Policy guide and checklist
This front page is to guide you in creating your Policy and Procedure.
Delete this table once your Policy and Procedure has been approved and finalised.
Before submitting this Policy and Procedure for approval, check that you have completed the following:

Read the HSQF Framework

Read the HSQF User Guide – for Certification, or User Guide – Self-Assessable, depending on your service agreement and what applies to your organisation.

Referred to the most recent HSQF Version Control Register and Log of Changes

Updated or deleted all the yellow highlighted sections in this document

Updated the document code and version number to suit your organisation’s naming convention

Updated the supporting documents section (where relevant)

Updated the header and footer of this document

Added a review date

Logged any changes to your internal policies in your register

Removed QCOSS branding and replaced it with your organisation’s

Removed this page/table from your final version.
Risk Management
Policy and Procedure
Document Code / Version Number
Policy Statement
Risk management is an essential component of the organisation’s quality management system.
{Organisation Name} follows a structured approach to risk that identifies, analyses and treats risks. Risks are communicated to the {Board/Governing Body}.
Our risk management approach is consistent with the requirements of ISO 31000:2018 Risk Management.
Scope
This Policy and Procedure applies to {Organisation Name} as a whole.
HSQF References
● Human Services Quality Standards Indicator 1.4
Related Legislation
Common
● ISO 31000:2018 Risk Management
● Support for people with vulnerabilities in disasters | Community support | Queensland Government (www.qld.gov.au)
Best Practice
● Anti-Cyberbullying Taskforce - Adjust our Settings: A community approach to address cyberbullying among children and young people in Queensland (Queensland Anti-cyberbullying Taskforce, premiers.qld.gov.au)
Child Protection Placement Services
● Child Protection Act 1999
  ○ Principles
  ○ Section 126(h)
● Individual Placement and Support Agreement (IPSA)
Definitions
Acceptable level of risk, or ‘valid’ risk: The acceptable level of risk reflects the decision by the organisation’s management and Board to accept the risk (likelihood and consequences of a risk). In some cases it may be more appropriate for a not-for-profit to consider a risk ‘valid’. This is also known as the organisation’s risk appetite.
Communication and consultation: Continual and iterative processes that an organisation conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk.
Consequence: The outcome of an event affecting objectives.
Control: A measure that modifies (usually, reduces) risk.
Likelihood: The chance of something happening.
Residual risk level: The risk remaining after risk treatment.
Risk: The effect of uncertainty on objectives.
Risk appetite: The amount and type of risk that an organisation is willing to retain.
Risk assessment: The overall process of risk identification, risk analysis and risk evaluation.
Risk level: The risk rating calculated using likelihood and consequence criteria after considering the existing control environment.
Risk management: Coordinated activities undertaken by an organisation to control or reduce risk.
Risk Management Framework: This broadly articulates how risk management is integrated into and aligned with your organisation’s policies, procedures, practices and values.
Risk Management Policy: An organisation’s formal statement of its overall intentions and direction regarding risk management.
Risk Management Process: The systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Risk matrix: A tool for ranking and displaying risks by identifying ranges for consequence and likelihood.
Risk Register: A record of risks identified and how they’re managed.
Risk retention: Acceptance of the potential benefit, or burden, of a particular risk.
Risk tolerance: An organisation’s or stakeholder’s readiness to bear the risk after treatment in order to achieve its objectives.
Risk treatment: The process of selecting and implementing measures or ‘treatment options’ to modify risks or their potential consequences.
Stakeholder: A person or organisation that may affect, be affected by, or perceive themselves to be affected by, a decision or activity.
Principles
{Organisation Name}’s risk management approach incorporates the following principles:
● Risk minimisation
● Risk management - deliver safe and high-quality services to clients and staff
● Consistency - risk management applies to all parts of our organisation
● Continuous improvement - risk management supports continuous improvement and accountability in governance.
Procedure
Risk management occurs at two levels:
● Organisational level (high-level, compliance and organisational risks):
  ○ These are risks that, if realised, may have a significant impact on the future of the organisation and its ability to provide services
  ○ These risks are entered into the risk register
  ○ The register is regularly reviewed by {include: Position Title} and endorsed by the Board/Governance body
● Process level (operational risks):
  ○ These are risks that are identified and treated with Policies and Procedures
  ○ These risks are regularly reviewed via external and internal audits
  ○ These risks include vehicle and travel safety, fatigue management, work-related trauma/stress, office incidents and purchasing.
{Organisation Name}’s risk process is:
1. Identify risk sources, areas of impact, causes and possible consequences of potential and presenting risks
2. Assess presenting and potential risks for opportunities, impact and probability of occurring using a probability/impact matrix that identifies the impact of risk from very low to very high
3. Capture risks in the risk register
4. Respond to the risk, taking into consideration:
   ○ Cost of risk response
   ○ Probability and impact of the risk
   ○ Likelihood of the risk response triggering further and more complex risks
5. Treat the risk to reduce potential losses or increase gains by:
   ○ Avoiding risk
   ○ Reducing risk
   ○ Transferring risk
   ○ Sharing risk
   ○ Exploiting delays
   ○ Rejecting the risk
6. Implement, monitor and review risks to ensure:
   ○ Treatment is matching or exceeding expected outcomes
   ○ All new risks are captured and responded to on time
   ○ At the beginning of each calendar year, the risk register is rolled over
   ○ Changing circumstances do not alter risk priorities or the effectiveness of control measures
   ○ Factors that may affect the likelihood and consequences of an outcome are monitored, and risk controls are amended as needed.
Roles and Responsibilities
The {Board/Governance Body} is responsible for:
● Ensuring that {Organisation Name} has strategic guidance regarding risk management
● Considering risk as part of their regular Board meetings
● Reviewing and endorsing the entire risk register on an {include: timeframe} basis.
The {include: Position Title} is responsible for:
● Ensuring identified risks are registered and the appropriate treatments are applied to mitigate or minimise risks
● Monitoring risks on a day-to-day basis.
The Management Team is responsible for:
● Formally reviewing the organisation's risk register every {include: timeframe}
● Monitoring the risk audit schedule
● Preparing Board papers
● Providing a general overview of the organisation's risk profile at Board meetings.
Disaster management and business continuity
● {Organisation Name} has and maintains Disaster Management and Business Continuity Plans to ensure that, in the event of an unforeseen incident, we can:
  ○ Continue to operate and provide services to clients
  ○ Minimise disruption
  ○ Support the safety and wellbeing of our clients.
● The Disaster Management and Business Continuity Plans are reviewed by the {include: Position Title} at least every {include: timeframe}
● In unforeseen events, we participate in local disaster management planning to assess and support vulnerable people
● The Disaster Management and Business Continuity Plans are managed by the {include: Position Title}.
{Attach or refer to an appendix for Disaster Management and Business Continuity Plan}
Related Policies and Procedures
● Governance Policy and Procedures
● Financial Management Policy and Procedures
● Continual Improvement Policy and Procedures
● Positive Behaviour Support and Child Protection Policy and Procedures
● Human Rights Policy and Procedures
● Client Safety and Wellbeing Policy and Procedures
● Preventing, Reporting and Responding to Harm, Abuse and Neglect Policy and Procedures
● Incident Management Policy and Procedures
Supporting Documents
{List your supporting documents here, e.g. registers or forms}
Review
This document was last reviewed on {include: date}.
Risk Framework
Identifying risks
Risk identification is a continuous activity within the organisation. Risks can exist whether they are under the
control of the organisation or not.
Generally, we categorise risks into:
1. Governance risks
2. Communication and collaboration risks
3. Process and systems risks
4. Financial risks
5. Human resource risk.
The process used for identifying risks is consistent with an integrated management approach.
We identify risks through:
{remove or add as required}
● Business as usual activities
● Day to day service delivery
● Annual external audit
● {Annual or bi-annual} internal audit
● Workplace Health and Safety audit
● Fire and safety audit
● Financial audit
● Regular maintenance checks of equipment
● Program internal audits
● Compliments and complaints
● Staff performance review
● Business / operational plan review
● Review of contract agreements.
Risk identification is the responsibility of the whole organisation.
{Refer to Table One: Method used to analyse the likelihood of risk}
{Refer to Table Two: The likelihood and consequence of determining the level of risk}
Analysing risk
Risk is analysed using measures of consequence and likelihood:
● The consequence is the outcome of an event and the impact it has on our organisation.
● The likelihood is based on the probability of an event occurring in terms of frequency.
When analysing risk, likelihood and consequences are combined to produce a level of risk. The risk level is defined by the relationship between likelihood and consequence applicable to the area of risk or program under review:
● Risks are either acceptable or unacceptable
● Defining risk as acceptable does not imply that the risk is insignificant
● The risk evaluation considers the organisation's degree of control over each risk and the cost impact, benefits, and opportunities presented by the risks.
Reasons why a risk may be acceptable:
● The level of the risk is so low that specific treatment is not appropriate within available resources
● The risk is such that there is no treatment available
● The cost of treatment, including insurance, is so high compared to the benefit that acceptance is the only option.
● The opportunities presented outweigh the threats to such a degree that the risk is justified.
Managing Risks
Risk management involves developing options for mitigating the risk, assessing those options, and preparing and implementing action plans. The highest-rated risks are addressed as a matter of urgency.
Management of risks is commensurate with the benefits obtained. Depending on the type and nature of the risk, the following options are available:
Avoid Risk
● Decide not to proceed with the activity that introduced the unacceptable risk
● Choose an alternative and more acceptable activity that meets our objectives
● Choose a less risky approach.
Reduce Risk
● Implement a strategy that reduces the likelihood or consequence of the risk to an acceptable level.
Share or Transfer Risk
● Implement a strategy that shares or transfers the risk to others through outsourcing the management of physical assets, developing contracts with other service providers, or insuring against the risk
● The third party must be made aware of and agree to accept this obligation.
Accept the Risk
● Make an informed decision that the risk rating is at an acceptable level or that the cost of the treatment outweighs the benefit.
● No further action is required to treat the risk; however, ongoing monitoring is recommended.
The selection of the most appropriate risk treatment approach is developed in consultation with the {Management team}.
Communication of Risk
A risk assessment report is completed and submitted to the Board.
The report must:
● Identify all risks rated "medium" or above
● Include strategies for addressing the risk
Risks are communicated through the risk register and verbally.
● Supervisors must be told of any risks rated "high" and "extreme" immediately
● The matter is raised with the {include Position Title/s} as a matter of priority
● There are no requirements to raise risks rated as "low."
● Risks rated as "low" are tabled at the next scheduled {include name of meeting} for consideration and endorsement where appropriate.
Table One: Process of identifying, analysing and evaluating risk

Level | Likelihood     | Description                                                                                                       | Probability
1     | Rare           | May only occur in exceptional circumstances. This event is known to have occurred elsewhere – once every 5+ years | <5%
2     | Unlikely       | Could occur at some time – once every 5 years                                                                     | 5% - 30%
3     | Possible       | Might occur at some time – once every 3 years                                                                     | 30% - 60%
4     | Likely         | Will probably occur - once during the year                                                                        | 60% - 90%
5     | Almost Certain | It is expected to occur in most circumstances - frequently during the year                                        | > 90% - 100%
Table Two: The likelihood and consequence of determining the level of risk
The following table illustrates the level of risk ranging from "Low" to "Very High". Likelihood is read down the rows and Consequence across the columns:

Likelihood \ Consequence | Insignificant | Minor | Moderate | Major | Critical
Almost certain           |               |       |          |       |
Likely                   |               |       |          |       |
Possible                 |               |       |          |       |
Unlikely                 |               |       |          |       |
Rare                     |               |       |          |       |
Questions to guide the risk management process
In assessing risks and identifying treatment strategies, the following questions must be asked as a minimum requirement:
1. Are the assumptions, including those made concerning the environment, technology and resources, still valid?
2. What are the associated risks in implementing the strategy?
3. What are the associated risks if the strategy is not implemented?
4. Are the risk solutions effective in minimising the risks?
5. Are the risk treatments comparatively efficient/cost-effective in minimising risks?
6. If relevant, are the management and accounting controls adequate?
7. Do the risk solutions comply with legal requirements, government and organisational policies, including access, equity, ethics, accountability?
8. How can improvements be made?