Risk and Control Analysis

Internal Audit

Risk Analysis – Risk Matrix
Risk Rating (Very High, High, Medium or Low) is determined from the combination of Likelihood and Consequence assigned to the risk behind each finding.

RISK MATRIX (rows: Likelihood; columns: Consequence)

Likelihood \ Consequence | 1 (Insignificant) | 2 (Minor) | 3 (Moderate) | 4 (Major) | 5 (Critical)
5 (Almost Certain)       | Medium            | High      | High         | Very High | Very High
4 (Likely)               | Low               | Medium    | High         | High      | Very High
3 (Possible)             | Low               | Medium    | Medium       | High      | High
2 (Unlikely)             | Low               | Low       | Medium       | Medium    | High
1 (Rare)                 | Low               | Low       | Low          | Medium    | Medium
Criteria for Response to Risk

Risk Rating: VERY HIGH
  Criteria for Management of Risk: Intolerable under any circumstances. Must take immediate action to avoid risk.
  Oversight: Relevant Executive Manager is accountable where the financial loss risk is deemed “Very High” at the relevant operating unit’s Gross Total Revenue (GTR) level limit AND the consequence is not deemed major or critical under any other risk consequence measure. Vice Chancellor is accountable for any other operating unit risks that are deemed “Very High”.

Risk Rating: HIGH
  Criteria for Management of Risk: May be tolerated for short periods of time under exceptional circumstances. Executive management attention needed and management responsibilities specified for further action.
  Oversight: Relevant Executive Manager is accountable. Regular progress reports to Executive group on the action being taken.

Risk Rating: MEDIUM
  Criteria for Management of Risk: May be tolerated for up to 12 months. Action plan required to ensure treatment of risk within 12 months. Intermediary controls where practicable.
  Oversight: Risk Owner at relevant operating unit level is accountable. Regular reports to relevant Executive Manager on the action being taken.

Risk Rating: LOW
  Criteria for Management of Risk: Retain risk but monitor with a view to prevent escalation.
  Oversight: Risk Owner at relevant operating unit level is accountable.

Measures Of Consequence

Each rating is defined across six measures: Financial Loss; People (OSH risks only); Reputation/Image; Performance; Corporate Social Responsibility (CSR); Liability & Compliance.

RATING 5 (Critical)
  Financial loss: In excess of $30 million [or 5% of gross total revenue (GTR)].
  People (OSH risks only): Death or multiple deaths.
  Reputation/Image: Damage to reputation at international level; adverse international media coverage; loss of Government, student or community support.
  Performance: Greater than 50% variation in multiple core KPIs.
  CSR: Widespread disruption to the community with significant adverse economic impact to community and/or long term large scale damage to habitat or environment.
  Liability & Compliance: Regulatory intervention; prosecution; fines, costs or penalties above $1 million.

RATING 4 (Major)
  Financial loss: >$10 million to $30 million [or >2% to 5% of GTR].
  People (OSH risks only): Multiple serious injuries.
  Reputation/Image: Damage to reputation at national level; adverse national media coverage; Government agency/regulator intervention; significant decrease in community support.
  Performance: Greater than 25% variation in multiple core KPIs OR greater than 50% variation in one core KPI.
  CSR: Disruption to community with adverse economic impact on community and/or severe impact on environment requiring remediation of damage to habitat or environment.
  Liability & Compliance: Breach of licenses, legislation, regulation or mandated standards; fines, costs or penalties from $500K to $1 million.

RATING 3 (Moderate)
  Financial loss: >$1 million to $10 million [or >0.2% to 2% of GTR].
  People (OSH risks only): Individual serious injuries.
  Reputation/Image: Adverse news in WA state media; decrease in Government, student or community support.
  Performance: Greater than 25% variation in one core KPI.
  CSR: Isolated community disruption with limited adverse economic impact on community and/or moderate impact on environment with no long-term or irreversible damage.
  Liability & Compliance: Breach of external standards, guidelines or impending legislation, or subject raised as a corporate concern through audit findings or voluntary agreements; fines, costs or penalties from $100K to $500K.

RATING 2 (Minor)
  Financial loss: >$100,000 to $1 million [or >0.02% to 0.2% of GTR].
  People (OSH risks only): First Aid.
  Reputation/Image: Adverse news in local media; concerns on performance raised by Government, students or the community.
  Performance: Greater than 25% variation in multiple non-core KPIs.
  CSR: Isolated community disruption with low economic impact on community and/or breach of environmental policy with low impact on environment.
  Liability & Compliance: Breach of internal procedures or guidelines; fines, costs or penalties less than $100K.

RATING 1 (Insignificant)
  Financial loss: <A$100,000 [or <0.02% of GTR].
  People (OSH risks only): No injuries.
  Reputation/Image: Public awareness may exist, but there is little public concern; issue resolved promptly by day-to-day management process.
  Performance: Greater than 25% variation in a non-core KPI.
  CSR: Isolated community disruption with negligible economic impact on community and/or technical breach of environmental policy with negligible impact on environment.
  Liability & Compliance: No breach of licenses, standards, guidelines or related audit findings.
Measures Of Likelihood Or Frequency

RATING             | LIKELIHOOD                                                                                                   | FREQUENCY
5 (Almost Certain) | The event is expected to occur in most circumstances, OR has occurred and is expected to continue to impact upon Curtin. | More than one event per year.
4 (Likely)         | The event will probably occur in most circumstances.                                                        | One event in every 1 to 3 years.
3 (Possible)       | The event could occur at some time.                                                                          | One event in every 4 to 10 years.
2 (Unlikely)       | Not expected, but the event may occur at some time.                                                          | One event every 11 to 100 years.
1 (Rare)           | The event may occur only in exceptional circumstances.                                                       | Once every 100 years or more.
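The matrix, the financial-loss bands and the oversight rule above combine into a small calculation that a risk register usually ends up encoding. The following Python is an added example written for this page; it is not Curtin Internal Audit's own tooling. It assumes the consequence rating of a finding is the worst of its individual measures, reads the "[or x% of GTR]" alternative as "whichever threshold the loss exceeds", and treats "financial loss risk deemed Very High at the GTR level limit" as the financial measure alone producing a Very High matrix result; the finding, revenue figure and loss estimate in the demo are constructed values.

```python
"""Risk rating per the Internal Audit risk matrix on this page (added example, not the template's tooling)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Risk matrix from the page: rows are likelihood 5..1, columns are consequence 1..5.
RISK_MATRIX: Dict[int, List[str]] = {
    5: ["Medium", "High", "High", "Very High", "Very High"],
    4: ["Low", "Medium", "High", "High", "Very High"],
    3: ["Low", "Medium", "Medium", "High", "High"],
    2: ["Low", "Low", "Medium", "Medium", "High"],
    1: ["Low", "Low", "Low", "Medium", "Medium"],
}

# Criteria for Management of Risk, condensed from the page's wording.
TREATMENT = {
    "Very High": "Intolerable; take immediate action to avoid the risk",
    "High": "Tolerate only briefly under exceptional circumstances; executive attention needed",
    "Medium": "Tolerate up to 12 months; action plan and intermediary controls required",
    "Low": "Retain and monitor to prevent escalation",
}

# FINANCIAL LOSS bands: (rating, absolute threshold in dollars, threshold as a fraction of GTR).
# A band is entered when the loss EXCEEDS either threshold; a loss at or below all of them is 1 (Insignificant).
FINANCIAL_BANDS = [
    (5, 30_000_000, 0.05),
    (4, 10_000_000, 0.02),
    (3, 1_000_000, 0.002),
    (2, 100_000, 0.0002),
]


def risk_rating(likelihood: int, consequence: int) -> str:
    """Matrix lookup; rejects out-of-range values instead of silently clamping them."""
    if likelihood not in RISK_MATRIX or consequence not in range(1, 6):
        raise ValueError("likelihood and consequence must be integers 1..5")
    return RISK_MATRIX[likelihood][consequence - 1]


def financial_consequence(loss_dollars: float, gtr_dollars: Optional[float] = None) -> int:
    """Rating for the FINANCIAL LOSS measure. When the operating unit's gross total revenue (GTR)
    is supplied, the '[or x% of GTR]' alternative can lift a modest absolute loss into a higher band."""
    for rating, abs_threshold, gtr_fraction in FINANCIAL_BANDS:
        if loss_dollars > abs_threshold:
            return rating
        if gtr_dollars is not None and loss_dollars > gtr_fraction * gtr_dollars:
            return rating
    return 1


def likelihood_from_interval(years_between_events: float) -> int:
    """Likelihood rating from the FREQUENCY column (mean interval between events, in years).
    Assumption: exactly 100 years is read as '11 to 100 years' (rating 2)."""
    if years_between_events < 1:      # more than one event per year
        return 5
    if years_between_events <= 3:     # one event every 1 to 3 years
        return 4
    if years_between_events <= 10:    # one event every 4 to 10 years
        return 3
    if years_between_events <= 100:   # one event every 11 to 100 years
        return 2
    return 1                          # once every 100 years or more


@dataclass
class Finding:
    name: str
    likelihood: int
    consequences: Dict[str, int]  # measure name -> rating 1..5, e.g. {"financial": 5, "reputation": 3}


def assess(finding: Finding) -> Dict[str, str]:
    """Overall consequence is the worst measure; accountability follows the page's Oversight column,
    including the Very High case where only the financial measure drives the rating."""
    consequence = max(finding.consequences.values())
    rating = risk_rating(finding.likelihood, consequence)
    if rating == "Very High":
        financial = finding.consequences.get("financial", 1)
        other_major = any(r >= 4 for m, r in finding.consequences.items() if m != "financial")
        if risk_rating(finding.likelihood, financial) == "Very High" and not other_major:
            accountable = "Relevant Executive Manager"
        else:
            accountable = "Vice Chancellor"
    elif rating == "High":
        accountable = "Relevant Executive Manager"
    else:
        accountable = "Risk Owner at operating unit level"
    return {"risk_rating": rating, "accountable": accountable, "treatment": TREATMENT[rating]}


if __name__ == "__main__":
    # Constructed sample finding: a $2M loss estimate against a $20M-GTR unit, expected about every two years.
    sample = Finding(
        "Loss of student records system",
        likelihood_from_interval(2),
        {"financial": financial_consequence(2_000_000, gtr_dollars=20_000_000), "reputation": 3},
    )
    print(sample.name, assess(sample))
```

The GTR alternative is the edge case worth noticing: a $2 million loss is only Moderate on the absolute scale, but for a unit with $20 million revenue it is 10% of GTR and therefore Critical, and with a Likely likelihood the finding rates Very High. Because no other measure is Major or Critical, the oversight rule assigns it to the Relevant Executive Manager rather than the Vice Chancellor.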
RISK AND CONTROL ANALYSIS (worksheet template)

Audit: xxxxxxxxxx
Business Activity, Function or Area: xxxxxxxxxx
Risk Owner: xxxxxxxxxx
Date: xxxxxxxxxx

One row per risk. Columns are grouped as follows:

Risk Identification
  Risk No. (x.x)
  What Can Happen
  Consequences

Risk Analysis (Before Controls)
  Likelih. Rating
  Cons. Rating
  Risk Rating

Key Controls Currently in Place

Audit Testing Req? (Y or N)

Residual Risks to be Reported

Risk No. | What Can Happen | Consequences | Likelih. Rating | Cons. Rating | Risk Rating | Key Controls Currently in Place | Audit Testing Req? (Y or N) | Residual Risks to be Reported
x.x      | xxxxxxxxx       | xxxxxxxxx    | x               | x            | x           | xxxxxxx                         | X                           | xxxxxxx