The Risk Management Procedure Manual

CheckUP Risk Management Manual
(O034)
CheckUP Ltd. ABN 56 123 426 111 trading as CheckUP Australia
TABLE OF CONTENTS
1.0 Definition of Risk
2.0 Guidance and compliance
3.0 Responsibilities of Risk Management within CheckUP
4.0 Structure of Risk Management Process
5.0 Context of Risk Management within CheckUP
6.0 Identifying and Assessing Risks
6.1 Types of Risk
6.1.1 Opportunity risk
6.1.2 Hazard risk
6.1.3 Uncertainty risk
6.2 Process of Determining Risk
6.2.1 Risk Analysis
6.2.2 Likelihood
6.2.3 Consequence
6.2.4 Inherent Risk
6.3 Assessment of Controls
7.0 Risk Management Strategies/Treatment
7.1 Risk Matrix
7.2 Risk Register
7.3 Risk Control and Strategies Register
7.4 Risk Action Plans – Items Requiring Active Management
8.0 Monitoring and Measuring Performance of Risk Management Processes
9.0 Continuous Quality Improvement of Risk Management
10.0 Information for Decision Making
11.0 Document Management
Document1
Nov 2012
THE RISK MANAGEMENT PROCEDURE MANUAL
This document forms part of CheckUP Risk Management Framework. It should be read in
conjunction with the CheckUP Board Policy – Risk Management.
The risk standard that CheckUP used to inform and guide risk management in the organisation,
AS/NZS 4360:2004, has been superseded by AS/NZS ISO 31000:2009, an internationally sourced
standard.
1.0 Definition of Risk
In accordance with the AS/NZS ISO 31000:2009 standard, risk is defined as the effect of uncertainty
on objectives, where the effect may be either positive or negative.
A risk is often specified in terms of an event or circumstances and the consequences that may flow
from it. Risk is measured in terms of a combination of the consequences of an event and their
likelihood of occurrence.
Risk Management refers to the “co-ordinated activities to direct and control an organisation with
regard to risk” (AS/NZS ISO 31000:2009).
Risk is inherent in business and managing risks involves:
- Identifying both threats and opportunities
- Rigorous thinking
- Forward thinking
- Accountability in decision making
- Communication
- Balanced thinking
Benefits of Risk Management
‘Management of risk is an integral part of good business practice and quality management.
Learning how to manage risk effectively enables managers to improve outcomes by identifying and
analysing the wider range of issues and providing a systematic way to make informed decisions. A
structured risk management approach also enhances and encourages the identification of greater
opportunities for continuous improvement through innovation.’
Some benefits of risk management include (AS/NZS ISO 31000:2009):
- Increased likelihood of achieving organisational objectives
- Improved governance
- Improved financial reporting
- Improved stakeholder confidence and trust
- Improved operational effectiveness and efficiency
- Better decision making and planning
- Better allocation of resources for the management of risks
- Improved organisational resilience
- Minimised losses
Risk management within CheckUP encompasses an approach designed to:
- Identify all strategic, operational and project risks using a risk management process
- Ensure risk management becomes part of day-to-day business
- Ensure staff awareness of risks and how to manage them
- Provide staff with policies and procedures to manage risks
- Assign accountability for risks
- Monitor the risk profile and implement a continuous improvement approach to risk management

2.0 Guidance and compliance
CheckUP’s Risk Management Framework is based on the principles outlined in the Risk
Management Standard (AS/NZS ISO 31000:2009). The main compliance principles in accordance
with the Standard are as follows:
2.1 Risk management creates and protects value.
Risk management contributes to the demonstrable achievement of objectives and improvement of
performance in, for example, human health and safety, security, legal and regulatory compliance,
public acceptance, environmental protection, product quality, project management, efficiency in
operations, governance and reputation.
2.2 Risk management is an integral part of all organizational processes.
Risk management is not a stand-alone activity that is separate from the main activities and
processes of CHECKUP. Risk management is part of the responsibilities of management and an
integral part of all organizational processes, including strategic planning and all project and change
management processes.
2.3 Risk management is part of decision making.
Risk management helps decision makers make informed choices, prioritize actions and distinguish
among alternative courses of action.
2.4 Risk management explicitly addresses uncertainty.
Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it
can be addressed.
2.5 Risk management is systematic, structured and timely.
A systematic, timely and structured approach to risk management contributes to efficiency and to
consistent, comparable and reliable results.
2.6 Risk management is based on the best available information.
The inputs to the process of managing risk are based on information sources such as historical
data, experience, stakeholder feedback, observation, forecasts and expert judgement. However,
decision makers should inform themselves of, and should take into account, any limitations of the
data or modelling used or the possibility of divergence among experts.
2.7 Risk management is tailored.
Risk management is aligned with CHECKUP's external and internal context and risk profile.
2.8 Risk management takes human and cultural factors into account.
Risk management recognizes the capabilities, perceptions and intentions of external and internal
people that can facilitate or hinder achievement of CHECKUP's objectives.
2.9 Risk management is transparent and inclusive.
Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels
of CHECKUP, ensures that risk management remains relevant and up-to-date. Involvement also
allows stakeholders to be properly represented and to have their views taken into account in
determining risk criteria.
2.10 Risk management is dynamic, iterative and responsive to change.
Risk management continually senses and responds to change. As external and internal events
occur, context and knowledge change, monitoring and review of risks take place, new risks emerge,
some change, and others disappear.
2.11 Risk management facilitates continual improvement of CHECKUP.
Organizations should develop and implement strategies to improve their risk management maturity
alongside all other aspects of their organization.
Source: Risk Management AS/NZS 4360:2004
3.0 Responsibilities of Risk Management within CheckUP
The roles and responsibilities for risk management within CheckUP are as follows:

Board of Directors
- Setting the level of business risk acceptable for CheckUP through sound policy
- Communicate risk tolerance to the CEO
- Identification of strategic risks
- Endorse the Risk Management plan and define the level of Board reporting required
- Monitor and review risk management processes within CheckUP through the receipt of timely risk management reports
- Proactively manage risk where the Board is assigned risk ownership

CEO
- Implement Board policy on risk management
- Inform the Board of operational risks
- Provide advice to the Board regarding risk management
- Ensure all relevant information is presented to the Board to enable annual sign-off of the risk management framework
- Design and development of risk management systems in the organisation
- Identification, assessment and mitigation of organisational operational risks, in particular employment, workplace health and safety, governance and contract management
- Ensure risks are identified, monitored and mitigated, and provide reports to the Board
- Responsible for approving Risk Action Plans
- Charged with the management of risk, including the day-to-day reporting and monitoring of risk management
- Responsible for maintaining the CheckUP Risk Register and Risk Action Plans

Chief Finance Officer
- Design and development of risk management systems in the organisation
- Identification, assessment and mitigation of organisational operational risks, in particular financial, governance and contract management
- Responsible for approving Risk Action Plans
- Charged with the management of risk, including the day-to-day reporting and monitoring of risk management
- Responsible for maintaining the CheckUP Risk Register and Risk Action Plans

Business Managers
- Management of operational risks with involvement of operational staff
- May also undertake risk ownership for specific strategic, operational and project risks

Staff
- Awareness of the importance of risk management, and operate within the CheckUP Risk Management Framework
- Required to identify and report operational/project risks as they arise within their work environment
- May also undertake risk ownership for specific operational and/or project risks
4.0 Structure of Risk Management Process
1. Establish a context of risk management within CheckUP
2. Identify and assess business risks
3. Develop business risk management strategies
4. Design and implement risk controls
5. Monitor and measure performance
6. Continuously improve
7. Information for decision making
5.0 Context of Risk Management within CheckUP
5.1 General
By establishing the context, CHECKUP articulates its objectives, defines the external and internal
parameters to be taken into account when managing risk, and sets the scope and risk criteria for
the remaining process. While many of these parameters are similar to those considered in the
design of the risk management framework; when establishing the context for the risk management
process, they need to be considered in greater detail and particularly how they relate to the scope
of the particular risk management process.
5.2 Establishing the external context
The external context is the external environment in which CHECKUP seeks to achieve its
objectives. Understanding the external context is important in order to ensure that the objectives
and concerns of external stakeholders are considered when developing risk criteria. It is based on
CHECKUP-wide context, but with specific details of legal and regulatory requirements, stakeholder
perceptions and other aspects of risks specific to the scope of the risk management process.
The external context can include, but is not limited to:
the social and cultural, political, legal, regulatory, financial, technological, economic, natural and
competitive environment, whether international, national, regional or local; key drivers and trends
having impact on the objectives of CHECKUP; and relationships with, perceptions and values of
external stakeholders.
5.3 Establishing the internal context
The internal context is the internal environment in which CHECKUP seeks to achieve its objectives.
The risk management process should be aligned with CHECKUP's culture, processes, structure
and strategy. Internal context is anything within CHECKUP that can influence the way in which an
organization will manage risk. It should be established because:
a) risk management takes place in the context of the objectives of CHECKUP;
b) objectives and criteria of a particular project, process or activity should be considered in the light
of objectives of CHECKUP as a whole; and
c) some organizations fail to recognize opportunities to achieve their strategic, project or business
objectives, and this affects ongoing organizational commitment, credibility, trust and value.
The internal context can include, but is not limited to:
governance, organizational structure, roles and accountabilities; policies, objectives, and the
strategies that are in place to achieve them; capabilities, understood in terms of resources and
knowledge (e.g. capital, time, people, processes, systems and technologies); the relationships with
and perceptions and values of internal stakeholders; CHECKUP's culture; information systems,
information flows and decision making processes (both formal and informal); standards, guidelines
and models adopted by CHECKUP; and form and extent of contractual relationships.
The goals and objectives of risk management within CheckUP are articulated within the Board
Policy - Risk Management.
The infrastructure comprises:
- Risk Management Policy and Procedure documents. These are available with all other organisational policies, and the document is part of the staff induction process
- An annual risk assessment process for risks. Strategic risks are identified in a process involving the Management Team, key operational staff and the Board. Operational risks are identified in a workshop involving operational staff and the relevant Manager, and through staff meetings throughout the year. Project risks are identified as part of the project planning methodology of CheckUP
- Ongoing risk assessment of operational and project risks
- Maintenance of a risk register
- Development and monitoring of risk action plans for risks determined to require active management
- Maintenance of a risk controls and strategies register
6.0 Identifying and Assessing Risks
Risk should be identified, assessed and managed on a continual basis. This involves all levels of
CheckUP including Board, CEO, Management and staff. However a comprehensive assessment of
business risk will be undertaken annually to coincide with the CheckUP planning.
Risks can be identified at any level within the organisation. It is the responsibility of all staff to
report any risks identified to a Manager. Risk Management is a standing agenda item on the
weekly staff meeting and Management Team meeting.
6.1 Types of risk
In determining risk, CheckUP considers the following types of risk:
6.1.1 Opportunity risk: can be the possibility of positive things not happening. Opportunity risk,
where conservatism takes over and things do not occur because of inertia or slow decision making,
is a common occurrence in not-for-profit organisations that rely too heavily on committees for
decision-making.
6.1.2 Hazard risk: can be the threat of negative things happening. Hazard risk is the most
commonly addressed type of risk, but is too narrow in its scope to provide a true picture of the risks
faced by the not-for-profit organisation.
6.1.3 Uncertainty risk: can be the potential that actual results do not equal anticipated results.
Uncertainty risk is particularly prevalent in those not-for-profit organisations that rely on one source
of income; when that income does not eventuate at the level expected, the very existence of the
organisation is put at risk.
Types of risk are evaluated at the following levels within the organisation:
- Strategic – impacts on the strategic direction of CheckUP as a whole; strategic risks are high level and impact on the mission, vision and strategic objectives
- Operations – impacts on specific operational areas within CheckUP
- Project – impacts on the success of specific projects. Risks associated with a particular project are identified during the feasibility phase of the project, prior to its acceptance. The risks are reported on an exception basis, on the monthly reporting schedule
6.2 Process of Determining Risk
6.2.1 Risk Analysis
A review of the organisation’s activities is required to identify the potential risks to the organisation.
Potential risk areas may include:
- Political
- Governance
- Financial
- Relationship
- Human Resource
- Compliance
- Products/services
- Stakeholders/suppliers
- Information
6.2.2 Likelihood
An assessment of the likelihood of the risk occurring needs to be determined. The timeframe for
assessing the likelihood of a risk occurring is:
- Strategic risks: assessed on a 1-5 year timeframe
- Operational risks: assessed on the next 12 months
- Project risks: assessed on the life of the project
Likelihood table (Rating / Description / Concern):
5 Almost Certain: The event is expected to occur
4 Likely: The event will probably occur
3 Possible: The event may occur
2 Unlikely: The event would probably not occur
1 Rare: The event would only occur in exceptional circumstances

6.2.3 Consequence
The consequence of the risk occurring to the organisation is assessed based on the consequence
table, with the consequence being from catastrophic/extreme to minor. The consequences are
determined based on the business functions of the organisation, and the impact to the organisation
should the consequence occur. In the event that the consequence has differing ratings dependent
on the business function, some moderation may be necessary to determine the rating.
6.2.4 Inherent Risk
The inherent risk is determined from analysing the risk, that is, the likelihood score plus the consequence
score (inherent risk = likelihood + consequence).
Consequence Table
Columns: Rating; CheckUP Reputation and Stakeholder/Member Confidence; Financial; Service Provision; Legal/Regulator; HR; Contract.

5 Catastrophic/extreme
- Reputation and stakeholder/member confidence: Profound influence on reputation
- Financial: $1m financial impact
- Service provision: Inability to provide adequate levels of services for a sustained period, or profound sustained degradation of value and quality
- Legal/Regulator: Loss of ability to carry on primary business / deregistration / liquidator appointed
- HR: Breach resulting in public hearing / profound sudden loss of staff
- Contract: Termination of core contract

4 Significant
- Reputation and stakeholder/member confidence: Significant influence on CheckUP’s reputation resulting in loss of stakeholder/member confidence
- Financial: $500k - $1m financial impact
- Service provision: Substantial interruption and delays in the provision of services
- Legal/Regulator: Loss of control – appointment of Administrator / audit qualification / vicarious liability involving court action
- HR: Loss of key personnel in close succession / breach of regulations resulting in legal action
- Contract: Loss of one large contract or multiple small contracts

3 Major
- Reputation and stakeholder/member confidence: Loss of reputation resulting in a moderate loss of stakeholder/member confidence
- Financial: $250k - $500k financial impact
- Service provision: Services unable to be delivered for a period that causes moderate inconvenience
- Legal/Regulator: Varied conditions of registration / litigation requiring legal intervention
- HR: Loss of multiple staff in quick succession / breach of regulations resulting in investigation
- Contract: Loss of at least 2 small contracts

2 Moderate
- Reputation and stakeholder/member confidence: Mild damage to CheckUP reputation
- Financial: <$250k financial impact
- Service provision: Transitory problems – minor inconvenience
- Legal/Regulator: Increased reporting to regulator
- HR: Loss of staff followed by period to recruit / internal policy breach
- Contract: Loss of a minor contract

1 Minor
- Reputation and stakeholder/member confidence: Minimal impact on CheckUP reputation
- Financial: Increase in administration costs not in line with budget
- Service provision: Minimal/undetectable reduction in service capability
- Legal/Regulator: Enquiry by regulator
- HR: Loss of staff time / restricted duty
- Contract: Loss of a small contract
6.3 Assessment of Controls
CheckUP’s evaluation of the effectiveness of controls to mitigate the risks is based on:
- Adequacy of controls
- Level of implementation of controls
The following table assists in determining the control rating for the risk.

Control Rating 1 or 2 (Excellent): The system is very effective in mitigating the risk. Systems and processes exist to manage the risk and management accountability is assigned. The systems are well documented and regular monitoring and review indicates high compliance with the process.
Control Rating 3 or 4 (Good): Systems and processes exist which manage the risk. Some improvement opportunities have been identified but not yet actioned.
Control Rating 5 or 6 (Ineffective): Systems and processes exist which partially mitigate the risk.
Control Rating 7 or 8 (Poor): The system and process for managing the risk has been subject to major change or is in the process of being implemented, and its effectiveness cannot be confirmed.
Control Rating 9 or 10 (No controls): No system or process exists to manage the risk.
7.0 Risk Management Strategies/Treatment
7.1 Risk Matrix
The scores of the inherent risk (likelihood + consequence) and the control rating for each risk are
plotted on a Risk Matrix. The plotted information will determine whether the risk requires:
- Active management
- Control monitoring
- Periodic monitoring
- No major concern
Some moderation of the results may be necessary to ensure that all key risks will be adequately
addressed.
Risk Matrix (figure): vertical axis Inherent Risk Rating (Likelihood + Consequence); horizontal axis Control Rating. The matrix is divided into four quadrants: Active Management, Control Monitoring Required, Periodic Monitoring and No Major Concern.
The action taken to manage each risk depends on where it is placed on the risk matrix:
- Active Management: Develop a Risk Action Plan to manage the risk.
- Control Monitoring Required: Controls to be monitored and reviewed monthly as part of management meetings (eg review Risk Register).
- Periodic Monitoring: Existing internal controls are considered adequate and are to be reviewed 6-monthly as part of management meetings (eg review Risk Register).
- No Major Concern: Risk and controls are adequate and are to be reviewed annually as part of management meetings (eg review Risk Register).

7.2 Risk Register
All identified strategic and operational risks are to be recorded in the CheckUP Risk Register
(refer example in appendix 1).
The Risk Register is maintained by the CEO, Chief Finance Officer, Executive Officer, and
Business Managers.
7.3 Risk Control and Strategies Register
The risk assessment process includes identification of existing mitigating treatments and controls
that are in place for the strategic and operational risks. These are documented in the CheckUP
Risk Control and Strategies register (appendix 2). The register keeps a record of the controls and
mitigating treatments currently in place.
Risks determined to require active management require a Risk Action Plan (refer 7.4). As Risk
Action Plans are completed, they are transferred to the Risk Control and Strategies register to
ensure that a current record of risk controls is maintained.
After risk analysis and evaluation has taken place, there is a need to determine whether the risk
is accepted or rejected by the organisation. The organisation may determine the following
actions in treating a risk:
- Avoid the risk
- Reduce the likelihood of the occurrence
- Reduce the consequences
- Transfer the risk
- Retain the risk
CheckUP will select the most appropriate option by balancing the cost of implementing each
option against the benefits derived from it. A cost/benefit analysis indicates whether the
benefits obtained from managing risks are commensurate with the costs.
Refer appendix 2: Sample Risk Controls and Strategies Register
7.4 Risk Action Plans – Items Requiring Active Management
For risk items that have been identified in the risk matrix to require active management, an action
plan (refer example appendix 3) is to be prepared and maintained by the risk owner. This is to
provide a process/plan on how the risk will be actively managed by the organisation. The Risk
Action Plan (RAP) outlines the tasks to be undertaken and milestones to be achieved in order to
mitigate the likelihood and/or consequence of the risk occurring
Risks requiring control monitoring or periodic monitoring may be addressed by periodic internal
auditing.
8.0 Monitoring and Measuring Performance of Risk Management Processes
The mechanisms in place for monitoring and measuring risk management performance within the
organisation are listed below (EO = Executive Officer, BM = Business Managers):

- Maintain a Risk Register containing a high level summary of all identified risks
  How often: Ongoing. By whom: CEO, CFO, EO, BM. To whom: Board and Management Team.
- Maintain a Risk Control and Strategies Register
  How often: Ongoing. By whom: CEO, CFO, EO, BM. To whom: Board and Management Team.
- Maintain and regularly monitor a Risk Action Plan Register containing a high level summary of all Risk Action Plan tasks and deadlines
  How often: Ongoing. By whom: CEO, CFO, EO, BM. To whom: Board and Management Team.
- Report at all Board meetings on the status of strategic risks to the Board of Directors
  How often: Regular. By whom: CEO, CFO, EO, BM. To whom: Board.
- Report at all Board meetings on the status of strategic risks requiring Active Management with a Risk Action Plan to the Board of Directors
  How often: Scheduled Board meetings. By whom: CEO, CFO, EO, BM. To whom: Board.
- Report on a regular basis on the status of risks requiring Active Management on the Risk Action Plan, and on strategic and operational risks, at Management Team meetings
  How often: Scheduled Management meetings. By whom: CEO, CFO, EO, BM. To whom: Management Team meetings.
- Regular discussion on the status of tasks on the Risk Action Plans
  How often: Ongoing. By whom: CEO, CFO, EO, BM. To whom: CFO.
- Report on a monthly basis on the status of risks requiring Control Monitoring at Management Team meetings
  How often: Monthly. By whom: CEO, CFO, EO, BM. To whom: Management Team meetings.
- Report on a 6 monthly basis on the status of risks requiring Periodic Monitoring at Management Team meetings
  How often: 6 monthly. By whom: CEO, CFO, EO, BM. To whom: Management Team meetings.
- Report on an annual basis on the status of risks that are of No Major Concern at Management Team meetings
  How often: Annually. By whom: CEO, CFO, EO, BM. To whom: Management Team meetings.
- Monitoring of project risks over the life of the project, with exceptions reported by the responsible Business Coordinator or Business Advisor in the monthly report
  How often: Ongoing. By whom: Business Coordinator. To whom: Business Managers.
9.0 Continuous Quality Improvement of Risk Management
All staff will participate in annual risk identification sessions, and this will provide an
understanding of the risk management process.
Risk management is a standing agenda item at the fortnightly staff meeting.
All project plans will include a risk management section.
10.0 Information for Decision Making
The annual risk management assessment is aligned with annual strategic and business planning,
to enable Board and management to consider identified risks and opportunities during the
planning process.
Report Type / Reporting:
- Risk Register: Annual risk assessment; Monthly Management Team meetings; Board meetings
- Risk Action Plan Status: Annual risk assessment; Operational reporting from the risk owner on a monthly basis
- Control and Strategies Register: Annual risk assessment; Monthly Management Team meetings

11.0 Document Management
This document is controlled as described in the CheckUP Procedure for Document Management.
The content of the Risk Register, Risk Controls and Strategies Register and the Risk Action Plans
is contained in the Appendix of this document to ensure ease of access. However, the content of
these registers/plans is updated regularly by the CEO and CFO without affecting the revision
status of the document as a whole.
Basic Flowchart for CheckUP Risk Management Process
1. Identify the risk and enter it into the Risk Controls and Strategies Register.
2. Analyse the risk: determine likelihood and consequence using the CheckUP tables; determine the inherent risk (Likelihood + Consequence); enter it into the Risk Controls and Strategies Register.
3. Identify controls, including the control rating (use the table); enter them into the Risk Controls and Strategies Register.
4. Plot the inherent risk and control rating on the risk matrix. Determine if the risk requires active management, control monitoring, periodic review, or is of no major concern; enter the assessed risk level into the Risk Controls and Strategies Register.
5. Is the risk assessed as requiring Active Management?
   YES: Complete a Risk Action Plan and report monthly on status.
   NO: Monitor the risk as per the reporting schedule.
Version number: 28
Changes last made: Feb 13
Approved by:
Changes to this version: Review and update strategic risks by Board
Superseded on: N/A
Last review date: Feb 13
Next review date: Dec 13
Appendix 1: Risk Register
Last Updated: Feb 2013

The register records, for each risk: Risk Level (Strategic or Operational), Risk No., Risk, Risk Owner and Risk Treatment Option. The treatment option is shown in brackets where the source aligns it with a single risk; entries whose row alignment is not recoverable from the source are listed after the risks they belong to.

Strategic risks

Sustainability
S1 Threat to solvency of the organisation (Control Monitoring)
S2 Increased competition for funding (Control Monitoring)
S3 CheckUP business model not sustainable (Control Monitoring)

Legal and Regulatory
S4 Exposure to litigation and claims (No Major Concern)
S5 Regulatory changes create unsustainable administrative or financial burden (Control Monitoring)
S6 Regulatory changes impact on CheckUP taxation status (Control Monitoring)

Political
S7 Federal election announcement heightens uncertainty and restricts government decision-making (Control Monitoring)
S8 Change of federal government may create significant change in health and other policy directions (Control Monitoring)
S9 CheckUP directions do not align with state government priorities and policies (Control Monitoring)

Strategy
S10 Strategic intents not aligned to opportunities (No Major Concern)
S11 Strength of competitors underestimated (Control Monitoring)
S12 Failure to determine appropriate market/s for products and services (Control Monitoring)

Member and Stakeholder Relations
S13 Members don’t identify CheckUP as relevant and adding value (Control Monitoring)
S14 Stakeholders perceive the relationship with CheckUP as being no longer relevant or important
S15 Loss of key influential relationships with Governments

Organisational capacity
S16 Insufficient organisational capacity to achieve strategic priorities
S17 Inadequate or suboptimal financial monitoring
S18 Loss of and an inability to replace CEO
S19 Loss of corporate knowledge from Board
S20 Board members do not fulfill key Board performance requirements
S21 Board structure and composition does not provide strategic leadership for the organisation

Treatment options recorded for S14 to S21, in the order they appear in the source: Control Monitoring; No Major Concern; Control Monitoring; Control Monitoring; Control Monitoring; Control Monitoring; No Major Concern; Control Monitoring.

Organisational Culture
S22 Mismatch in values and behaviours between Board Directors and staff (No Major Concern)
S23 Board Directors experience difficulty adjusting to new organisational directions and priorities (No Major Concern)

Operational risks

O1 Insurance cover does not align with identified risks to the organisation
O2 Exposure of employees to workplace induced physical/psychological injury/harm
O3 Internal conflict between Board/CEO
O4 Poor performance by CheckUP representatives damages CheckUP reputation
O5 Staff conflict – move to control
O6 Low staff morale
O7 Loss of key staff from the organisation (Owner: CEO)
O8 Staff losses compromise capacity to deliver contractual arrangements (Owner: CEO)
O9 Resources (human and financial) inadequate to meet future business requirements
O10 Failure to achieve recertification ISO:9008
O11 Inadequate security
O12 Insufficient demand for products and services
O13 Products and services do not deliver value for customers (Owner: CEO)
O14 IT system infrastructure performance and support compromise business continuity
O15 Technology infrastructure inadequate to meet future business needs
O16 Inadequate protection of CheckUP IP
O17 Current marketing capacity inadequate to meet future business needs
O18 Dynamic external environment compromises stakeholder engagement

Risk owners recorded for the operational risks are the CEO and the CFO. Treatment options recorded for O1 to O18, in the order they appear in the source: Control Monitoring; Control Monitoring; Control Monitoring; Control Monitoring; Control Monitoring; Active Management; Active Management; Control Monitoring; Active Management. Three operational risks are therefore recorded as requiring Active Management and a Risk Action Plan.
Control Monitoring
Control Monitoring
Active
Management
Active
Management
Active
Management
Active
Management
Control Monitoring
Active
Management
Control monitoring
Appendix 2: Risk Controls and Strategies Register
Last Update: Nov 2012

Columns: Risk No. | Risk | Risk Owner | Risk Type | Likelihood (L) | Consequence (C) | Inherent Rating (L+C) | Control Rating | Risk treatment and type (hazard / uncertainty / opportunity, per section 6.1)
Controls/Mitigating Treatment in place are listed under each operational risk; none are recorded against the strategic risks in this register.

STRATEGIC RISKS

Sustainability
S1 | Threat to solvency of the organisation | Board | Financial | L 5 | C 5 | Inherent 10 | Control 4 | Control monitoring, hazard
S2 | Increased competition for funding | Board | Financial | L 5 | C 4 | Inherent 9 | Control 3 | Control monitoring, hazard
S3 | CheckUP business model not sustainable | Board | Financial | L 3 | C 3 | Inherent 6 | Control 3 | Control monitoring, hazard

Legal and Regulatory
S4 | Exposure to litigation and claims | Board | Legal/Regulatory | L 3 | C 2 | Inherent 5 | Control 2 | No major concern, hazard
S5 | Regulatory changes create unsustainable administrative or financial burden | Board | Legal/Regulatory | L 4 | C 2 | Inherent 6 | Control 2 | Control monitoring, hazard
S6 | Regulatory changes impact on CheckUP taxation status | Board | Legal/Regulatory | L 2 | C 4 | Inherent 6 | Control 2 | Control monitoring, hazard

Political
S7 | Federal election announcement heightens uncertainty and restricts government decision-making | Board | Political | L 5 | C 5 | Inherent 10 | Control 3 | Control monitoring, hazard
S8 | Change of federal government may create significant change in health and other policy directions | Board | Political | L 5 | C 5 | Inherent 10 | Control 3 | Control monitoring, uncertainty
S9 | CheckUP directions do not align with state government priorities and policies | Board | Political | L 3 | C 5 | Inherent 8 | Control 3 | Control monitoring, uncertainty

Strategy
S10 | Strategic intents not aligned to opportunities | Board | Strategic | L 3 | C 2 | Inherent 5 | Control 2 | No major concern, opportunity
S11 | Strength of competitors underestimated | Board | Strategic | L 3 | C 4 | Inherent 7 | Control 4 | Control monitoring, hazard
S12 | Failure to determine appropriate market/s for products and services | Board | Strategic | L 3 | C 3 | Inherent 6 | Control 4 | Control monitoring, opportunity

Member and Stakeholder Relations
S13 | Members don't identify CheckUP as relevant and adding value | Board | Relationship | L 3 | C 3 | Inherent 6 | Control 3 | Control monitoring, opportunity
S14 | Stakeholders perceive the relationship with CheckUP as being no longer relevant or important | Board | Relationship | L 3 | C 3 | Inherent 6 | Control 3 | Control monitoring, hazard
S15 | Loss of influential relationships with Governments | Board | Relationship | L 4 | C 3 | Inherent 7 | Control 3 | Control monitoring, hazard

Organisational Capacity
S16 | Insufficient organisational capacity to achieve strategic priorities | Board | Strategic | L 5 | C 4 | Inherent 9 | Control 3 | Control monitoring, hazard
S17 | Inadequate or suboptimal financial monitoring | Board | Financial | L 3 | C 3 | Inherent 6 | Control 2 | Control monitoring, hazard
S18 | Loss of, and inability to replace, CEO | Board | Strategic | L 4 | C 4 | Inherent 8 | Control 3 | Control monitoring, uncertainty
S19 | Loss of corporate knowledge from Board | Board | Governance | L 1 | C 2 | Inherent 3 | Control 1 | No major concern - ??
S20 | Board members do not fulfil key Board performance requirements | Board | Governance | L 3 | C 2 | Inherent 5 | Control 2 | No major concern - ??
S21 | Board structure and composition does not provide strategic leadership for the organisation | Board | Governance | L 3 | C 3 | Inherent 6 | Control 3 | Control monitoring, opportunity

Organisational Culture
S22 | Mismatch in values and behaviours between Board Directors and staff | Board | Strategic | L 3 | C 2 | Inherent 5 | Control 2 | No major concern, hazard
S23 | Board Directors experience difficulty adjusting to new organisational directions and priorities | Board | Strategic | L 2 | C 2 | Inherent 4 | Control 2 | No major concern - ??

OPERATIONAL RISKS

O1 | Insurance cover does not align with identified risks to the organisation | CFO | Financial | L 2 | C 5 | Inherent 7 | Control 2 | Control monitoring, hazard
Controls/Mitigating Treatment in place:
- Annual review of insurance policies, consistent with risk assessment
- Maintain regular liaison with insurer

O2 | Exposure of employees to workplace induced physical/psychological injury/harm | CEO | Workplace health and safety | L 4 | C 5 | Inherent 9 | Control 3 | Control monitoring, hazard
Controls/Mitigating Treatment in place:
- CheckUP workplace health and safety officer receives regular and appropriate training for the position
- Ensure regular audit and safety check incorporating common equipment and potential hazards
- Ensure a current workplace health and safety plan that meets required standards is available to all staff and reviewed annually
- Ensure CheckUP is represented at combined building WHS Committee meetings, and review and implement meeting recommendations
- Ensure appropriate policy and procedures are in place within CheckUP to manage workplace stress
- Budget for and maintain an employee assistance scheme
- Ensure an adequate number of employees have current first aid qualifications
- Managers to monitor workload and work hours to prevent occupational stress

O3 | Internal conflict between Board/CEO | CEO | HR | L 2 | C 4 | Inherent 6 | Control 2 | Control monitoring, uncertainty
Controls/Mitigating Treatment in place:
- CEO performance plan documented and reviewed regularly
- Board accepts responsibility for CEO recruitment and ongoing monitoring of performance
- CEO has access to external support and supervision
- CheckUP has documented procedures for conflict resolution
- Ensure regular opportunities for Board/CEO interaction, including face-to-face meetings
- Regularly review and clarify respective roles and responsibilities for Board and CEO

O4 | Poor performance by CheckUP representatives damages CheckUP reputation | CEO | Reputation | L 3 | C 4 | Inherent 7 | Control 3 | Control monitoring, hazard
Controls/Mitigating Treatment in place:
- Undertake annual review of representation database
- Ensure representation policy is reviewed and updated regularly to guide selection of representatives
- Ensure all CheckUP representatives are adequately briefed and provided with a representation agreement
- Ensure regular feedback is provided by representatives to CheckUP
- Monitor impact of the revised approach to representation

O5 | Staff conflict | CEO | HR | L 3 | C 4 | Inherent 7 | Control 3 | Control monitoring
Controls/Mitigating Treatment in place:
- Ensure CheckUP maintains a values charter that promotes a culture of working cooperatively
- Maintain and regularly review code of conduct for staff
- Ensure documented procedures are in place for conflict resolution
- Budget for external counselling or mediation for staff

O6 | Low staff morale | CEO | HR | L 5 | C 5 | Inherent 10 | Control 6 | Active management
Controls/Mitigating Treatment in place:
- Build a culture of openness and transparency
- Ensure all staff take accumulated leave on a regular basis
- Build processes for key staff succession planning
- Recognise and reward staff performance
- Undertake staff team building and development, and ensure adequate budget exists for these activities

O7 | Loss of key staff from the organisation | CEO | HR | L 5 | C 5 | Inherent 10 | Control 6 | Active management
Controls/Mitigating Treatment in place:
- Ensure an adequate staff retention strategy is in place at CheckUP, inclusive of appropriate remuneration and working conditions, including professional development
- Seek sustainable funding that facilitates staff retention
- Document and annually review staff remuneration policy
- Implement and regularly review staff benefits policy, consistent with remuneration policy and budgetary constraints
- Ensure systems and processes are employed to retain corporate knowledge within CheckUP if/when staff leave the organisation

O8 | Staff losses compromise capacity to deliver contractual requirements | CEO | HR | L 4 | C 5 | Inherent 9 | Control 6 | Control monitoring, hazard
Controls/Mitigating Treatment in place:
- Ensure an adequate staff retention strategy is in place at CheckUP, inclusive of appropriate remuneration and working conditions, including professional development
- Seek sustainable funding that facilitates staff retention
- Document and annually review staff remuneration policy
- Implement and regularly review staff benefits policy, consistent with remuneration policy and budgetary constraints
- Ensure systems and processes are employed to retain corporate knowledge within CheckUP if/when staff leave the organisation

O9 | Resources (human and financial) inadequate to meet future business opportunities and needs | CEO | Resourcing | L 4 | C 5 | Inherent 9 | Control 6 | Active management
Controls/Mitigating Treatment in place:
Mitigating actions for loss of human resources:
- Ensure an effective change management strategy is implemented in the organisation to minimise staff loss
- Ensure that the contractual management system is monitored and accurately reflects all obligations
- Reorganise human resources to counteract any gap in the delivery and completion of any contract
- Recruit additional staff on a temporary basis if required
- Ensure workforce skills match or align to the emerging and future business needs of the organisation
Mitigating actions for financial resources:
- Intensify financial and budget analysis on a monthly basis to determine cash flow and program continuity
- Develop a cost reduction strategy for the organisation to minimise expenditure over a 12 month period
- Develop and complete a new product and service suite for the organisation on a fee-for-service basis
- Undertake regular monitoring and review of appropriate tenders for which the organisation can apply
- Develop a comprehensive revenue sustainability strategy

O10 | Failure to achieve recertification to ISO 9001:2008 | CEO | Accreditation | L 2 | C 5 | Inherent 7 | Control 1 | Control monitoring
Controls/Mitigating Treatment in place:
- Assign a staff member/workgroup as responsible for ensuring that the requirements of ISO 9001:2008 are met at all times
- Ensure regular staff education on quality and improvement occurs
- Maintain effective continuous quality improvement processes
- Maintain effective twice-yearly internal quality reviews

O11 | Inadequate security | Business Managers | Security | L 3 | C 5 | Inherent 8 | Control 2 | Control monitoring
Controls/Mitigating Treatment in place:
- Maintain panic buttons supplied for staff use
- Ensure lift lock-off is maintained
- Ensure Key Policy is maintained
- Maintain security arrangements with Instant Security
- Provide remote computer access for staff on request
- Monitor staff out-of-hours work

O12 | Insufficient demand for products and services | CEO | Marketing | L 4 | C 5 | Inherent 9 | Control 7 | Active management
Controls/Mitigating Treatment in place:
- Undertake market sounding (assessment of needs) prior to the development or expansion of product and service offerings
- Undertake a competitor analysis where demand has diminished
- Undertake a review of type, price and quality of services on offer
- Develop a marketing strategy for all product and service offerings

O13 | Products and services do not deliver value for customers | CEO | Marketing | L 4 | C 5 | Inherent 9 | Control 7 | Active management
Controls/Mitigating Treatment in place:
- Ensure that the product and service offerings meet customer expectation in regard to price, value and service
- Establish a clear understanding of the market for products and services and in particular customer expectation and requirements

O14 | IT system infrastructure, performance and support compromise business continuity | CFO | Technology | L 5 | C 5 | Inherent 10 | Control 6 | Active management
Controls/Mitigating Treatment in place:
- Constant monitoring of performance through technical tools
- Early identification of problems and issues
- Collection of issues in an issues log for resolution by IT support officer
- 48-day turnaround for resolution of simple issues
- Upgrades are undertaken on a regular and methodical basis

O15 | Technology infrastructure inadequate to meet future business needs | CFO | Technology | L 5 | C 5 | Inherent 10 | Control 8 | Active management
Controls/Mitigating Treatment in place:
- Assess and align technology and infrastructure needs for emerging and future business products and services

O16 | Inadequate protection of CheckUP IP | CEO | Intellectual property | L 3 | C 5 | Inherent 8 | Control 2 | Control monitoring
Controls/Mitigating Treatment in place:
- Ensure policies in regard to IP are current and applied in the generation of knowledge created by CheckUP
- Any product or service developed is protected by copyright, business regulatory conventions, or trademark
- Monitor the use of CheckUP's IP across the market

O17 | Current marketing capacity inadequate to meet future business needs | CEO | Marketing | L 5 | C 5 | Inherent 10 | Control 6 | Active management
Controls/Mitigating Treatment in place:
- Develop a comprehensive understanding of the marketing needs of the transformed CheckUP
- Undertake an assessment of our marketing resource requirements
- Recruit or contract additional marketing resources to grow the business

O18 | Dynamic external environment compromises stakeholder engagement | CEO | Stakeholder engagement | L 5 | C 4 | Inherent 9 | Control 2 | Control monitoring
Controls/Mitigating Treatment in place:
- Monitor and assess the impacts of environmental volatility on CheckUP
- Consolidate and expand effective existing and new stakeholder relationships
Risk Action Plan for Identified Active Management Risks
Last Updated: Nov 2012

Columns per task: Task No | Mitigating Treatment | Responsibility | Original Due Date | Current Due Date | Status
(Original Due Date, Current Due Date and Status are blank in the plan except where shown.)

STRATEGIC RISKS

S4 | Poor business planning for commercial enterprise | Risk Owner: Board
S4.1 | Employ external expertise as required to evaluate and progress commercial activity | CEO | As required | As required | Ongoing
S4.2 | Review board skills with a view to recruiting commercially focussed director(s) | Board | ? | ? | ?
S4.3 | Assess skills and competencies of board directors and senior management against the requirements guided by strategic objectives of the commercial enterprise | Board
S4.4 | Consider outcomes of the skills and competencies assessment to plan for targeted changes to board and senior management recruitment and/or up-skilling planning | Board
S4.5 | Seek external strategic business planning advice to develop a staged business re-orientation plan | Board and CEO
S4.6 | Assess financial and opportunity cost associated with the change process | Board
S4.7 | Ensure that a commercial perspective is included in all discussions | Board
S4.8 | Scope what other commercial organisations are operating in our space | CEO and Board
S4.9 | Ensure high quality external commercial business planning and implementation advice is available to Board and management in a timely fashion | Board and CEO
S4.10 | Make sure multiple business contingencies exist across 1, 2 and 3 year time frames, with appropriate focus on the first year and without diluting focus on chosen strategies | Board and CEO

S10 | Board structure and composition does not provide strategic leadership for the transition of the organisation | Risk Owner: Board
S10.1 | Appoint additional board member/s consistent with company constitution | Board
S10.2 | Regularly review skills and knowledge of Board members, consistent with Board member Position Description and Board Charter | Board
S10.3 | Clearly define and internally publish the level and scope of member support/resources available through the CheckUP organisation | Board
S10.4 | Succession plan to mitigate loss of Board Directors and Executive | Board
S10.5 | Budget accurately projects and reviews Board costs | Board
S10.6 | Ensure board member roles and responsibilities are defined | Board
S10.7 | Chairs' leadership group and EO's retreat | Board
S10.8 | Monitor relevance of chairs' leadership connection training | Board

S24 | Insufficient organisational capacity to achieve strategic priorities | Risk Owner: Board
S24.1 | Ensure Board are aware of capacity issues when setting strategic priorities | CEO
S24.2 | Develop a long-term strategy to ensure a viable and effective workforce to ensure the achievement of strategic objectives | CEO
S24.3 | Maintain a register of external consultants who are familiar with the organisation and can undertake work at short notice
S24.4 | Proactively use networks to identify potential staff and ensure CEO has capacity to engage
S24.5 | Identify additional resources through grants, direct state government funding or through collaborative projects with aligned priorities
S24.6 | Undertake a thorough mapping exercise of strategic priorities to organisational capacity | CEO
S24.7 | Ensure flexible staffing arrangements so that we can downsize if necessary | CEO
S24.8 | Transition project plan identifies critical areas of shortfall in organisational capacity | CEO

S30 | Mismatch in expectation/perception between members and stakeholders | Risk Owner: Board
S30.1 | Develop communication plans to manage expectations of stakeholders | CEO
S30.2 | Communicate with stakeholders regularly | CEO
S30.3 | Highlight achievements of CheckUP in transition and link with new purpose | CEO
S30.4 | Develop a discussion paper describing a new organisational focus and direction | CEO
S30.5 | Clearly define and externally publish the time-frame for transition | CEO
S30.6 | | CEO
S30.7 | Develop a new value proposition for customers | CEO
S30.8 | Continue to engage with members and stakeholders about our direction | CEO
S30.9 | Ensure good continuous feedback with our stakeholders and members | CEO
S30.10 | Ensure a comprehensive and responsive communication plan to communicate the new role in the altered landscape, with state level responsibilities shifting to the National body and new entities in state health taking on new responsibilities | CEO
S30.11 | Develop clear parameters around the new organisational entity whilst transitioning current responsibilities from the existing CheckUP | CEO
S30.12 | Communicate clearly the over-delivery that CheckUP has offered in the past and the transition to new partnerships and self-reliance | CEO

OPERATIONAL RISKS

O6 | Low staff morale | Risk Owner: CEO
O6.1 | Build a culture of openness and transparency | CEO
O6.2 | Ensure all staff take accumulated leave on a regular basis
O6.3 | Build processes for key staff succession planning
O6.4 | Recognise and reward staff performance
O6.5 | Undertake staff team building and development, and ensure adequate budget exists for these activities

O7 | Loss of key staff from the organisation
O7.1 | Ensure an adequate staff retention strategy is in place at CheckUP, inclusive of appropriate remuneration and working conditions, including professional development
O7.2 | Seek sustainable funding that facilitates staff retention
O7.3 | Document and annually review staff remuneration policy
O7.4 | Implement and regularly review staff benefits policy, consistent with remuneration policy and budgetary constraints
O7.5 | Ensure systems and processes are employed to retain corporate knowledge within CheckUP if/when staff leave the organisation | CEO

O9 | Resources (human and financial) inadequate to meet future business opportunities and needs | Risk Owner: CEO
Mitigating actions for loss of human resources:
O9.1 | Ensure an effective change management strategy is implemented in the organisation to minimise staff loss | CEO
O9.2 | Ensure that the contractual management system is monitored and accurately reflects all obligations | CEO
O9.3 | Reorganise human resources to counteract any gap in the delivery and completion of any contract | CEO
O9.4 | Recruit additional staff on a temporary basis if required | CEO
O9.5 | Ensure workforce skills match or align to the emerging and future business needs of the organisation | BM
Mitigating actions for financial resources:
O9.6 | Intensify financial and budget analysis on a monthly basis to determine cash flow and program continuity | CFO
O9.7 | Develop a cost reduction strategy for the organisation to minimise expenditure over a 12 month period | CFO
O9.8 | Develop and complete a new product and service suite for the organisation on a fee-for-service basis | CEO, CFO, BM
O9.9 | Undertake regular monitoring and review of appropriate tenders for which the organisation can apply | CEO, CFO, BM
O9.10 | Develop a comprehensive revenue sustainability strategy | CEO

O12 | Insufficient demand for products and services | Risk Owner: CEO
O12.1 | Undertake market sounding (assessment of needs) prior to the development or expansion of product and service offerings | CEO
O12.2 | Undertake a competitor analysis where demand has diminished | CEO
O12.3 | Undertake a review of type, price and quality of services on offer | CEO
O12.4 | Develop a marketing strategy for all product and service offerings | CEO

O13 | Products and services do not deliver value for customers | Risk Owner: CEO
O13.1 | Ensure that the product and service offerings meet customer expectation in regard to price, value and service | CEO and BM
O13.2 | Establish a clear understanding of the market for products and services and in particular customer expectation and requirements | CEO and BM

O14 | IT system infrastructure, performance and support compromise business continuity | Risk Owner: CEO
O14.1 | Constant monitoring of performance through technical tools | CFO
O14.2 | Early identification of problems and issues | CFO
O14.3 | Collection of issues in an issues log for resolution by IT support officer | CFO
O14.4 | 48-day turnaround for resolution of simple issues | CFO
O14.5 | Upgrades are undertaken on a regular and methodical basis | CFO

O15 | Technology infrastructure inadequate to meet future business needs | Risk Owner: CEO
O15.1 | Assess and align technology and infrastructure needs for emerging and future business products and services | CFO

O17 | Current marketing capacity inadequate to meet future business needs | Risk Owner: CEO
O17.1 | Develop a comprehensive understanding of the marketing needs of the transformed CheckUP | CEO, CFO, BM
O17.2 | Undertake an assessment of our marketing resource requirements | CEO, CFO, BM
O17.3 | Recruit or contract additional marketing resources to grow the business | CEO, CFO, BM