the department as a whole, sometimes referred to as ‘corporate risk’. These risks are common across multiple business areas or potentially interagency.

Division – A group of service areas that report to a Deputy/Assistant Director-General.

Division Head – Deputy Director-General or Assistant Director-General responsible for a number of service areas.

Existing control – Controls that are in place at the time of risk identification and at the time of initial risk rating.

Fraud – Refers to an intentional dishonest act or omission done with the intent of deceiving. It may have the object of obtaining a benefit for some person or causing a detriment. It includes the situation where a person makes a false representation about something and lacks belief in the truth of the representation or makes it recklessly, not caring whether it is true or false.

Hazard – Possible source of danger, or conditions, physical or operational, that have a capacity to produce a particular type of adverse effect.

Impact – See “Consequence”.

Interagency risk – A risk that relates to more than one agency (for example, collaborative projects) and requires treatment by multiple agencies to be effective.

Level of risk – The magnitude of a risk measured in terms of the combination of the consequences and likelihood.

Likelihood – The chance of something happening.

Operational risk – Those risks that arise in day to day operations, and which require specific and detailed response and monitoring regimes. If not treated and monitored, organisational risk could potentially result in major adverse consequences for the department. The Treasury’s guide to risk further expands on this definition, stating: A risk that may arise in day to day operations and could have an impact on the achievement of:
- the department’s strategic objectives from the perspective of actions undertaken by a particular division, business area, branch or work unit
- program or project management objectives.
Also see Business area risk.

Program – A grouping or list of projects and activities planned and managed in a coordinated way in order to achieve outcomes and realise benefits.

Project – A temporary process or endeavour which has a clearly defined start and end time, a structured set of activities and tasks, a budget and a specified business case.

Project management – The management of the full project life cycle to ensure stakeholders are fully engaged, risk is actively managed and outputs are delivered. It is the planning, monitoring and control of all aspects of the project to achieve the project objectives on time and to the specified cost, quality and performance.

Residual risk – See Current risk.

Risk – The effect of uncertainty on objectives.
Note 1: An effect is a deviation from the expected – positive and/or negative.
Note 2: Objectives can have different aspects and can apply at different levels (such as strategic, organisation wide, project, product and process).
Note 3: Risk is often characterised by reference to potential events and consequences or a combination of these.
Note 4: Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.
Note 5: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.

Risk acceptance & monitoring – Acceptance of the potential benefit of gain or burden of loss from a risk. The risk is monitored in case the risk rating changes, possibly resulting in the need for a different treatment strategy.

Risk analysis – The systematic process to comprehend the nature of risk and level of risk.

Risk appetite – The amount and type of risk the department/service area is prepared to pursue or take to achieve an objective.

Risk assessment – The three process steps of risk identification, risk analysis and risk evaluation form the risk assessment.

Risk avoidance – An informed decision not to be involved in, or to withdraw from, an activity in order to not be exposed to a particular risk.

Risk category – A way of categorising a risk to enhance risk identification and analysis and risk reporting.

Risk criteria – Terms of reference against which the significance of a risk is assessed.

Risk description – Statement of risk, which describes the risk in terms of the risk event, causes and consequences of the risk.

Risk escalation – Process facilitating a change of risk ownership to the next higher management level in cases where the approval and management of additional controls is beyond the delegation/authority of the management level at which the risk was identified.

Risk evaluation – Process of comparing the results of the risk analysis against risk criteria to determine the level of risk and whether it is tolerable or not.

Risk event – An uncertain occurrence or set of circumstances that, should it occur, will have an effect on the achievement of an objective.
Note 1: An event can consist of something not happening.
Note 2: An event can be one or more occurrences, and can have several causes.

Risk management – Coordinated activities to direct and control an organisation with regard to risk.

Risk Management Framework – Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.

Risk owner – Person or entity with the accountability and authority to manage the risk.

Risk rating – Magnitude of a risk or combination of risks expressed in terms of the combination of consequence and their likelihood.

Risk reduction – Application of a risk treatment that reduces either the likelihood or consequence of the risk occurring. Also known as risk mitigation.

Risk register – Record of information about identified risks.

Risk sharing – The agreed distribution of risk with other parties. Legal or regulatory requirements can limit, prohibit or mandate risk sharing. Risk sharing can be carried out through insurance or other contracts. The extent to which risk is distributed can depend on the reliability and clarity of the sharing arrangements. Risk transfer is a form of risk sharing.
Note: The accountability for meeting business objectives or achieving outcomes cannot be transferred.

Risk tolerance – Organisation or stakeholder readiness to bear the risk after risk treatment in order to achieve its objectives (risk tolerance can be influenced by legal or regulatory requirements).

Risk treatment action – Any specific action designed to reduce the likelihood or consequence of a risk.

Strategic risk – Risks that may affect the department’s ability to meet its overall purpose and strategic objectives and require direct oversight by the Board of Management.

References

AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines

Standards Australia HB 89–2012 Risk Management – Guidelines on risk assessment techniques

ISO Guide 73:2009 Risk Management – Vocabulary

A Guide to Risk Management

Results of audits – Internal control systems report 5:2012