RISK AND CONTROL ANALYSIS

Internal Audit Risk Analysis – Risk Matrix

Risk Rating (Very High, High, Medium or Low) is determined from the combination of Likelihood and Consequence assigned to the risk behind each finding.

RISK MATRIX (rows: Likelihood rating; columns: Consequence rating)

                      1 (Insignificant)   2 (Minor)   3 (Moderate)   4 (Major)    5 (Critical)
5 (Almost Certain)    Medium              High        High           Very High    Very High
4 (Likely)            Low                 Medium      High           High         Very High
3 (Possible)          Low                 Medium      Medium         High         High
2 (Unlikely)          Low                 Low         Medium         Medium       High
1 (Rare)              Low                 Low         Low            Medium       Medium

Criteria for Response to Risk

Risk Rating: VERY HIGH
  Criteria for Management of Risk: Intolerable under any circumstances. Must take immediate action to avoid risk.
  Oversight: Relevant Executive Manager is accountable where the financial loss risk is deemed “Very High” at the relevant operating unit’s Gross Total Revenue (GTR) level limit AND the consequence is not deemed major or critical under any other risk consequence measure. Vice Chancellor is accountable for any other operating unit risks that are deemed “Very High”.

Risk Rating: HIGH
  Criteria for Management of Risk: May be tolerated for short periods of time under exceptional circumstances. Executive management attention needed and management responsibilities specified for further action.
  Oversight: Relevant Executive Manager is accountable. Regular progress reports to Executive group on the action being taken.

Risk Rating: MEDIUM
  Criteria for Management of Risk: May be tolerated for up to 12 months. Action plan required to ensure treatment of risk within 12 months. Intermediary controls where practicable.
  Oversight: Risk Owner at relevant operating unit level is accountable. Regular reports to relevant Executive Manager on the action being taken.

Risk Rating: LOW
  Criteria for Management of Risk: Retain risk but monitor with a view to prevent escalation.
  Oversight: Risk Owner at relevant operating unit level is accountable.
Measures of Consequence

RATING 5 (Critical)
  FINANCIAL LOSS: In excess of $30 million [or 5% of gross total revenue (GTR)].
  PEOPLE (OSH risks only): Death or multiple deaths.
  REPUTATION/IMAGE: Damage to reputation at international level; adverse international media coverage; loss of Government, student or community support.
  PERFORMANCE: Greater than 50% variation in multiple core KPIs.
  CORPORATE SOCIAL RESPONSIBILITY (CSR): Widespread disruption to the community with significant adverse economic impact to community and/or long term large scale damage to habitat or environment.
  LIABILITY & COMPLIANCE: Regulatory intervention; prosecution; fines, costs or penalties above $1 million.

RATING 4 (Major)
  FINANCIAL LOSS: >$10 million to $30 million [or >2% to 5% of GTR].
  PEOPLE (OSH risks only): Multiple serious injuries.
  REPUTATION/IMAGE: Damage to reputation at national level; adverse national media coverage; Government agency/regulator intervention; significant decrease in community support.
  PERFORMANCE: Greater than 25% variation in multiple core KPIs OR greater than 50% variation in one core KPI.
  CORPORATE SOCIAL RESPONSIBILITY (CSR): Disruption to community with adverse economic impact on community and/or severe impact on environment requiring remediation of damage to habitat or environment.
  LIABILITY & COMPLIANCE: Breach of licenses, legislation, regulation or mandated standards; fines, costs or penalties from $500K to $1 million.

RATING 3 (Moderate)
  FINANCIAL LOSS: >$1 million to $10 million [or >0.2% to 2% of GTR].
  PEOPLE (OSH risks only): Individual serious injuries.
  REPUTATION/IMAGE: Adverse news in WA state media; decrease in Government, student or community support.
  PERFORMANCE: Greater than 25% variation in one core KPI.
  CORPORATE SOCIAL RESPONSIBILITY (CSR): Isolated community disruption with limited adverse economic impact on community and/or moderate impact on environment with no long-term or irreversible damage.
  LIABILITY & COMPLIANCE: Breach of external standards, guidelines or impending legislation, or subject raised as a corporate concern through audit findings or voluntary agreements; fines, costs or penalties from $100K to $500K.

RATING 2 (Minor)
  FINANCIAL LOSS: >$100,000 to $1 million [or >0.02% to 0.2% of GTR].
  PEOPLE (OSH risks only): First aid.
  REPUTATION/IMAGE: Adverse news in local media; concerns on performance raised by Government, students or the community.
  PERFORMANCE: Greater than 25% variation in multiple non-core KPIs.
  CORPORATE SOCIAL RESPONSIBILITY (CSR): Isolated community disruption with low economic impact on community and/or breach of environmental policy with low impact on environment.
  LIABILITY & COMPLIANCE: Breach of internal procedures or guidelines; fines, costs or penalties less than $100K.

RATING 1 (Insignificant)
  FINANCIAL LOSS: <A$100,000 [or <0.02% of GTR].
  PEOPLE (OSH risks only): No injuries.
  REPUTATION/IMAGE: Public awareness may exist, but there is little public concern; issue resolved promptly by day-to-day management process.
  PERFORMANCE: Greater than 25% variation in one non-core KPI.
  CORPORATE SOCIAL RESPONSIBILITY (CSR): Isolated community disruption with negligible economic impact on community and/or technical breach of environmental policy with negligible impact on environment.
  LIABILITY & COMPLIANCE: No breach of licenses, standards, guidelines or related audit findings.

Measures of Likelihood or Frequency

RATING              LIKELIHOOD                                                                                          FREQUENCY
5 (Almost Certain)  The event is expected to occur in most circumstances, OR has occurred and is expected to continue   More than one event per year.
                    to impact upon Curtin.
4 (Likely)          The event will probably occur in most circumstances.                                                One event in every 1 to 3 years.
3 (Possible)        The event could occur at some time.                                                                 One event in every 4 to 10 years.
2 (Unlikely)        Not expected, but the event may occur at some time.                                                 One event every 11 to 100 years.
1 (Rare)            The event may occur only in exceptional circumstances.                                              Once every 100 years or more.

RISK AND CONTROL ANALYSIS – Worksheet (template; every entry in the source is a blank placeholder)

Header fields: Audit; Business Activity, Function or Area; Date.

Columns of the worksheet:
  Risk Identification: Risk No.; What Can Happen; Consequences; Risk Owner.
  Risk Analysis (Before Controls): Likelih. Rating; Cons. Rating; Risk Rating (read from the Risk Matrix above).
  Key Controls Currently in Place.
  Audit Testing Req? (Y or N).
  Residual Risks to be Reported.