Risk Management in the S.A. Risk Management in the S.A. Public Sector Public Sector

Darryl Bruhn

Risk Management Coordinator

SAFA (SAICORP)

Phone 8226 3429

Bruhn.Darryl2@saugov.sa.gov.au

SAFA (SAICORP)SAFA (SAICORP)

1/7/1994 South Australian Insurance Corporation (trading as SAICORP)established. Insurance cover for all agencies of the Crown Whole of Government catastrophe reinsurance Provide risk management advice & assistance

1/7/2006 SAICORP amalgamated with South Australian Financing Authority (SAFA).

Part of Dept. Treasury & Finance

Risk Management Advice & Risk Management Advice & AssistanceAssistance

Coordinating risk management training Assisting agencies with risk management policy &

framework development Providing funding for specific risk management initiatives Coordinating networks and forums Developing manuals & workbooks Publishing the SAICORP Newsletter Promoting AS/NZS4360 Risk Management Standard &

RMIA

Session OutlineSession Outline

1. Risk & Risk Management Context

2. Reasons for implementing risk management

policy & frameworks.

3. Developing risk management policy &

frameworks – agency considerations.

RISK MANAGEMENT STANDARD AS/NZS 4360

Developed with the objective of providing a guide to establishing a risk management framework using the risk management process.

The standard specifies the elements of the risk management process only.

It is a generic framework and independent of any specific industry or economic sector.

Definitions in 4360

Risk is “the CHANCE of something happening that will have an IMPACT on OBJECTIVES”

Risk = DEGREE of UNCERTAINTY as to the potential for gain as well as exposure to loss.

Risk Management is the “CULTURE, PROCESSES AND STRUCTURES that are directed towards realising potential opportunities, whilst managing adverse effects.”

Built-in continuous improvement cycle

Risk Assessment

= Identify, Analyse & Evaluate Risks

Define Context first

Opportunities as well

RISK MANAGEMENT PROCESS

Subset of the Risk Management process

Managers involved in this

Define Context and clear focus for risk assessment.

E.g. Strategic, business or project plan

3 years, 1 year, 6 months

J &PS Outcomes

Objectives – Impacted upon

Degree of Uncertainty

RISK ASSESSMENT

Unexpected Events

Expected Events

Uncertainty = at what rate will it occur

Will it Impact on Objectives?

Staff turnover, absences, workers compensation costs

Consider scenarios

RISK ASSESSMENT (continued)

Uncertainty-based Risks

Characteristics Extremely hard to

quantify Catastrophic in nature Out of our control Always negative

outcomes Restorative planning &

actions

RM Response Business Continuity Emergency Response Disaster Recovery

Planning

Question of balance.

Hazard type risks

Characteristics Insurable type risks Extensive data available SOP’s used to manage Accident rate that is

uncertain Treat by reducing

likelihood/consequence or both - Preventative

Examples OH & S / Workers Comp. Property Financial management Clinical

Opportunity type risks

Characteristics Often non insurable

type risks Assessment is

qualitative Performance related Treat by avoidance, risk

sharing etc. Integrated into business

Examples Strategic Business, Project

planning Opportunity costs Relationship, reputations Efficiency & effectiveness

2. Rationale for Implementing a2. Rationale for Implementing aRisk Management Policy & Framework?Risk Management Policy & Framework?

1) Compliance

2) Protection

3) Improve Organisational Performance

2.12.1 COMPLIANCE ISSUES COMPLIANCE ISSUES

S. A. Government : Risk Management Policy – Re-issued November 2003

CE’s Accountable to their Ministers Protect & enhance Govt. resources Protect well being of citizens & environment SAICORP to provide advice to the Crown

“Premiers Safety Commitment Statement” & DAIS - “Workplace Safety Management in the SA Public Sector 2004 - 2006 – Implementation Plan.”

Annual SAICORP Declarations – to meet our duty of disclosure to our insurers (re-insurers)

Corporate Governance Expectation

2.22.2 Protection Provided on Two Protection Provided on Two Levels :Levels :

1) Reduce likelihood of things going wrong and / or when things do go wrong, the consequences should be less severe.

2) Due diligence defence - will be able to demonstrate that all reasonable efforts have been made using a systematic, consistent approach to identify, rate and treat risks.

2.3 To improve organisational performance2.3 To improve organisational performance

1. Improve strategic and business planning

2. Improve information for decision making

3. Maximise the benefits of opportunities that arise

4. Improve operating efficiency due to targeting of resources, less time fire-fighting and avoidance of costly mistakes.

5. Provide an early warning system enabling preventative action to be taken

3.1 3.1 Policy & Framework – Policy & Framework – Agency ConsiderationsAgency Considerations

Central coordinating body responsible for Risk Management. Communication & Consultation on risk management Risk Management Policy & Framework

Criteria, categories of risks Likelihood & consequence indicators Risk Matrix Annual,Half Yearly, Quarterly, needs based risk assessment

Risk Assessment Tools & reporting requirements How to assist managers meet their risk management

responsibilities

Likelihood DescriptorsLikelihood Descriptors

  LIKELIHOOD OF OCCURRENCE

RATING Description

Almost Certain 5 This event will almost certainly occur within the next six months

Likely 4It is likely that this event will occur at least once in the next year or it is moderately likely that this event will occur at least once in the next two years

Moderate 3 It is moderately likely that this event will occur at least once in the next two years

Unlikely 2 It is possible, though unlikely, that this event may occur once in a 2 year period

Rare 1May occur only in very unusual circumstances. Remote possibility of occurring once every 2 to 5 years

Consequence DescriptorsConsequence Descriptors

Example Detail Description

 AREA OF IMPACT

RATING Financial Organisational Impact Reputation & ImageHuman

Resources

Insignificant 1Financial loss up to $50,000

Small delay, internal inconvenience only.

One off media coverage only

Minor injury. Temporary local poor morale.

Minor 2

Financial loss >$50,000 and < $100,000

Easily remedied, some impact on external stakeholders. Business objectives delayed.

Temporary negative impact on reputation

Lost time injury. Local but lingering poor morale. Skill mix issues

Moderate 3Financial loss >$100,000 and < $500,000

Considerable remedial effort required with widespread disruption to the organization extending for period up to 3 months. Some business objectives will not be achieved.

Temporary breakdown in key relationship. Widespread negative reporting in media. Premier or Ministerial involvement.

Serious permanent injury. Ongoing widespread morale issues. High staff turnover.

Major 4Financial loss > $500,000 and< $1 million

Permanent loss of critical information, substantial disruption to organization or external intervention extending over 3 months or more. Major goals not achieved.

Ongoing widespread negative reporting in media. Leads to a high-level independent investigation with adverse findings.

Death. Entrenched morale problems. Inability to recruit staff with necessary skills.

Catastrophic 5Financial loss > $1 million

Organisation is totally dysfunctional requiring appointment of an administrator.

Total loss of confidence within community leading to dismissal of Board.

 

Level of Risk MatrixLevel of Risk Matrix

Risk Analysis(Level of Risk

- LOR)

CONSEQUENCES

Insignificant1

Minor2

Moderate3

Major4

Catastrophic5

LIKELIHOOD

Almost Certa

in5

High High Extreme Extreme Extreme

Likely4

Moderate High High Extreme Extreme

Possible3

Low Moderate High Extreme Extreme

Unlikely2

Low Low Moderate High Extreme

Rare1

Low Low Moderate High High

3.2 3.2 What does a Risk Management What does a Risk Management Policy & FrameworkPolicy & Framework help to achieve?help to achieve?

A systematic and consistent approach to considering risk and opportunity integrated into all planning and business activities.

Cultural change – Reactive to Proactive to become embedded into the departmental culture.

Risk Assessment Training

Duration (three hours) for all managers and risk assessment facilitators on all aspects of risk assessment including: defining the risk assessment context; Identifying, analysing & evaluating risk; completing risk registers and developing risk treatment plans.

NOTE: Registration fee of $55 (incl. GST)

QUESTIONS ???????QUESTIONS ???????

www.treasury.sa.gov.au