1. Enterprise Risk Management Principles

ENTERPRISE RISK MANAGEMENT IN THE
DEPARTMENT OF EDUCATION
GUIDELINES
July 2015
COPYRIGHT
© NSW Department of Education
All rights reserved. No part of this work may be reproduced or copied in any form or by any means,
electronic or mechanical, including photocopying without the written permission of the publisher.
Published by the NSW Department of Education
Direct all enquiries to the Enterprise Risk Management Unit - contact details as follows:
Level 2, 35 Bridge Street
SYDNEY NSW 2000
GPO Box 33 Sydney NSW 2001
Internet and intranet references
www.dec.nsw.gov.au
https://detwww.det.nsw.edu.au/lists/directoratesaz/erm/index.htm
https://www.det.nsw.edu.au/policies/general_man/erm/implementation_1_PD20040036.shtml?level=
Version no. 1.6
Enterprise Risk Management Guidelines
Contents
Introduction ..................................................................................................................... 3
1. Enterprise Risk Management Principles.................................................................... 5
2. The Enterprise Risk Management Framework .......................................................... 6
3. The Risk Management Process .................................................................................. 8
3.1 Communication and Consultation .................................................................................... 8
3.2 Establishing the context .................................................................................................... 9
3.2.1 Key Stakeholders ............................................................................................. 10
3.2.2 The Business Objective ................................................................................... 10
3.2.3 Key Phases and Key Processes ..................................................................... 11
3.3 Risk Assessment .............................................................................................................. 12
3.3.1 Risk Identification ............................................................................................ 12
3.3.2 Risk Analysis .................................................................................................... 14
3.3.3 Risk Evaluation ................................................................................................. 22
3.4 Risk Treatment .................................................................................................................. 23
3.4.1 General .............................................................................................................. 23
3.4.2 Selection of Risk Treatment Options ............................................................. 24
3.4.3 Preparing and Implementing Risk Treatment Plans ..................................... 26
3.5 Monitoring and Review .................................................................................................... 26
3.5.1. Scanning Risk Sources .................................................................................. 27
3.5.2 Executive Risk Monitoring and Reporting ..................................................... 27
3.5.3 Executive Meetings .......................................................................................... 28
3.5.4 Review of the Risk Profile ............................................................................... 28
3.5.5 Monitoring and Reviewing Risk Appetite ...................................................... 29
3.5.7 Communication with the ERM Group and the Business .............................. 30
3.5.8 Executive Risk Reporting ................................................................................ 30
3.5.9 Review of the Risk Management Framework ................................................ 31
3.5.10 Reporting to the Audit and Risk Committee ................................................ 31
3.5.11 Other Risk Management Monitoring and Reporting Mechanisms ............ 32
4. References ..................................................................................................................33
Appendix 1 - Risk Reporting Templates .......................................................................34
Appendix 2 – Sample - Risk Escalation Report Template ...........................................35
Appendix 3 – Risk Register ...........................................................................................36
Appendix 4 - Sample Risk Record Template ................................................................42
Appendix 5 - Sample Risk Assessment Worksheet......................................................43
Appendix 6 - Sample Risk Assessment Template ........................................................45
Appendix 7 - Aligning Risk Management to Strategic and Business Planning,
Budgeting and Performance Management ...................................................................46
Appendix 8 – Definition of Terms ..................................................................................53
Appendix 9 - Executive Meeting Agenda Items ............................................................54
Appendix 10 – Roles and Responsibilities ...................................................................55
Enterprise Risk Management Guidelines
Policy document reference; PD/2004/0036/V01
July 2015
2 of 55
Enterprise Risk Management Guidelines
INTRODUCTION
The Department of Education (the Department) is committed to a structured and systematic
approach to the management of risk across the whole organisation in accordance with
current industry standards and best practice.
Enterprise Risk Management (ERM) involves the management of risks that impact (either
positively or negatively) on the organisational strategies used to achieve corporate
objectives.
During our normal day to day activities we face internal and external factors and influences
that make it uncertain whether, when and the extent to which we will achieve or exceed our
objectives. The effect this uncertainty has on our objectives is “risk”.
Each and every one of us has a responsibility for managing risk.
All our activities involve risk. We manage risk by anticipating, understanding and deciding
whether to modify it. Throughout this process we communicate and consult with stakeholders
and monitor and review the risk and the controls that are modifying the risk.
Risks will always continue to emerge due to the increasing complexity and scope of our
operations, the changing nature of our environment and our relationships with stakeholders,
and the increasing need for accountability.
Risk Management is an integral part of good business practice and involves the
implementation of cost effective strategies such as foreseeing opportunities and/or potentially
damaging events, implementing risk treatment actions, and providing decision makers with
information to effectively assess potential risks.
ERM encapsulates the extension of risk management from a purely business unit focus to an
organisational wide operational and strategic focus. This is designed to identify the whole
range and relative priority of risks that have to be managed by the organisation as a whole
and allow all reasonable steps including any necessary action at Executive level to help
ensure these risks are adequately managed.
When effectively implemented and maintained, the management of risk enables us to
a) increase the likelihood of achieving objectives
b) encourage proactive management
c) be aware of the need to identify and treat risk throughout the Department
d) improve the identification of opportunities and threats
e) achieve compatible risk management practices between our own business units and
between us and other organisations
f) comply with relevant legal and regulatory requirements and good practice
g) improve financial reporting
h) improve governance
i) improve stakeholder confidence and trust
j) establish a reliable basis for decision making and planning
k) improve controls
l) effectively allocate and use resources for risk treatment
m) improve operational effectiveness and efficiency
n) enhance health and safety performance as well as environmental protection
o) improve loss prevention and incident management
p) minimise losses
q) improve organisational learning
r) improve organisational resilience.
The intent of these guidelines is to facilitate the implementation of the ERM policy by
providing a framework that integrates the process for managing risk into our overall
governance, strategy and planning, management, reporting processes, policies, values and
culture, in a manner that is holistic, inclusive and consistent.
Risk Management is compulsory as part of the Enterprise Risk Management in the
Department of Education policy. These guidelines are provided to assist in the
implementation of this Policy. These guidelines and the policy are located on both the
Department’s intranet and the Internet.
1. ENTERPRISE RISK MANAGEMENT PRINCIPLES
The following principles have been endorsed by the Executive for use throughout the
Department.
1. The Executive is committed to a management culture that embeds enterprise risk
management in all departmental processes.
2. The Executive and each division will manage risk consistent with the agreed set of
ERM principles and the Department’s ERM guidelines.
3. ERM forms part of all policy and operational decision making.
4. ERM is integral to planning and budgetary processes and is reflected in performance
management agreements of senior executive staff.
5. Executive and division level risks are monitored, reviewed and subject to regular
reporting based on the best available information.
6. ERM addresses uncertainty and at the Executive level means ‘aim for no surprises’.
7. Stakeholder relations and engagement will be risk managed in relation to any change
management activity¹.
8. ERM processes and tools will focus on ‘ease of use’ and integration into existing
activities.
The above principles are in addition to the eleven listed in Australian Standard AS/NZS ISO
31000:2009 Risk management - Principles and Guidelines.
Risk Management
• creates and protects value
• is an integral part of all organizational processes
• is part of decision making
• explicitly addresses uncertainty
• is systematic, structured and timely
• is based on the best available information
• is tailored
• takes human and cultural factors into account
• is transparent and inclusive
• is dynamic, iterative and responsive to change
• facilitates continual improvement of the organization.
¹ For assistance or support with managing stakeholder relations contact the Communication and Engagement
Directorate on 9561 8088
2. THE ENTERPRISE RISK MANAGEMENT FRAMEWORK
The ERM Framework helps to ensure that risk is managed across the Department in a
holistic manner, is integrated into our culture, business practices and business plans, is
inclusive of all levels of staff and is applied in a consistent manner.
ERM supports the needs of the Department at both the Executive level as well as the
division level. A two-tier collaborative risk model is shown in Figure 1, which involves
strengthening and enhancing risk governance and management practices at both
Executive and division levels.
The approach to governing the risks at the division level recognises the diverse nature of
the divisions’ activities and risks and therefore, should be tailored to the division’s
operations.
A principles-based approach (see previous page) to managing risks within the divisions
will provide the required flexibility at division level while still enabling us to achieve a
minimum required consistency of risk management across the Department and enabling
divisions to demonstrate effectiveness of risk management activities.
Figure 1: Two Tier Collaborative Risk Model
Risks are escalated to the Executive based on consideration of the Department-wide risk
environment including stakeholder expectations, community concerns, government
reputation, senior management interventions, and as identified by the Executive, the
Audit and Risk Committee and the ERM Group.
The ERM framework has focus in the following areas:
• Strategic or Transient Risks – risks associated with: carrying out our business
objectives as articulated in high level plans; major programs/initiatives; risks that
are associated with strategies that are transient or relatively short term in nature.
• Operational or Business-As-Usual Risks – this relates to the management of risks
associated with day to day business or operational activities. Although all risks are
linked (either directly or indirectly) to one or more strategic objectives, operational
risks could always be present regardless of changes to strategic objectives, e.g.
risks related to staff and student safety.
Risks are identified, documented (usually in a risk register), and managed using
structured processes at all business unit levels (Department-wide, division, directorates
and other business units). Corporate reporting systems are used to report achievement of
objectives and management of identified risks. For information and guidance on reporting
templates and how to create a risk register refer to Appendix 1, 2, 3 and 4.
To support both strategic and operational risk management, we have established specific
policies, procedures and guidelines to help ensure effective management of risks which
include but are not limited to:
o business continuity
o child protection
o corruption prevention
o emergency planning & response
o work health & safety
o school excursions
o school safety and security
o serious incidents
o offsite activities, including work placement
The ERM framework provides for consistent and ongoing processes for identifying,
analysing, treating/responding to, monitoring and reporting on risk so that any changes in
risk exposures or areas requiring immediate action are highlighted promptly so that
appropriate improvement actions can be implemented.
The framework provides for the identification and assignment of risk ownership to those
who have the authority and responsibility to help ensure it is managed effectively.
The following section illustrates the risk management process itself.
For information and guidance on how to integrate risk management with strategic and
business planning, budgeting and performance management refer to Appendix 7.
3. THE RISK MANAGEMENT PROCESS
ERM involves the management of risks that impact on the organisational strategies used
to achieve corporate objectives.
The process described in this section can be used as a methodology for conducting
strategic or operational risk assessments.
Details of all risks within a business unit or initiative should be recorded in a risk register.
The ERM process that we use is based on Australian Standard AS/NZS ISO 31000:2009
Risk management - Principles and Guidelines. This Standard provides the steps of the
risk management process as shown in the diagram below. Definitions of terms relating to
risk management are contained in Appendix 8. The numbers in the diagram represent the
sections in this document.
Figure 2: Risk Management Process
(Adapted from AS/NZS ISO 31000:2009 Risk management - Principles and Guidelines)
3.1 COMMUNICATION AND CONSULTATION
Communication and consultation with internal and external stakeholders should take place
during all stages of the risk management process. Therefore, plans for communication and
consultation should be developed at an early stage. These should address issues relating
to the risk itself, its causes, its consequences (if known), and the measures being taken
to treat it.
Effective internal and external communication and consultation should take place to help
ensure that stakeholders and those accountable for implementing the risk management
process understand the basis on which decisions are made, and the reasons why particular
actions are required.
A consultative team approach may:
• help establish the context appropriately
• help ensure that the interests of stakeholders are understood and considered
• help ensure that risks are adequately identified and defined
• bring different areas of expertise together for analysing risks
• help ensure that different views are appropriately considered when defining risk
criteria and in evaluating risks
• secure endorsement and support for a treatment plan
• enhance appropriate change management during the risk management process
• develop an appropriate external and internal communication and consultation
plan.
Communication and consultation with stakeholders is important as they make judgements
about risk based on their perceptions of risk. These perceptions can vary due to
differences in values, needs, assumptions, concepts and concerns of stakeholders. As
their views can have a significant impact on the decisions made, the stakeholders'
perceptions should be identified, recorded, and taken into account in the decision making
process. Communication and consultation should facilitate truthful, relevant, accurate and
understandable exchanges of information, taking into account confidential and personal
integrity aspects.
Communication and consultation in the Department includes business units:
• reporting untreated risks through existing corporate reporting frameworks
• communicating the results of the risk assessment to stakeholders.
For assistance or support with managing stakeholder relations contact the
Communication and Engagement Directorate on 9561 8088.
3.2 ESTABLISHING THE CONTEXT
The purpose of this step is to define the context and
scope for the risk assessment.
This involves understanding the internal and external
environment in which risks occur including strategic,
operational, financial, competitive, stakeholder, social,
cultural and legal aspects of your functions.
This will provide the structure for the risk assessment
tasks that follow.
In this step you will need to identify the business
objectives and the strategies or key processes
developed to achieve the business objectives.
Below are some possible environmental characteristics that may affect the risk context:
1. Short timeframe to achieve actual results
2. Untried technology
3. Dispersed across a large number of sites 2,000+
4. In-house capacity limits in resources and skills/expertise to undertake all aspects
of project.
5. Long gestation period for the major deliverables around retention rates and student
levels of attainment.
6. Interdependencies with other major initiatives.
7. Cross division impacts
8. Reliance on infrastructure capacity external to the organisation
9. Impact of unforeseen circumstances on school communities
10. Market trends and competition
11. Economic factors
12. Completion of capital works
13. Environmental conditions or influences
14. Sport and recreation centres and stadia impacts
15. Community awareness and support.
3.2.1 Key Stakeholders
Key stakeholders have a significant role in risk identification as they have a vested
interest in the outcomes. They include but are not limited to the following:
1. Students
2. Teachers
3. Parents
4. Youth
5. Veterans
6. Community
7. Government
8. Unions
9. Associations
10. Lobby Groups
11. Disabled
12. Indigenous
13. Aged
14. Sponsors
15. Industry Partners
3.2.2 The Business Objective
The risk process is a recognition that in striving for a specific goal or outcome there are
often elements or risks associated with the achievement of those outcomes. If these risks
are not considered or addressed at the time of developing business plans they can delay,
frustrate or cause unexpected outcomes to arise affecting the achievement of the
objectives, or there may be opportunities that are missed.
The primary purpose of this step is to gain some assurance we will be focusing on the
correct risks, barriers, and opportunities in achieving our stated business objectives.
Part of the business objective step involves ensuring we are very clear about what we are
trying to achieve through the program and involves ensuring the business objective
addresses the following SMART criteria:
Specific
Measurable
Achievable
Relevant
Timely
3.2.3 Key Phases and Key Processes
The following key phases are essential for any initiative to be effective:
• Planning
• Implementation
• Monitoring and reporting
• Evaluation and Review.
Planning – this represents any key process relied on to outline how an activity is
intended to be carried out (e.g. policies, procedure manuals, guidelines, business cases
that identify needs, business plans that set out targets, deliverables and key milestones,
implementation plans etc.).
Implementation – this phase represents those key processes relied on to implement the
plans from the planning phase (e.g. application of a project management discipline,
application of resource allocation criteria, training, variations and change management,
accountabilities, recording of actions/decisions, meetings and actioning, matching of skills
to tasks, succession planning).
Monitoring and Reporting – this phase represents those key processes relied on to
monitor performance and progress against business plans which include targets,
deliverables at key milestones on the activity and some reporting on the same. This
monitoring and reporting might be in terms of KPIs and other performance criteria set.
Evaluation and Review – this phase is sometimes more commonly understood as
continuous improvement and relates to some form of improvement on past mistakes,
what went well, or lessons learnt. It can relate to new and innovative methods and
technologies being adopted to replace existing approaches.
To help you identify the type of key processes that might fall under each of the four
phases the table below shows some examples.
EXAMPLES OF KEY PROCESSES

Planning | Implementation | Monitoring & Reporting | Review
---|---|---|---
Governance structure | Consultation on changes and decisions made | Regular meetings with stakeholders/key players | Reviewing best practice
Consultation with stakeholders | Compliance with guidelines, business rules | Monitoring and reporting requirements | Adopting new methods, technologies
Policies/guidelines available to staff | Application of project management discipline | Capture and reporting performance against KPIs | Abandoning failed strategies
Critical milestones/targets set | Allocation and matching of resources and skills | Prompt remedial action on poor performance, delays, and budgetary issues |
Criteria for budget allocations | Roll out of training | Reporting requirements followed up |
Responsibilities and accountability requirements assigned | Recording of decisions, meetings, action records, succession planning, accountability for outcomes | Analysis of data conducted |
These phases can be used to help identify where there might be gaps in key processes
for the initiative which can point to potential sources of risk to the activity under
consideration.
Once these have been worked through we can conduct a risk analysis and risk response
for the initiative.
3.3 RISK ASSESSMENT
3.3.1 Risk Identification
Describing risks involves two elements namely an
event (or cause) and an impact (or consequence).
The context and key processes defined above will set
the boundaries for which risks will be included.
It is critical that all risks impacting on the achievement
of the business objectives are identified, whether or not
they are under the control of the Department.
If risks are not identified they will be excluded from
analysis from this point onwards.
To identify risks for each of the key business processes identified above, ask the following
questions:
• What can go wrong (event or cause)?
or
• What opportunities are available – how can we achieve our objectives more easily
(event or cause)?
and
• What does this lead to (impact or consequence)?
It is important that you consult with people who are knowledgeable about the activity
being assessed. You can identify risks through individual staff interviews or by conducting
focus group meetings and workshops. The latter is recommended if the activity is
complex and involves staff in more than one area.
In describing risks, you should always relate the event and impact to the business
objective. It helps to use terms such as “resulting in” or “due to” which link the event to the
impact. An example is “Failure to meet Commonwealth objective deadline, resulting in
withdrawal of current funds, loss of future funds, damage to relationship with the
Commonwealth, negative media, and damage to the Department’s reputation”. This
example shows that there are a number of potential impacts due to one event. This could
then lead to a number of possible risk treatment options.
3.3.1.1 Risk Categories
The following ten risk categories can be used to facilitate easy identification of risks.
These categories are the sources of risk i.e. where the risk can arise (see also Section
3.5.1). Examples of risk themes that would be grouped in each category are also
provided. Note: the list is not exhaustive, it is provided as a guide.
Service delivery
• delivery, achievement, assessment & reporting of educational and services objectives & outcomes
• provision of quality learning environments
• Aboriginal community outcomes
• provision of information & communication technologies
• school leavers with School Certificate & or Higher School Certificate
• corporate governance
• business development outcomes
• marketing & promotion of core activities
• product development
• service delivery
• market share
• client needs
• equity
Corruption & Fraud
• theft
• misappropriation
• conflicts of interest
• bribery
• falsification of records
• academic fraud
• favouritism in recruitment
• misuse of resources including communication devices
Human Resources
• attracting & maintaining key staff
• staff skills & qualifications
• staff disputes
Financial
• revenue
• expenditure
• assets & liabilities
• corporate credit cards
Stakeholder
• changes in government
• community expectations
• legislative changes
• unions
• media
• staff associations & councils
Legal & Legislative
• breaches of contract
• public liability
• professional liability
• legislative non-compliance
• industry partnerships
Reputation
• product & or service delivery
• stakeholder, employer & customer perceptions and expectations
• brand protection
Health & Safety
• child protection
• student welfare
• staff welfare
• work health & safety
Business Continuity
• technological change
• natural disasters
• strikes
• computer breakdowns
Security
• intellectual property
• privacy of information
• property & equipment
• data integrity
3.3.2 Risk Analysis
3.3.2.1 Assess Consequence and Likelihood
The purpose of this step is to rank the identified risks
so that resources to treat risks are allocated to those of
greater priority. We will formally analyse and assess
risks to our strategy, business plans, major
organisational change, major projects and programs.
All risks identified at the Department and division level
will be assessed in the residual terms using the
Department-wide risk consequence and likelihood
criteria.
To evaluate the risk level, you will need to first assess the risk consequence by
identifying the potential consequences of a risk event occurring. The ‘Department-wide
consequence criteria’ are used to estimate the potential impact a risk might have on
the achievement of the Department/division objectives, either as a negative
consequence (threats – see Tables 1 & 2) or as a positive consequence (opportunities – see
Tables 3 & 4). Select the appropriate table. The risk consequence is either positive or
negative – not both.
The percentage of appropriate baseline amount as indicated in the ‘Financial’
consequence category should be applied to the Department budget or a division budget
accordingly to facilitate an appropriate calibration of the risk consequence across the
Department.
The consequence is the impact or effect that the risk could have on the outputs or
outcomes in the listed Risk Focus areas. The Risk Focus areas may be different than the
Risk Categories used for identification of the risks (Section 3.3.1.1) because they are
more to do with the results of the risk eventuating rather than the source of the risk.
The risk likelihood will then be considered using the ‘Department-wide likelihood criteria’
by determining the probability of the risk occurring with the identified consequences.
Existing or planned controls should be taken into consideration when determining the risk
likelihood.
The risk consequence and likelihood criteria are provided in the tables below. Additional
risk consequence tables have been provided to facilitate an assessment of
project/program specific risks.
Table 1 - Department-Wide Negative Consequence Criteria (Threats)
(The potential negative impact on the objectives and resources)

Consequence ratings (columns): Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Critical (5)

Risk Focus: Service / Program delivery
(1) Virtually no change in operations; resolved by routine operations
(2) Can be accommodated with existing resources; academic or community/program outcome compromised
(3) Impact can be absorbed with treatment but will require additional resources to be allocated; delivery of academic or community/program outcomes compromised for identified groups; significant review/changes to programs required
(4) The Department/Business unit may not meet its objectives and will require considerable additional resources from other areas; outcome of a major program not achieved resulting in decline of academic/community outcomes; significant review of implementation of program required; interrupt the development of essential infrastructure; Ministerial inquiry
(5) The Department will not meet its objectives; ... in significant decline in academic/community outcomes; significant damage to reputation of public education; Ministerial inquiry

Risk Focus A: Financial (loss, error or omission as a percentage of the appropriate baseline amount, e.g. program budget, annual budget or projected revenue)
(1) up to 1% of the appropriate baseline amount
(2) > 1% to 5% of the appropriate baseline amount
(3) > 5% to 10% of the appropriate baseline amount
(4) > 10% to 15% of the appropriate baseline amount
(5) above 15% of the appropriate baseline amount

Risk Focus B: Management Effort
(1) An event, the impact of which can be absorbed through business as usual activity
(2) An event, the consequences of which can be absorbed but management effort is required to minimise the impact
(5) Significant management effort in a contingency mode
Other cells in this row (column not recoverable from the extracted text): an event that can be managed ...; an event, which with proper management can be ...; an event so severe in nature it ...; minor impact on efficiency or effectiveness, managed internally; potential reallocation of resources within a division; potential reallocation of resources between the divisions; additional resources required; requiring Treasury approval

Risk Focus C: Health & Safety
(1) First Aid treatment; graffiti, vandalism
Other cells in this row (column not recoverable from the extracted text): significant but reversible disability requiring hospitalisation; situation requiring lockdown in school, or cessation of operations in offices; permanent disabling injury or ...; single fatality and/or irreversible disability to one or ...; series of fatalities or significant ...; pandemic effect in a few schools

Risk Focus D: Legal / Compliance
Cells in this row (column not recoverable from the extracted text): minor compliance issues; minor legal issues, non-compliances and breaches of ...; offence punishable by ...; fine

Risk Focus E: Reputation / External relationships
(1) Little or no effect on stakeholder with no publicity, only routine internal reporting
Other cells in this row (column not recoverable from the extracted text): little or no publicity; attention from minor ...; visible dissatisfaction from ...; public, limited / localised media interest, specific internal reporting; local industrial action; local adverse publicity

[Remaining cells of Table 1 are not recoverable from the extracted text.]
regulation
Offence possibly punishable
by fine
Effect managed at local level
 Not requiring Treasury approval
 Programs not delivered, resulting




disabling illness to one or more
persons
Teaching/learning compromised
Litigation
Increasing incidence of injury
Local increase in workers
compensation costs
Breach of regulation with
investigation or report to authority
with prosecution powers
Offence punishable by fine
Effect on the Department’s
operations
Litigation
State wide adverse publicity
Short term damage, public
embarrassment of the Department,
restricted negative publicity from
local media, internal inquiry
State-wide industrial action (e.g.
bans)
endured. May involve some changes in management
more persons
Pandemic effect in a school or corporate office
Breach of school security/destruction of buildings
Widespread increase in workers compensation costs
 Major breach of regulation
 Shutdown of service for non-compliance
 Offence punishable by imprisonment
 Ministerial inquiry
could lead to a significant
restructure of the business or its
major parts or a change in the
management structure
irreversible disability
offices, or centres
 Significant prosecution and fines
 Shutdown of multiple services for
non-compliance
 Major consequences to a person,
agency
 Parliamentary scrutiny
 Sustained state wide adverse publicity
 Mainstream media reports, new oversight required,
 Resignation and or removal of




community dissatisfaction
Ministerial inquiry
Persistent questions in Parliament, external inquiry
e.g. inquest
Industrial action affecting statewide service delivery
Minister and or the Department’s
senior staff
Broad public concern, media
event, senior resignations/
removals, Parliamentary Inquiry
July 2015
15 of 55
Enterprise Risk Management Guidelines
Project / Program Threats
Table 2 – Negative Consequence Criteria (Threats) – Projects / Programs
(The potential negative impact on the objectives and resources)

General descriptors for each rating
Insignificant (1): No change in projects
Minor (2): Can be accommodated with existing resources
Moderate (3): Impact can be absorbed with treatment but will require additional resources to be allocated
Major (4): The program will require considerable additional resources from other areas
Critical (5): The program may not be delivered

G. Quality
Insignificant (1): Negligible quality issues with no effect on objective
Minor (2): Objective achieved but quality diminished slightly
Moderate (3): Objective achieved but quality diminished substantially
Major (4): Substantial part of objective not met for quality reasons
Critical (5): Outputs/outcomes are not delivered; Quality issues lead to non-achievement of objectives

H. Time
Insignificant (1): Project/Program/Service delayed by up to 5%
Minor (2): Project/Program/Service delayed > 5% to 10%
Moderate (3): Project/Program/Service delayed > 10% to 20%
Major (4): Project/Program/Service delayed > 20% to 30%
Critical (5): Delay causes objective to not be achieved

I. Cost
Insignificant (1): Up to 1% variance to budget
Minor (2): > 1% to 5% variance to budget
Moderate (3): > 5% to 10% variance to budget
Major (4): > 10% to 15% variance to budget but not requiring Treasury approval
Critical (5): Over 15% variance to budget or requiring Treasury approval

J. Benefits
Insignificant (1): Up to 5% not delivered
Minor (2): > 5% to 20% not delivered
Moderate (3): > 20% to 30% not delivered
Major (4): > 30% to 50% not delivered
Critical (5): > 50% not delivered
Risk Focus
Table 3 - Department-Wide Positive Consequence Criteria (Opportunities)
(The potential positive impact on the objectives and resources)

General descriptors for each rating
Insignificant (1): Negligible improvement in ability for the Department/Business unit to meet its objectives
Minor (2): Minor improvement in ability for the Department/Business unit to meet its objectives
Moderate (3): Moderate improvement in ability for the Department/Business unit to meet its objectives
Major (4): Major improvement in ability for the Department/Business unit to meet its objectives
Critical (5): Significant improvement in ability for the Department to meet its objectives

A. Service / Program delivery
Insignificant (1): Negligible improvement in academic or community/program/service outcomes; Changes implemented by routine operations
Minor (2): Minor improvement in academic or community/program/service outcomes; Minor improvement in efficiency or effectiveness
Moderate (3): Moderate improvement in delivery of academic or community/program/service outcomes for identified groups; Moderate improvement in efficiency or effectiveness; Moderate improvement in utilisation of state assets; Moderate improvement in community participation & access
Major (4): Major improvement in academic or community/program/service outcomes; Major improvement in ability to implement program; Major improvement in the development of essential infrastructure; Major improvement in utilisation of state assets; Major improvement in community participation & access
Critical (5): Significant improvement in academic or community/program/service outcomes; Significant improvement to reputation of public education

B. Financial (saving or benefit measured against the appropriate baseline amount, e.g. program budget, annual budget or projected revenue)
Insignificant (1): Saving or benefit up to 1% of the baseline amount
Minor (2): Saving or benefit > 1% to 5% of the baseline amount
Moderate (3): Saving or benefit > 5% to 10% of the baseline amount
Major (4): Saving or benefit > 10% to 15% of the baseline amount
Critical (5): Saving or benefit > 15% of the baseline amount

C. Management Effort
Insignificant (1): An event, the impact of which slightly reduces the management effort required
Minor (2): An event, the impact of which reduces the management effort required; Potential to free up resources within a division
Moderate (3): An event, the impact of which results in a moderate reduction in the management effort required; Potential to free up resources between the divisions
Major (4): An event, the impact of which results in a major reduction in the management effort required; Resources can be released for other functions
Critical (5): An event, the impact of which significantly reduces the management effort required; Able to free up resources, reallocate responsibilities, and significantly realign functions

D. Health & Safety
Insignificant (1): Negligible effect on health and safety; Negligible effect on site security and controls
Minor (2): Minor preventative measures; Minor improvements in site security
Moderate (3): Moderate improvements in prevention and control; Moderate improvements in site security
Major (4): Major improvements in prevention and control; Major improvements in site security
Critical (5): Significant improvements in prevention and control; Significant improvements in site security

E. Legal / Compliance
Insignificant (1): Negligible improvement in compliance ability; Little effort required
Minor (2): Minor improvement in compliance ability; Process improvements assist with a proactive approach
Moderate (3): Moderate improvement in compliance ability; Positive cultural change; Process improvements assist with a proactive approach
Major (4): Major improvement in compliance ability; Large change in behaviours; Positive cultural change; Proactive approach
Critical (5): Significant improvement in compliance ability with cultural change and a proactive approach

F. Reputation / External relationships
Insignificant (1): Little effect on reputation; Modest positive publicity; Modest positive attention from minor stakeholders
Minor (2): Minor improvement in reputation; Local positive publicity; Visible satisfaction from public, limited / localised media interest
Moderate (3): Positive improvement in reputation; State wide positive publicity; Short term improvements, public interest in the Department, positive publicity from local media
Major (4): Major improvement in reputation and community/stakeholder interest; Sustained state wide positive publicity; Mainstream media reports, community satisfaction; Ministerial supportive comments; Positive reinforcements in Parliament
Critical (5): Significant improvement in reputation and community/stakeholder interest; Significant recognition leading to major improvement in community and stakeholder support; Broad public interest, media event
Project / Program Opportunities
Table 4 - Positive Consequence Criteria (Opportunities) – Projects / Programs
(The potential positive impact on the objectives and resources)

General descriptors for each rating
Insignificant (1): Small change in projects
Minor (2): Minor improvements in outcomes
Moderate (3): Moderate improvements in outcomes
Major (4): Major improvements in outcomes
Critical (5): Significant improvements in outcomes

G. Quality
Insignificant (1): Negligible effect on objective
Minor (2): Objective achieved; Quality starting to exceed expectations
Moderate (3): Objective achieved; Moderate increase in outcomes; Exceeding expectations
Major (4): Major increase in quality; Greatly improved outcomes; High level of stakeholder satisfaction; Exceeding expectations
Critical (5): Significant increase in quality; Significantly improved outcomes; High level of stakeholder satisfaction; Greatly exceeding expectations

H. Time
Insignificant (1): Project/Program/Service improved by up to 5%
Minor (2): Project/Program/Service improved by > 5% up to 10%
Moderate (3): Project/Program/Service improved by > 10% up to 20%
Major (4): Project/Program/Service improved by > 20% up to 30%
Critical (5): Project/Program/Service improved by > 30%

I. Cost
Insignificant (1): Up to 1% below budget
Minor (2): > 1% to 5% below budget
Moderate (3): > 5% to 10% below budget
Major (4): > 10% to 15% below budget
Critical (5): > 15% below budget

J. Benefits
Insignificant (1): Negligible increase in planned benefits
Minor (2): Minor increase in benefits over those planned
Moderate (3): Moderate increase in benefits over those planned
Major (4): Major increase in benefits over those planned
Critical (5): Significant increase in benefits over those planned
Department-Wide Likelihood Criteria
How likely is it that the Department will be exposed to this specific risk (looking at both the
event (cause) and the impact (consequence)) considering factors such as:
• Anticipated frequency
• The external environment
• The procedures, tools, skills currently in place
• Staff commitment, morale, attitude
• History of previous events.
The ‘Description’ column in the following table is to be used as a guide only. Not all initiatives
will align to the time frames shown.

Description of Likelihood Ratings
Rating 5 - Almost Certain: Is expected to occur in most circumstances (frequently during the year). Probability > 95% to 100%
Rating 4 - Likely: Will probably occur (once during the year). Probability > 70% to 95%
Rating 3 - Possible: Might occur at some time (once every 3 years). Probability > 30% to 70%
Rating 2 - Unlikely: Could occur at some time (once every 5 years). Probability > 5% to 30%
Rating 1 - Rare: May only occur in exceptional circumstances; this event is known to have occurred elsewhere (once every 5+ years). Probability < 5%
3.3.2.2 Determine Risk Level
Having assessed the consequence and likelihood of major risks, a risk level will be
determined using the Department-wide risk matrix. Risks which may have a larger
consequence and a higher likelihood on business operations will have a higher priority rating
than those with a minor consequence and lower likelihood.

Likelihood/consequences matrix
Rows (Likelihood): Almost Certain (5), Likely (4), Possible (3), Unlikely (2), Rare (1)
Columns (Consequence): Insignificant (1), Minor (2), Moderate (3), Major (4), Critical (5)
[Matrix grid not reproduced: each likelihood/consequence cell carries one of the ratings Extreme Risk, High Risk, Medium Risk or Low Risk]

Risk treatment and escalation/delegation guidelines:

Extreme
Risk Treatment Guidelines: Immediate action required to actively manage risk and limit exposure
Division Risk Escalation Guidelines: Escalate to the division head and the Executive
Department-Wide Risk Delegation Guidelines: The Executive responsibility and accountability

High
Risk Treatment Guidelines: Cost / benefit analysis required to assess extent to which risk should be treated - monitor to help ensure risk does not adversely change over time
Division Risk Escalation Guidelines: Escalate to the division head
Department-Wide Risk Delegation Guidelines: The Executive responsibility and accountability

Medium
Risk Treatment Guidelines: Constant / regular monitoring required to help ensure risk exposure is managed effectively, disruptions minimised and outcomes monitored
Division Risk Escalation Guidelines: Escalate to the General Manager, Executive Director, and Directors. Specify risk management responsibility and accountability
Department-Wide Risk Delegation Guidelines: Assign accountability to the General Manager, Executive Director, and Directors

Low
Risk Treatment Guidelines: Effectively manage through routine procedures and appropriate internal controls
Division Risk Escalation Guidelines: Monitor and manage at the middle and operational management level
Department-Wide Risk Delegation Guidelines: Monitor and manage at the middle and operational management level
3.3.2.3 Cognitive Bias
The effectiveness of risk management is dependent on sound risk assessments. Even if we
have all the well-designed processes, methods and tools for risk management, risk
assessment is ultimately an activity that requires subjective judgement. Although there may
be other causes for faulty risk assessments, cognitive biases can be particularly pervasive.
If unchecked, these biases can lead to systematic decision-making errors and faulty risk
assessments. Cognitive biases include:
• Anchoring: relying too heavily, or ‘anchoring’, on one aspect or piece of information when making decisions
• Bandwagon (or herd) effect: doing (or believing) something because many other people do (or believe) the same
• Confirmation bias: looking for evidence to justify preconceived ideas
• Framing effect bias: arriving at conclusions based on how information is presented
• Optimism (or over-confidence): overestimating the likelihood of favourable outcomes.
Recognising these biases is the first step in minimising their impact on your risk assessment.
3.3.3 Risk Evaluation
The purpose of this step is to develop a prioritised list of risks requiring attention.
When the risk has been rated, the risk level needs to be compared with management’s acceptable level of risk (tolerance).
• If the level of a risk with a negative consequence (threat) is at or below management’s acceptable level then the risk is at an acceptable level and no additional risk treatment is required at this stage. This risk would be managed by ongoing monitoring and be subject to review in the next risk assessment.
• If the level of a risk with a negative consequence (threat) is above management’s acceptable level of risk then the risk is at an unacceptable level and additional risk treatments may be required to reduce the risk to management’s acceptable level.
• If the level of a risk with a positive consequence (opportunity) is low or medium but could be increased (improved) with reasonable steps (subject to cost/benefit analysis) then it is at an unacceptable level and additional risk treatments may be required.
• If the level of a risk with a positive consequence (opportunity) is high or extreme it may be at an acceptable level so no additional risk treatment may be required (subject to cost/benefit analysis) at this stage. This risk would be managed by ongoing monitoring and be subject to review in the next risk assessment.
3.4 RISK TREATMENT
3.4.1 General
The purpose of this step is to identify the most appropriate treatments for risks that are at an unacceptable level.
Risk treatment involves selecting one or more options for modifying risks, and implementing those options. Once implemented, treatments provide or modify the controls.
Risk treatment involves a cyclical process of:
• assessing a risk treatment
• deciding whether residual risk levels are tolerable
• if not tolerable, generating a new risk treatment
• assessing the effectiveness of that treatment.
Risk treatment options are not necessarily mutually exclusive or appropriate in all
circumstances. Select the best options in terms of feasibility and cost effectiveness. The
options can include the following:
• Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
• Taking or increasing the risk in order to pursue an opportunity
• Removing the risk source
• Changing the consequences
• Changing the likelihood
• Sharing the risk with another party or parties (including contracts, insurance, and risk financing)
• Retaining the risk by informed decision.
3.4.2 Selection of Risk Treatment Options
3.4.2.1 Cost / Benefit Analysis
Selecting the most appropriate risk treatment option involves balancing the costs and efforts
of implementation against the benefits derived, with regard to legal, regulatory, and other
requirements such as social responsibility and the protection of the natural environment.
Decisions should also take into account risks which can warrant risk treatment that is not
justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low
likelihood) risks.
A number of treatment options can be considered and applied either individually or in
combination. The organisation can normally benefit from the adoption of a combination of
treatment options.
3.4.2.2 Stakeholder Analysis
When selecting risk treatment options, the organisation should consider the values and
perceptions of stakeholders [2] and the most appropriate ways to communicate with them.
Where risk treatment options can impact on risk elsewhere in the organisation or with
stakeholders, these should be involved in the decision.
Though equally effective, some risk treatments can be more acceptable to some
stakeholders than to others.
The treatment plan should clearly identify the priority order in which individual risk treatments
should be implemented.
3.4.2.3 Control Effectiveness
Risk treatment itself can introduce risks. A significant risk can be the failure or
ineffectiveness of the risk treatment measures. Monitoring needs to be an integral part of the
risk treatment plan to give assurance that the measures remain effective.
Risk treatment can also introduce secondary risks that need to be assessed, treated,
monitored and reviewed.
These secondary risks should be incorporated into the same treatment plan as the original
risk and not treated as a new risk. The link between the two risks should be identified and
maintained.
The purpose of a control or treatment is to provide reasonable assurances in terms of
effective management of the risk in meeting the residual risk rating.
At the beginning, and throughout the life of a risk, there will be a need to make judgements
on whether or not existing controls are adequate. It may be useful to reflect on past
experience and examine instances where there has been exposure to loss and why this has
occurred. Alternatively, a simulation of the risk scenario may prove a useful exercise to test
the effectiveness of current controls e.g. emergency fire drill.
There may be a number of controls or treatments in place to manage a particular risk. The
control effectiveness assessment would then apply to the set of controls for that risk. Control
Effectiveness can be either a subjective assessment or an objective assessment of how
effective the control or set of controls is in meeting the risk’s Residual Risk Rating.
[2] For assistance or support with managing stakeholder relations contact the Communication and Engagement Directorate on
9561 8088.
Subjective Assessment
A subjective assessment can be made by simply deciding, based on current knowledge of
the situation, whether the control effectiveness is Excellent, Good, Fair, or Poor.
Objective Assessment
For a more objective, evidence-based method, perhaps on more critical risks, an
assessment of the control effectiveness could be undertaken by using the Control Practices
Matrix shown below in Table 5. This provides a simple way of objectively determining the
adequacy of your existing controls (adapted from Tasmanian Critical Infrastructure Risk
Management Guidance Manual).

Table 5 - Control Practices Matrix
Answer each of the three questions and take the score for that answer; the three scores are then added to give the Total Score.
Question 1 - Does the control address the risk effectively?  Yes = 1, Partly = 3, No = 6
Question 2 - Is the control officially documented and communicated?  Yes = 1, Partly = 2, No = 2 for Partly, No = 3
Question 3 - Is the control in operation and applied consistently?  Yes = 1, Partly = 2, No = 3
Total Score = Question 1 score + Question 2 score + Question 3 score

By comparing the total score from Table 5 with the score in the rating table (Table 6), a
quick assessment of the effectiveness (not necessarily efficiency or economy) of controls
may be ascertained.

Table 6 - Control Effectiveness Rating Table
Score 3 - Excellent: Control addresses risk, is officially documented and in operation and applied consistently.
Score 4 - Good: Control addresses risk, but documentation and/or operation of control could be improved.
Score 5 – 6 - Fair: Control addresses risk, at least partly, but documentation and/or operation of control could be improved.
Score 7 – 12 - Poor: At best, control addresses risk, but is not documented or in operation; at worst control does not address risk and is neither documented nor in operation.

Ideally “Excellent” or “Good” ratings should be sought for all controls. Risks that are
well controlled will have a lower consequence or likelihood depending on the control.
The Control Effectiveness assessment is a tool for managing the risk. The results can
be recorded in the Risk Record (see Appendix 4).
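The Table 5 scoring and the Table 6 banding can be carried out in code, which also makes the weighting visible: a "No" on whether the control addresses the risk scores 6 on its own and pushes the total to at least 8 (Poor) regardless of the other two answers. The following Python is an added example written against the two tables above; it is not part of the Department's guidelines or of any tooling the Department uses. The control names in the sample set are constructed, and the needs_improvement flag encodes the guidance that Excellent or Good should be sought for all controls.

```python
# Added example (not from the NSW DoE guidelines): scoring one control, or the
# set of controls recorded against one risk, with the Control Practices Matrix
# (Table 5) and the Control Effectiveness Rating Table (Table 6).
from typing import Dict, List, Tuple

# Table 5 scores: answer -> (addresses the risk, documented and communicated,
# in operation and applied consistently). The first question is weighted most
# heavily: a "No" there scores 6 by itself.
SCORES: Dict[str, Tuple[int, int, int]] = {
    "yes": (1, 1, 1),
    "partly": (3, 2, 2),
    "no": (6, 3, 3),
}

QUESTIONS = (
    "Does the control address the risk effectively?",
    "Is the control officially documented and communicated?",
    "Is the control in operation and applied consistently?",
)

# Table 6 bands over the total score (3 to 12 inclusive).
RATING_BANDS = (
    (3, 3, "Excellent"),
    (4, 4, "Good"),
    (5, 6, "Fair"),
    (7, 12, "Poor"),
)


def control_score(addresses: str, documented: str, operated: str) -> int:
    """Add the three Table 5 scores for one control (answers: yes / partly / no)."""
    total = 0
    for column, answer in enumerate((addresses, documented, operated)):
        key = answer.strip().lower()
        if key not in SCORES:
            raise ValueError(f"{QUESTIONS[column]} expects yes/partly/no, got {answer!r}")
        total += SCORES[key][column]
    return total


def control_rating(total: int) -> str:
    """Map a Table 5 total to its Table 6 rating."""
    for low, high, rating in RATING_BANDS:
        if low <= total <= high:
            return rating
    raise ValueError(f"total {total} lies outside the 3-12 range of Table 5")


def assess_control(addresses: str, documented: str, operated: str) -> Tuple[int, str]:
    """Return (total score, rating) for one control."""
    total = control_score(addresses, documented, operated)
    return total, control_rating(total)


def needs_improvement(rating: str) -> bool:
    """Excellent or Good is sought for every control; any other rating is flagged."""
    return rating not in ("Excellent", "Good")


def assess_control_set(
    controls: List[Tuple[str, str, str, str]]
) -> List[Tuple[str, int, str, bool]]:
    """Assess every control protecting one risk.

    Input tuples are (name, addresses, documented, operated); output tuples are
    (name, total score, rating, flagged for improvement).
    """
    results = []
    for name, addresses, documented, operated in controls:
        total, rating = assess_control(addresses, documented, operated)
        results.append((name, total, rating, needs_improvement(rating)))
    return results


if __name__ == "__main__":
    # Constructed sample: three hypothetical controls recorded against one risk.
    sample = [
        ("Quarterly backup restore test", "yes", "yes", "yes"),
        ("Privileged access review", "yes", "partly", "partly"),
        ("Incident escalation procedure", "partly", "no", "no"),
    ]
    for name, total, rating, flagged in assess_control_set(sample):
        status = "REVIEW" if flagged else "ok"
        print(f"{name:32} score={total:2d} rating={rating:9} {status}")
```

Run as a script it prints one line per sampled control (scores 3, 5 and 9, rated Excellent, Fair and Poor). Because the assessment applies to the set of controls for a risk, the flagged column is what a reviewer would carry into the Risk Record rather than the raw totals.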
3.4.3 Preparing and Implementing Risk Treatment Plans
The purpose of risk treatment plans is to document how the chosen treatment options will
be implemented.
The information provided in treatment plans should include:
• the reasons for selection of treatment options, including expected benefits to be gained
• those who are accountable for approving the plan and those responsible for implementing the plan
• proposed actions
• resource requirements including contingencies
• performance measures and constraints
• reporting and monitoring requirements
• timing and schedule.
Treatment plans should be integrated with the management processes of the
organisation and discussed with appropriate stakeholders.
Decision makers and other stakeholders should be aware of the nature and extent of the
residual risk after risk treatment. The residual risk should be documented and subjected
to monitoring, review and, where appropriate, further treatment.
3.5 MONITORING AND REVIEW
Risk monitoring and review is an integral step in the risk management process. It enables us to proactively identify changes in the risk profile and adjust the organisational response as required.
It also enables us to understand the effectiveness (impacts, benefits and costs) of implementing risk management strategies.
Risk monitoring and review is a continuous process, and it is essential that our risk priorities and risk management plans remain relevant in the changing environment we operate in.
Risk management is responsive to change. Continuous monitoring and review of the external and internal risk environment is required to help shape the context and understanding of our risk profile, changes in the risk ratings, identification of new risks, or taking risks off the radar.
3.5.1. Scanning Risk Sources
Environmental scanning is an important part of the monitoring framework and involves
analysis of multiple sources of risk information as depicted in Figure 3 below.
[Figure 3: Sources of risk information (diagram with the Risk Profile at its centre)]
Environmental scanning by the Executive, senior division officers, and the ERM Group
assists to identify new and emerging risks from external and internal environment
through:
• Analysis of Political, Economic, Social, Technological, Environmental factors, Government policies and other regulatory environment
• Interviews or meetings with the Executive and Directors
• Interviews or meetings with staff and stakeholders
• External reports and papers from recognised subject matter experts
• Consideration of our operations, systemic issues arising from incidents analysis, audit results and other historical risk information.
3.5.2 Executive Risk Monitoring and Reporting
The Executive monitors the risk profile and associated risk treatment strategies (as
detailed in the Executive Risk Register) using the following approaches:
• Executive meetings
• Formal risk profile and risk appetite reviews
• ERM Group reports to the Executive
• Early escalation of emerging risks.
Enterprise Risk Management Guidelines
3.5.3 Executive Meetings
Executive meetings are important forums for tracking movements on the risk profile and
the implementation of key risk treatment strategies. The Executive meets on a regular
basis to monitor performance against the strategic initiatives and monitor the risks. The
Executive considers risks at the following meetings:



Monthly Executive meetings include discussion on performance matters,
emerging threats and opportunities, and major ongoing concerns
The Secretary/division head regular face-to-face meetings include discussion on
major division risks
Monitoring of strategy and major projects includes review of the risk profile and
risk treatment activities quarterly by the Executive. A Risk Escalation Report and
details of overdue/partially completed risk treatment activities in relation to high
and extreme risks are reviewed as part of these meetings. Refer to Appendix 2
for a Risk Escalation Report example.
Refer to Appendix 9 for the Executive risk meetings agendas.
3.5.4 Review of the Risk Profile
The risk profile is an important source of risk information, represented by the Executive
Risk Register, which contains the most significant risks faced by the Department as a
whole and includes the following:




Strategic and operational risks
Major division risks escalated to the Executive via the ERM Group
Risks representing strategic projects or major initiatives
Escalated risks will procedurally progress to the Audit and Risk Committee.
The profile is collaboratively reviewed by the Executive on a quarterly basis.


A formal quarterly refresh of the risk profile includes revision of the risk ratings
taking into account the progress against risk treatment activities. New and
emerging risks are considered for the inclusion on the risk profile
A comprehensive annual review of the risk profile and risk appetite is performed
as part of the Executive Strategy Day.
The profile monitoring is an integral part of monitoring business performance and is
underpinned by the following:




Prioritisation of the major strategic risks which may have impact on the Corporate
Plan
Prioritisation of the top division risks, including risks which may have impact
across the divisions
Identification and prioritisation of new or emerging risks which may have a
significant impact
Monitoring of key performance indicators of major projects and initiatives which
constitute areas of significant risk.
Enterprise Risk Management Guidelines
Policy document reference; PD/2004/0036/V01
July 2015
28 of 55
Enterprise Risk Management Guidelines
To help ensure that the risk profile is relevant, up to date and effectively managed, the
Executive risk review approach addresses the following:








Alignment of the risks to strategic priorities
Risk magnitude
Key treatment strategies in place to manage the risk
Effectiveness of the current risk treatment activities
Movements in the risk ratings
Initiatives to address risks which are above risk appetite or to strengthen risk
management processes
Accountabilities assigned to implement the risk treatment strategies and
associated due dates
Sufficiency of resourcing requirements to implement the risk treatment strategies.
Where the risk rating increases or potential risks are identified, the Executive considers
the adequacy of the current risk treatment activities. The following questions may be
considered:




Are the assumptions relating to the risk context (including environment,
technology and resources) still relevant?
Is the risk treatment activity effective in managing the risk? How it can be
improved?
Are there performance measures or indicators in place to measure key
outcomes?
Does the risk management activity comply with legal requirements, government
and departmental policies?
3.5.5 Monitoring and Reviewing Risk Appetite
The risk appetite is explicitly described in the risk management policy and accurately
reflects the Department’s attitude to the amount of acceptable risk “The Department is committed to delivering long term sustainable academic and
community outcomes by managing effectively and pursuing strategies which include the
safety of students, staff and the community as the Department’s number one priority. In
advancing those strategies, the Department takes due consideration of the protocols
relating to risk identification, assessment and escalation (including consequence and
likelihood determinations based on the risk matrix).”
The risk appetite is reflected in the construct of the risk matrix (the more red, the more
risk averse), and the risk consequence tables (e.g. what impact constitutes a critical
consequence?). The risk consequence tables and risk appetite are reviewed annually by
the Executive in conjunction with the changes in strategic priorities and budget.
Risk tolerance is the variation of risk level that the organisation is prepared to accept
around a specific objective. Risk tolerance is reflected in the risk consequence tables in
conjunction with the escalation / delegation criteria. Risk tolerance is also reflected in the
Executive and Division Risk Registers as the acceptable risk rating (residual or target) for
each of the risks.
Enterprise Risk Management Guidelines
Policy document reference; PD/2004/0036/V01
July 2015
29 of 55
3.5.6 Emerging Risk Identification
All staff members are responsible for ensuring new and emerging risk areas are
captured, monitored and escalated appropriately through existing communication
channels. Monthly Executive meetings include discussion on emerging threats and
opportunities.
3.5.7 Communication with the ERM Group and the Business
The ERM Group supports the Executive risk monitoring activities by performing an
environmental scan, coordinating management and monitoring of cross-division risks,
and monitoring of the strategic risks.
The Executive consults the ERM Group on practical risk treatment approaches. Where
risks are escalated from the division risk profiles or where risks have a cross-division
effect, the Executive agrees on the high level risk treatment strategies and consults the
ERM Group to determine specific actions to implement identified risk treatment strategies
and to monitor them.
Top down communication from the Executive is performed formally to all appropriate
levels of the business to help ensure that the business remains engaged and informed of
the risk management approach.
3.5.8 Executive Risk Reporting
Risk reporting supports the Executive discussion and decision-making on major risks and
business priorities.
Executive risk reports are prepared by the ERM Group quarterly. The reports are
focussed on high and extreme risks and highlight “hot spots” on the Executive Risk
Profile including:
 Risk description
 Reference to the strategy (target)
 Residual risk ratings
 Target risk ratings
 Movements in risk ratings
 Reference to a division (if applicable)
 Reference to a risk treatment strategy
 Accountability (risk ownership)
 Status of risk treatment strategies
 Assurance activities in place to assess the management of the risk
 High level overview of the significant risks/risk areas facing the Department (including emerging threats and opportunities).
For major initiatives, dashboard reports are provided (similar in format to that shown in
Appendix 2) which include details of overdue or partially implemented risk treatment
strategies and the following information:
 Description
 Commentary
 Budget
 Accountability and
 Due date.
The dashboard report is supported by a commentary including highlights of the
semiannual environmental scan and analysis of systemic issues and trends arising from
historic information such as incidents and internal audit findings, or resource implications
for additional risk treatment activities.
Progress against expected outcomes for major projects, assessed by reviewing the key
risk performance indicators for major initiatives, is reported as part of business
performance reporting. This information contributes to the monitoring of major risks
associated with these projects.
Full details of the roles and responsibilities of divisions, the Executive and the ERM
Group are outlined in Appendix 10.
3.5.9 Review of the Risk Management Framework
The risk management framework is subject to review to meet the requirements of the
NSW Treasury Internal Audit and Risk Management Policy for the NSW Public Sector
(TPP 15-03) and current risk management standards (AS/NZS ISO 31000:2009). The
review includes the following:
 Annual review of the Department’s risk profile and division risk profiles in conjunction with the self-assessment of the achievement of strategic objectives and progress against the strategic initiatives
 Self-assessment of the ERM Group performance in accordance with the ERM Group Charter
 An independent review of the risk management function and process every two years
 A review of divisions’ alignment with the risk management principles.
Significant changes to operations should prompt a review and update of the risk
management framework to help ensure that it remains appropriate to support business
needs.
3.5.10 Reporting to the Audit and Risk Committee
The results of the risk management framework review are reported to the Audit and Risk
Committee which will include recommendations for improvement.
The Audit and Risk Committee also reviews an Assurance Plan for the upcoming
financial year and helps to ensure linkage to the following areas:
 NSW Treasury
 Audit Office of NSW
 Internal audit
 External accreditation audits.
3.5.11 Other Risk Management Monitoring and Reporting Mechanisms
We have a number of mechanisms which assist in the ongoing management of risks.
These include but are not limited to the following:
 A summary of the Executive Risk section of the Executive Risk Register is provided to the Minister on a quarterly basis.
 The latest versions of the Executive Risk Register (high and extreme risks only) and the Division Risk Register (all significant risks) are uploaded to the Executive Information System (EIS). These are then available at any time to each member of the Executive and each member of the ERM Group.
 All risk policy, procedural and guidelines documents and updates, in addition to copies of the Executive Risk Register and Escalation Reports, are provided to the Audit and Risk Committee for their review.
 Strategic priorities are monitored at weekly meetings of the Minister and the Secretary.
 Quarterly reports on performance against plans are provided to the Minister and NSW Treasury.
 The Audit Directorate is responsible for performing reviews on key operational areas.
 The Audit Office of NSW acts as an external assurance provider.
4. REFERENCES
AS/NZS ISO 31000:2009, Risk management - Principles and Guidelines, Standards Australia (and related standards and handbooks)
HB 89-2012, Risk management - Guidelines on risk assessment techniques, Standards Australia
Enterprise-Wide Risk Management Better Practice Guide for the Public Sector, Certified Practising Accountants Australia, 2002
Risk Management Training Program, Queensland Government, February 2003
Risk Management in the Public Sector, Risk Management Workshop conducted by Business Excellence Australia – Standards Australia, 06/02 01.03
Benchmarking Strategic Risk Management against Australian Government, Australian Public Service Commission’s publication titled ‘Contemporary Government Challenges – Building Better Governance’, published 2007
APPENDIX 1 - RISK REPORTING TEMPLATES
The following templates are suggested for use in monitoring, reporting, and managing risks.
Each report carries different levels of detail appropriate for its own use.
APPENDIX 2 – SAMPLE - RISK ESCALATION REPORT TEMPLATE
Summary:
Key Comments:
Risk Profile Health
Risk area | Governance | Budget | Stakeholder | WH&S | Child Welfare | State Targets | Business Continuity | LMBR | EIM | Other
This Report | | | | | | | | | |
Last Report | | | | | | | | | |
Key to status of each risk area: No major risks; Major risks but treatment in place; Major risks – ineffective or no treatment
Governance Risk
Triggers:
Impact:
Treatment:
Budget Risk
Triggers:
Impact:
Treatment:
Stakeholder Risk
Triggers:
Impact:
Treatment:
Work Health & Safety Risk
Triggers:
Impact:
Treatment:
Student Welfare and Child Protection Risk
Triggers:
Impact:
Treatment:
APPENDIX 3 – RISK REGISTER
(See also Recording Risk Information – Appendix 7 Section 8)
The purpose of a risk register is to provide a central repository or focal point of identified risks
that can be monitored and reviewed on a regular basis by both internal and external
stakeholders.
Risk information gained through conducting risk assessments should be documented and
maintained in the register. The Executive Risk Register following is included as a guide only.
The risk assessment will provide managers with information to assist them to manage risks
remaining at an unacceptable risk level.
The strategic and operational risk assessments should be updated at least annually and/or at
times when new and emerging risks may arise, for example the introduction of new business
products, processes, systems and/or services.
The creation and application of a risk register leads to improved management decision
making as it helps to:
 identify managed and unmanaged risks, especially during the planning cycle
 evaluate the severity of any identified risk
 apply possible solutions to those risks through a systematic approach
 monitor and analyse the effectiveness of actions taken to treat the risks.
When risks are effectively managed, the confidence level in achieving goals and objectives is
increased. By creating and maintaining risk registers across the Department, stakeholder
engagement will increase through communication and the accountability and escalation of
risks.
There is no standard list of components that should be included in the risk register.
The Department’s Executive Risk Register (ERR) is being used here as a model. The format
of the detailed ERR is shown below.
Item no.: 1
Risk Type: 1a. Strategic Threat
Division: Corporate Services
Target (Strategic Objective): New & Better Ways of Doing Business
Planned Action (to achieve objective): Effective management of the implementation of the program.
Risk No.: 66
Identified Risk: ABCD Program does not deliver timely services or.......
Existing Treatments: Development of program assurance...; Continued revision of strategic focus...
C (Consequence): A4, B4, C4, F4 (Maj)
L (Likelihood): 3P
Residual Rating: High
Additional Treatments Needed: Continue to monitor.
Target Risk Rating: High
Exec Owner: DepSec CS
KPI: Program delivery KPIs - Successful introduction of ABC.; - Development and implementation....; Program Mgt KPIs...
Internal Audit Assurance: - Project 9999 Shared service risk assessment / audit....; - Project 8888 – Gap analysis...
Other Internal Assurance: - DoE ABCD Audit & Risk Sub-Committee oversight....
External Assurance: - CPMG has been engaged in....; - Audit Office of NSW conducted....
The Detailed Register is sorted in the following sequence –
‘Risk Type’ = Strategic Risk (threat or opportunity) first, listing the highest ‘Residual Rating’,
then grouped by ‘Division’ in alphabetical order. Operational Risk follows, then Division Risk.
The columns are described below:
1. Item no. – This number relates to the item number on the detailed Executive Risk Register.
This number may change as risks are removed, added, escalated or de-escalated.
2. Risk Type – Strategic Threat or Opportunity, Operational Threat or Opportunity, and Division
Threat or Opportunity.
3. Division – The Division responsible for the risk.
4. Target or Strategic Objective – A brief description of the target or strategic objective that the
risk relates to. This may come directly from the State Plan, Corporate Plan, or other high level
sources.
Currently we have a list of 5 Strategic Objectives. Each risk should be aligned to one of these
objectives.
a. Fostering Opportunity and Partnership with Aboriginal People
b. High Expectations, Closing the Gap
c. New and Better Ways of Doing Business
d. Quality Teaching and Leadership
e. Safety & Welfare of our People
5. Planned Action – The action(s) required to achieve the target or strategic objective. This is a
brief description of the planned actions or initiatives that are being undertaken to achieve the
strategic objective. This is not the risk. However, it could be used to help identify a risk. For
example, what could stop us from achieving our objective? What could prevent us from
completing the planned action?
6. Risk No. – A unique number given to each individual risk. There may be more than one risk
linked to each strategic objective. These numbers are not necessarily sequential in the listings
as the risks may be removed, added, escalated or de-escalated as time progresses.
7. Identified Risk – In describing risks, you should always relate the event and impact to the
business objective. It helps to think of an event “resulting in” an impact, or an impact “due to”
an event. An example is “Failure to meet Commonwealth objective deadline, resulting in
withdrawal of current funds, loss of future funds, damage to relationship with the
Commonwealth, negative media, and damage to the Department’s reputation”. This example
shows that there are a number of potential impacts due to one event. This could then lead to a
number of possible risk treatment options.
The previous example had the event first. You could also have the impact first, e.g. “Loss of
funding due to failure to meet Commonwealth objective deadline”. The first example is better
suited to multiple impacts.
The description should relate to each of the consequences that are identified in the
consequence rating column (Service/Program Delivery, Financial, Management Effort, Health &
Safety, Legal/Compliance, Reputation/ External Relationships etc.).
8. Existing Treatments – Relates to current or existing treatments, strategies or controls either
in-place or planned to achieve the Residual Risk rating. Each risk should include treatments for
each of the consequences referred to in the consequence rating column (although one risk
treatment may cater for more than one consequence).
9. C – Consequence Rating from the DEC Enterprise Risk Management Guidelines (see Legend
on page 2). There can be multiple consequence ratings as a risk can affect multiple categories
e.g. financial, reputation, compliance etc. Each of these consequences should be referred to in
the ‘Identified Risk’ description, with treatments for each included in the ‘Existing Treatment’
column.
10. L – Likelihood (Rating) of the risk occurring with the predetermined Consequence Rating and
with the risk treatments, strategies or controls either in-place or planned – from the DEC
Enterprise Risk Management Guidelines (see Legend on page 2).
11. Residual Rating – The estimated risk rating based on the predetermined consequence and
likelihood ratings with the current or existing treatments, strategies or controls (planned or in-place).
12. Additional Treatment Needed – If the Residual Rating is unacceptable, additional treatments,
strategies or controls will need to be put in place to reduce the rating to an acceptable Target
Risk Rating. Once these additional treatments are put in place, or included in approved plans,
they become Existing Treatments/Strategies and the residual rating can be revised.
13. Target Risk Rating – If the Residual Rating is unacceptable, additional treatments or
strategies will be put in place to reduce the rating to an acceptable Target Rating.
14. Executive Owner – The member of the Executive (one person) accountable for ensuring that
the risk is managed as effectively as possible.
15. KPI – The Key Performance Indicators which are a measure of how well the risk is being or
could be managed.
16. Internal Audit Assurance – Internal audit activity that the department’s Audit Directorate will
undertake to assess the management of the risk.
17. Other Internal Assurance – Other internal mechanisms or departmental groups (steering
committees etc.) who have oversight of the management of the risks or related objectives.
18. External Assurance – External bodies or organisations with a role in assuring the effective
management of the risk (Audit & Risk Committee, Audit Office of NSW etc.).
LEGEND for reading the Risk Register
Key to Columns - C, L and Rating
C (Consequence) – category letter:
A = Service/Program Delivery
B = Financial
C = Management Effort
D = Health & Safety
E = Legal / Compliance
F = Reputation / External Relationships
G = Project / Program Quality
H = Project / Program Time (schedule)
I = Project / Program Cost
J = Project / Program Benefits
C (Consequence) – rating number:
1 = Ins = Insignificant
2 = Min = Minor
3 = Mod = Moderate
4 = Maj = Major
5 = Crit = Critical
L (Likelihood):
1 = R = Rare
2 = U = Unlikely
3 = P = Possible
4 = L = Likely
5 = AC = Almost Certain
Residual or Target Risk Rating:
Low
Medium (Med)
High
Extreme (Extr)
How to Develop a Risk Register
Risk registers are designed to capture risk information and are a primary tool for risk
monitoring, reporting and follow up action.
The steps taken to create a risk register are outlined in the following table and are in parallel
to the risk register development process shown below.
Steps in the Creation of a Risk Register
Step | Step Descriptor | Comments
1 | Risk register awareness and readiness | Initial planning by business unit manager and key staff
2 | Meet with business unit key stakeholders | Building the contextual framework
3 | Conduct business unit risk identification meetings (e.g. brainstorming) | Take into consideration all points of view
4 | Stakeholder engagement with teams to develop the risk register (see next table) | Populating the risk register
5 | Development of risk register entries | Coordination of risk evaluation and treatments
6 | Sign off and assigning ownership of risks | Agreement of budgets to control risks
7 | Updating risk registers | Reviewing and monitoring; escalation and/or de-escalation process may need to be enacted
Risk Register Development Process
Step 1: Establishing the context
Key questions to be asked:
 Have the business objectives been taken into account?
 Has an environmental scan been conducted?
 Have the risk criteria been defined?
Linkages: Monitoring and review; Communication and consultation
Step 2: Risk identification
Key questions to be asked:
 What do you want to achieve, what will stop it being achieved (threat), or what will help it being achieved (opportunity)?
 What is the potential cost to time, money and performance?
 How likely is it to happen?
 What are the impacts of each risk?
 What is the source of the risk?
 What can be done to reduce/control the risk?
Linkages: Monitoring and review; Communication and consultation
Step 3: Risk analysis
Key questions to be asked:
 Are there any existing controls?
 Have the consequences of the risk been considered?
 Have the impacts been evaluated on a ‘gut feel’ or an evidence-based approach?
 Have the likelihood criteria been applied?
Linkages: Monitoring and review; Communication and consultation
Step 4: Risk evaluation
Key questions to be asked:
 Have the risk tolerance levels been considered in accordance with legal, regulatory and other requirements?
 Has a decision been made to treat the risks?
 If yes, go to Step 5. If no, continue to monitor and review the risks.
Linkages: Monitoring and review; Communication and consultation
Step 5: Risk treatment
Key questions to be asked:
 Have all treatment options been identified?
 Have all options been assessed?
 Have treatment plans been prepared and ready for implementation?
 Have residual risks been analysed and evaluated?
Linkages: Monitoring and review; Communication and consultation
Step 6: Monitoring and review
Key questions to be asked:
 Have the established procedures been followed?
 Is there a requirement to escalate or de-escalate risks to the next level?
Linkages: Risk management plan, if held
The risk register when complete should be brought to the attention of all staff working in the
business unit in a clear and understandable manner taking into account their level of training,
knowledge and experience as well as their responsibility of managing the risks.
Continuous Improvement
A risk register is a ‘living document’, and not a one-off process. Accordingly, it should be
regularly updated and used actively during planning and related activities. To align with
departmental requirements, industry standards and best practice, business units are required
to regularly review their risk register for accuracy and currency.
Sample Template 1 - Risk Register
(1) Item no.: 1
(2) Risk Type: 1a. Strategic Threat
(3) Division: Corporate Services
(4) Target (Strategic Objective): New & Better Ways of Doing Business
(5) Planned Action (to achieve objective): Effective management of the implementation of the program.
(6) Risk No.: 66
(7) Identified Risk: ABCD Program does not deliver timely services or.......
(8) Existing Treatments: Development of program assurance...; Revision of strategic focus...
(9) C: A4, B4, C4, F4 (Maj)
(10) L: 3P
(11) Residual Rating: High
(12) Additional Treatments Needed: Escalate to Exec. ERM Unit meeting with ERM Group Members to support faster progress
(13) Target Risk Rating: Med
(14) Exec Owner: DepSec CS
(15) KPI: Program delivery KPIs - Successful introduction of ABC.; - Development and implementation....; Program Mgt KPIs...
(16) Internal Audit Assurance: - Project 9999 Shared service risk assessment / audit....; - Project 8888 – Gap analysis...
(17) Other Internal Assurance: - DoE ABCD Audit & Risk Sub-Committee oversight....
(18) External Assurance: - CPMG has been engaged in....; - Audit Office of NSW conducted....
Note: An explanation of each numbered column is shown earlier in this appendix.
Sample Template 2 – Risk Register
Risk No. | Risk Description | Residual Risk Rating | Management Action | Additional Risk Management Strategies / Controls | Target Risk Rating | Responsibility for Implementation | Timetable for Implementation | Reviewed Update Date
A | Assets may be lost or damaged | Low | No Major Concern | No further strategies required | Low | n/a | n/a |
B | Cash transactions are subject to theft, loss or misuse at remote locations | High | Active Management | Branch Manager to check and authorise monthly reconciliations and ensure secure safe is installed | Medium | Branch Manager | 15/X/YY |
APPENDIX 4 - SAMPLE RISK RECORD TEMPLATE
Risk Number:
Communication and Consultation: Identify key stakeholders and who has been involved in the consultation on the identification and assessment of the risk.
Target (Strategic Objective):
Planned Action (to achieve objective):
Division:
Context / Assumptions:
Identified Risk (risk description):
Existing Treatments/Strategies:
Control Effectiveness | Consequence | Likelihood | Residual Risk Rating | Exec Owner | Risk Manager | Completion Date | Budget
Risk Triggers (or indicators), Risk Sources, Introduced Risks / Residual Risks:
Additional Treatments Needed:
Control Effectiveness | Consequence | Likelihood | Target Risk Rating
Executive Action Required:
Funding Approved / Required:
Risk Treatment KPI's: KPI's | Due Date | Status
APPENDIX 5 - SAMPLE RISK ASSESSMENT WORKSHEET
Division / Business Unit / Project
1. Communicate and Consult:
Key Stakeholders (which internal and external stakeholders have been consulted in developing the risk assessment?):
 Deputy Secretary
 Finance Manager
 Branch staff
2. Operating Environment & Context:
Identify the key internal and external factors influencing the operating environment:
 The function is new, therefore no policies or procedures and no history of performance
 Budget allocation to be determined
 Staff in remote locations
 Contracted staff with no knowledge of corporate policies and procedures
 Specialist equipment to be purchased and installed
3. Risk Identification
Risk No. and Identification Category: 1. Security; 2. Legal & Legislative; 3. Financial
Risk Description:
A. Assets such as computers, TV’s, specialist equipment and mobiles may be lost or damaged resulting in financial loss; specialist equipment difficult to replace; disruption to operations.
B. Cash transactions will be conducted at the remote locations raising the risk of theft, loss or misuse by external or internal parties resulting in theft being reported to the Police; bad publicity for the Department; disruption to operations; financial loss; effect on staff morale.
4. Risk Assessment
Triggers / Risk Sources (identify those factors that might lead to the risk occurring):
A. poor asset records; no stocktakes; lack of security; mobiles have a history of being lost or damaged.
B. lack of security; no reconciliations; the nature of cash makes it very vulnerable
Existing Controls:
A. assets recorded in asset register; regular stocktakes; require security card to enter the work area; contract exists for ready supply of specialist equipment
B. no safe for securing cash; no reconciliations; but receipts are recorded and staff are aware of requirements of Treasurer’s Directions
Control Effectiveness Rating (are the current controls effective? Are they being complied with?):
A. Good (4)
B. Poor (8)
Consequence Rating:
A. A2 (minor)
B. E4 (major)
Likelihood Rating:
A. 2 (unlikely)
B. 4 (likely)
Residual Risk Rating (consequence rating combined with likelihood rating):
A. Low
B. High
5. Risk Treatment
Management Action (as described in the Guidelines):
A. Monitor & manage at operational level
B. Escalate to Executive
Additional Risk Treatments Needed (identify those strategies, in addition to the existing controls, that will be implemented to further manage this risk):
A. No further strategies required
B. Manager to check and authorise monthly reconciliations and ensure secure safe is installed
New Control Rating:
A. Good (4)
B. Good (4)
New Consequence Rating:
A. A2 (minor)
B. E3 (moderate)
New Likelihood Rating:
A. 2 (unlikely)
B. 3 (possible)
Target Risk Rating (consider the effect of the additional strategies / controls on the risk):
A. Low
B. Medium
Responsibility (the position supervising the implementation of this risk treatment strategy):
A. n/a
B. Manager
Timetable (when will implementation of the strategies be completed?):
A. n/a
B. 15/X/YY
Risk Assessment Undertaken by:
Risk Management Strategies Approved by:
Date of Approval:
Date of Review:
APPENDIX 6 - SAMPLE RISK ASSESSMENT TEMPLATE
Risk No. | Risk Description (short version) | Residual Consequence Rating | Residual Likelihood Rating | Residual Risk Rating | Target Consequence Rating | Target Likelihood Rating | Target Risk Rating | Responsibility
A | Assets may be lost or damaged | A2 Minor | 2 Unlikely | Low | A2 Minor | 2 Unlikely | Low | n/a
B | Cash transactions are subject to theft, loss or misuse at remote locations | E4 Major | 4 Likely | High | E3 Moderate | 3 Possible | Medium | Branch Manager
APPENDIX 7 - ALIGNING RISK MANAGEMENT TO STRATEGIC AND BUSINESS
PLANNING, BUDGETING AND PERFORMANCE MANAGEMENT
1. RISK MANAGEMENT AT THE STRATEGIC LEVEL
Risk Management at the strategic level involves identifying circumstances and events that
could have an impact (positive or negative) on the achievement of corporate objectives.
Risk and strategy are linked and whenever there is a change in strategies, the risk
assessment will also change.
The risk process is a recognition that in striving for a specific goal or outcome there are
often elements or risks associated with the achievement of those outcomes. If these risks
are not considered or addressed at the time of developing strategic plans they can delay,
frustrate or cause unexpected outcomes to arise affecting the achievement of the
objectives, or there may be opportunities that are missed.
Strategic plans, and the risks impacting the outcomes in those plans, are not likely to
remain static due to changing priorities, new initiatives, government decisions, stakeholder
issues, etc. These risks, along with the division strategies, may need re-assessment at
the time division plan progress is being monitored regularly throughout the year.
There are two distinct stages when risk needs to be considered at the strategic level:
 At the time strategic plans are first being developed and
 At the time progress is being monitored and reported on against the strategic plans.
2. STRATEGIC AND BUSINESS PLANNING
Understanding how risks align with the planning processes enables us to effectively
integrate risk management into our governance and management structures.
Risks are addressed as part of any planning process including the Total Asset
Management (TAM) Plan, Funding Plan submissions to the Treasury, the Corporate Plan,
project and program plans, and any other strategic, business or operational plan. The
integration of risk management into strategic and business planning processes is a key
component of the Department’s risk governance and business improvement processes.
Strategic risk management applies to the process of considering and managing the
strategic risks on the Executive Risk Profile (risks included on the Executive Risk Register)
which may impact the Department as a whole. However, this process can also be
generally applied to all business unit levels.
Strategic risks are those that may have a direct and significant impact on the
organisation’s strategic objectives. The strategic risks are given formal consideration by
the Executive collectively and the division heads individually.
Business plan risk management applies to the process of considering and managing risks
to the delivery of major projects and services. Business plan risks include strategic and
operational risks. Major projects and initiatives risks generally relate to the delivery of
infrastructure projects.
The starting point for embedding risk management is to link the risk identification process
to the corporate strategic and business plan objectives, using risk assessment as an input
to the plans. Risk and performance are managed and monitored in an integrated manner
to help achieve better overall governance.
Effective risk management provides increased confidence that we can deliver the desired
outcomes, manage threats to an acceptable degree and make informed decisions about
opportunities. Alignment of risk management to strategic planning, budgeting and
performance management can deliver a range of benefits by:
a. Improving the quality of decision making (appropriate, fast, accurate, and effective)
b. Effective execution of decisions (improved confidence, known quantity)
c. Embedding risk management within the day-to-day operation of your organisation
(part of business as usual, not additional task or process burden)
d. Integrating risk management with business strategy (help ensure decisions are
informed and based on sound judgment)
e. Improving planning processes by enabling the key focus to remain on core business
and helping ensure continuity of service delivery
f. Reducing the likelihood of potentially costly ‘surprises’
g. Preparing for challenging events and improving overall resilience
h. Prioritising budgeted resources
i. Optimising performance through efficiencies in service delivery, major change and
quality assurance initiatives and
j. Contributing to the development of a positive organisational culture of improved
governance, clear purpose, roles and accountabilities for all staff.
3. BUDGETING
Risk information provides an input to the identification of the resourcing requirements and
assists in the prioritisation of available resources as follows:
• Risk information and estimates of resource requirements for the treatment of major risks are included in program and project proposals and considered by senior management
• Risk management resource implications are included in the appropriate approved plans
• The budget prioritisation process takes into account the Department-wide and division risk profiles.
The risk management framework allows escalation of risks throughout the year, with any
financial considerations being subject to the Executive, Minister or Treasury decision as
appropriate. However, the identification and assessment of risks will not necessarily be a
trigger for additional funding. If additional funding is available, then this can be used to
accommodate the additional risk treatment activities required to manage the risk. In most
cases, however, the reduction of the risk exposure in a particular area will be
accommodated by reprioritising the available activities, resources, funds or other
investment in that area.
4. THE ALIGNMENT PROCESS
Risk management is integrated in strategic and business planning and budgeting
activities as follows:
Step 1: Review any current in-use planning policies, procedures and checklists to help ensure that content is aligned with these guidelines as well as any reference to the latest standards (e.g. risk matrix, consequence and likelihood tables). If inconsistencies exist, the appropriate action should be taken by either developing or updating risk related documentation and/or references to risk terminology.
Step 2: Clearly state the strategic objective (e.g. launch a new product or service, new school, meet a corporate target, etc.)
Step 3: Describe the planned actions to achieve the objective
Step 4: Clearly state all assumptions (e.g. market size, resources required, competition, safety, etc.)
Steps 2 to 4: as you would normally do in your planning process.
Step 5: Identify the risks related to the objectives, planned actions, and the assumptions (are the assumptions correct? what if they’re not? what if the situation changes? etc.)
Step 6: Perform a high level assessment of the risks (consequence, likelihood, risk rating)
Step 7: Describe a high level treatment strategy for the higher rated risks (treatment options, cost/benefit analysis, decide whether to proceed)
Step 8: Undertake a detailed assessment and plan the management of the accepted risks as per Section 3 of these guidelines
Step 9: Monitor the risks and the situation for changes
Step 10: Monitor the plan to address the changes.
5. STEPS TO INTEGRATE (EXAMPLE)
Integration of ERM into the Department’s strategic planning process (see Figure 4 below)
[Figure 4, reconstructed from the flattened figure text. Columns: Timeline; Business / Strategic Planning Process (example); Risk Management Process; Performance Management Process.
April: Management Planning Session to set broad strategy; identify risks to achieving strategic and operational objectives; treatment strategies.
May: Individual Business Plans; Management Strategy; Development of Budget Requirements; Approval of Funding Plan; Priority Projects for Strategy Implementation; determine budget implications; detail action plans to implement treatment strategy; major risks considered in identification of priority projects.
June: Working Draft of Strategy Endorsed by Management.
July: Management Meeting to Validate Strategy; responsibility for carriage of objectives and strategies assigned; develop KPIs to measure achievement of objectives; responsibilities assigned to action plans; develop high level risk profile; Management Performance Agreement incorporates risk management objectives; monitor, review and report progress against the plan.]
Figure 4: Integration of ERM into the Department’s Strategic Planning Process (timeline is an
example only)
a. At the Management Planning Session in April the broad strategy is set, providing a
strategic direction for preparation of individual business plans, the management plan,
and the development of future years’ budget requirements
b. Individual business streams begin drafting their business plans in May to inform the
management meeting (held in July). The following business plan risk assessment
actions are carried out by the business streams:
i. Business streams articulate their objectives contributing to the overall strategy, describe the planned actions to achieve the objective, state the assumptions, and identify risks to achieving the business plan objectives
ii. Risks are identified by the business stream in the context of the business as usual (service delivery) objectives, and major projects and initiatives
iii. Risks are assessed by the business stream in accordance with the Enterprise Risk Management Guidelines
iv. Treatment strategies required to manage the risks are developed
v. Budget implications (high level) are estimated for each high and extreme risk
vi. Risk treatment strategies and budget implications are documented in the risk records (refer to the Sample Risk Record template – Appendix 4)
vii. Risk treatment strategies and the budget implications are then prioritised taking into account the risk ratings
viii. Summary of high and extreme risks, treatment strategies and budget implications are documented in a prioritised order in the business plans
ix. Upon approval of the funding plan the detailed action plans to implement risk treatment strategies are developed taking into account the available budget and the risk priority
x. Business plans are finalised to include detailed action plans for each risk including due dates
xi. Responsibilities are assigned after the strategy is validated in July
xii. Detailed action plans, due dates, associated costs and responsibilities are documented for each high and extreme risk (refer to the Sample Risk Record template – Appendix 4).
c. The management strategy is set, reflective of the strategic direction
d. Prioritised budget requirements in excess of available resources are promoted to
management for inclusion in the development of the next budget period
e. Major risks on the risk profile are considered in the identification of priority projects
before a working draft of the strategy is endorsed by management in June.
The following risk related questions are considered during the strategy setting
process:
i. What are the major assumptions to each of the strategic objectives?
ii. What are the strategic and operational risks inherent in the strategy, and are they in
accordance with our risk appetite?
iii. Can we meet the resource requirements of this strategy and associated risks,
now and in the foreseeable future?
iv. Will our values and ethics be compromised in any way by execution of this
strategy?
v. Priority projects for the strategy are refined in May taking into account the
requirements to manage major risks on the risk profile
vi. Existing structures, resources and risk appetite are aligned to the strategy and the
risk profile.
6. AN INTEGRATED FRAMEWORK
Risk Management is an integral part of the strategic planning and budgeting processes.
An integrated business planning and ERM framework should contain the following
elements:
a. Evidence of communication and consultation with key stakeholders in developing
strategic plans
b. Objectives should be set so that achievement of them can be measured. Tools
such as “SMART” criteria (i.e. objectives should be Specific, Measurable,
Achievable, Relevant and Timely) reflect good practice in this regard (see Section
3.2.2)
c. Linking of operational plans back to higher level strategic plans to help ensure they
are consistent with higher level vision/mission
d. Evidence of identification and consideration of risks that impact on the
achievement of strategic and operational objectives
e. Evidence of strategies designed to achieve objectives and manage the risks that
could affect the achievement of those objectives
f. Evidence of responsibilities for carriage of objectives and strategies having been
assigned to divisions/areas
g. Development of Key Performance Indicators to measure achievement of objectives
h. Evidence that operational plans include identification, appropriate costings and
assignment of resources to undertake them
i. Evidence of formal processes for identification of emerging risks and issues that
impact plans and mechanisms for implementation of remedial action as appropriate
j. Evidence of formal processes in place to monitor, review and report progress
against plans
k. Evidence that the annual report includes reporting in terms of key risks identified
for the Department and management of those risks and legislative requirements
l. Policy and guidelines to support the above processes.
7. RISK MANAGEMENT AND PERFORMANCE MANAGEMENT
Risk management objectives are linked with performance management at all levels of the
organisation. Appropriate risk culture is supported by ensuring that risk management
objectives and overall performance objectives are aligned. This is supported in the
following ways:
• Management’s individual Performance Agreements incorporate risk management objectives such as high and extreme risks, target (or acceptable) risk ratings, risk management strategies, KPIs and due dates
• Identification of the people component of major business risks: leadership, knowledge, capabilities, behaviour, staff turnover, succession planning, training and development, and culture. Relevant risk management strategies are developed to address root causes of these risks.
8. RECORDING RISK INFORMATION
For each individual risk, the risk information is documented on a risk record (see sample
in Appendix 4) which incorporates links to the strategic management, budgeting and
performance management as follows:
• Reference to a strategic area/objective
• Risk management accountability which indicates an overall responsibility for managing a particular risk
• Risk triggers - an event, activity or early warning signal or indicator likely to highlight or result in an emerging risk occurring
• Key performance indicators (KPIs) for future treatment strategies which are included in the individual performance agreements
• Budget required to implement the risk treatment strategies.
See also the Risk Register – Appendix 3, Risk Assessment Worksheet – Appendix 5,
and Risk Assessment Template – Appendix 6
APPENDIX 8 – DEFINITION OF TERMS
Acceptable level of risk
The acceptable level of risk reflects the decision by management to accept the likelihood and
consequences of a risk. This is also known as risk tolerance.
Consequence
The outcome or impact associated with a risk occurring e.g. the loss, injury, disadvantage or gain.
Control
Any measure or action that changes the consequence or likelihood of a risk materialising.
Likelihood
The qualitative description of the probability or frequency of a risk occurring.
Operational Risks
Those risks that may have a direct and significant impact on the organisation’s business as usual
activities, functions, roles and/or operations.
Residual Risk Level
The level of risk calculated using likelihood and consequence criteria after treatments have been put
in place.
Risk
The effect of uncertainty on objectives. The chance of something happening that will have an impact
(positive or negative) on achieving the organisation’s objectives. It is measured in terms of the
magnitude of the consequences and the likelihood of occurrence.
Risk Appetite
The risk appetite (see Section 3.5.5) reflects the Department’s overall acceptable level of risk. This is
articulated in the construct of the consequence tables and the risk matrix. The Department’s
Enterprise Risk Management Policy also includes a Risk Appetite statement which describes the
Department’s focus on acceptable risk.
Risk Register
The documented repository of risk information gained from risk assessments.
Risk Level
The risk rating calculated using likelihood and consequence criteria after considering the existing
control environment.
Risk Management
Co-ordinated activities to direct and control an organisation with regard to risk.
Stakeholders
Those people and organisations who may affect, be affected by, or perceive themselves to be
affected by, a decision or activity of the Department.
Strategic Risks
Those risks that may have a direct and significant impact on the organisation’s strategic objectives.
Tolerance
Tolerance is a management decision on whether the current level of risk is acceptable or not
(decision to ‘tolerate’ the risk). Tolerance is also reflected in the Executive and Division Risk Registers
as the acceptable risk rating (residual or target) for each of the risks.
APPENDIX 9 - EXECUTIVE MEETING AGENDA ITEMS
Agenda Items
Meeting focus: Annual risk profiling
1. Discuss summary of corporate plan objectives
2. Reassess the risk appetite in accordance with strategic priorities and budget
3. Review the draft risk profile prepared by the ERM Group and consider:
• The relevance of existing risks and their context
• Progress against key risk treatment activities, note potential movements in the risk ratings
• Results of the environmental scan performed by the ERM Group (external trends, systemic issues arising from incidents, risks to the major projects and initiatives, new and emerging risks)
• Confirm new or emerging risks
• Assess residual risks and prioritise the risks
• Highlight risks with a cross-division impact
4. Consider revisions to risk treatment initiatives:
• Improvements to the existing initiatives
• New treatment strategies required for current or new risks
• Consider strategies for the cross-division risks
• Reassess resourcing requirements to fulfil risk treatment initiatives
• Consider “what should we stop doing?” taking into account the prioritised risks
Meeting focus: Annual review of the risk management framework
1. Review relevance of the Enterprise Risk Management Policy and Framework
2. Review NSW Treasury Policy attestation pack including:
• Internal Audit and Risk Management Survey
• Internal Audit and Risk Management Attestation
Meeting focus: Quarterly review of the Department-wide risk profile
• Review each risk on the Executive Risk Register
• Relevance of existing risks and their context
• Progress against key risk treatment initiatives, note potential movements in the risks
• New or emerging risks
• Refresh residual risk ratings
• Amendments to current risk treatment activities
• Risk treatment initiatives for new and emerging risks
Meeting focus: Monthly risk discussions at the Executive meetings
• New and emerging threats and opportunities
• Major concerns or other matters escalated early through the existing communication channels
• Potential impact of these matters and response to them
APPENDIX 10 – ROLES AND RESPONSIBILITIES
ROLE OF DIVISIONS
Consistent with the Department’s Risk Management Principles, divisions will:
• Identify, assess, develop and rate success indicators and treatment strategies for risks to be included in the Executive and Division Risk Registers
• Help ensure major risks align with policy, budgets, business plans and performance management arrangements
• Help ensure risks are escalated (on a needs basis) for Executive consideration when there is danger of a risk not being appropriately managed by existing strategies, treatments and resource allocation
• Provide recommendations for dealing with escalated risks (escalated risks rated high or extreme will procedurally progress to the Audit and Risk Committee).
ROLE OF THE EXECUTIVE
• Help ensure ERM is embedded in the Department’s budget and planning processes and appropriately monitored
• Monthly discussions of emerging threats and opportunities
• Formal consideration of the risk profile and associated risk treatment strategies on the Executive Risk Register facilitated through quarterly Executive meetings
• Annual review of the risk management framework, the risk profile, and the risk appetite
• Risk Management is a standing item for Executive meetings as part of Issues Management
• Consideration given to Executive level risks of a cross-division nature and a risk owner designated (e.g. Executive governance, ERM, business continuity, procurement, etc.)
• The designated risk owner will help ensure that cross division risks are effectively managed consistent with division requirements.
ROLE OF ERM GROUP
• Regular monitoring of the Enterprise Risk Register and escalation as appropriate to the Executive through the Deputy Secretary, Strategy and Evaluation
• Provide / coordinate support across divisions
• Executive support for ERM items at Audit and Risk Committee meetings and the Executive Work Program
• Work with all internal (and external) stakeholders to help ensure effective adoption of the ERM framework.
ROLE OF THE MANAGER, ENTERPRISE RISK MANAGEMENT
• For the purposes of Treasury Policy TPP 15-03 the Manager, Enterprise Risk Management is nominated as the Department’s Chief Risk Officer.