Guide to risk attestation under the Service Agreement

Table of contents
What is risk management?
What is risk attestation?
Why has the department introduced the risk attestation process?
Does my organisation have to attest?
What does the online risk attestation involve?
Question 1: What processes need to be in place to confirm that my organisation is managing risk in accordance with the Australian/New Zealand Risk Management Standard?
Question 2: What does my organisation need to do to review its risk management processes?
Question 3: Who within my organisation has authority to confirm that risk management practices are in place?
My organisation already undertakes an accreditation or registration process that requires my organisation to meet risk management standards. Can this be used as evidence for the attestation?
When is the attestation due?
What will happen if my organisation is not able to fully attest that it has appropriate risk management processes in place?
Where can my organisation go to get further information about risk management?
What is risk management?
Risk management is the process of identifying events that may affect an organisation meeting its goals and
delivering its services, and putting strategies in place to minimise the likelihood of these risks occurring and
the consequences if they do.
Every time your organisation makes a decision to write a plan, change how a service operates, save money
or spend money, your organisation is seeking to manage its risks.
Risk management is an integral part of good management and governance practice and helps your
organisation to meet its aims and objectives and prioritise its resources. Risk management begins with
asking three basic questions:
• What could occur that may impact on your organisation meeting its objectives?
• What will your organisation do to prevent it?
• What will your organisation do if it happens?
Examples of risks an organisation may face include:
• a board member being involved in fraudulent activity leading to funds embezzlement affecting the
financial viability of the organisation
• a fundraising opportunity through a third party which might result in diminished reputation or financial
loss
• an organisation’s computer system failing and staff not being able to access records, or
• an employee or person accessing services slipping and hurting themselves on the organisation’s
premises.
Further information on risk management can be found in the Victorian Managed Insurance Authority (VMIA)
Risk Management Guide at: https://www.vmia.vic.gov.au/risk/risk-tools/risk-management-guide.
What is risk attestation?
Risk attestation under clause 20.2(b) of the Service Agreement is about your organisation reflecting on what
it has in place to manage its risks and confirming that these processes are appropriate for your
organisation. The term ‘attestation’ in this context could be used interchangeably with ‘declaration’.
Why has the Department introduced the risk attestation process?
The Department of Health and Human Services and the Department of Education and Training
(departments) provide community service organisations with over $3 billion each year to deliver a range of
community, health and early childhood services to the Victorian community.
The risk attestation process has been introduced by the departments to support and encourage
organisations to manage risk. The attestation is an opportunity for your organisation to consider its risk
management processes and ways they can be improved to help your organisation meet its objectives and
service delivery responsibilities.
Risk management processes can support your organisation to:
• improve its decision making and planning to achieve goals and objectives
• where possible, prevent and/or reduce the likelihood and consequences of adverse events
• ensure staff, volunteers, people accessing services and other stakeholders have confidence and feel
protected when receiving services
• focus on identifying ways services can be improved.
Does my organisation have to attest?
In general, if your organisation has a Service Agreement with the Department of Health and Human
Services or the Department of Education and Training you are required to complete the risk attestation each
year.
For organisations such as TAFEs and Public Hospitals (established under the Health Services Act 1988)
that are already required to make a similar attestation under the Victorian Government Risk Management
Framework in their annual report, the department will not require an additional online attestation.
What does the online risk attestation involve?
The risk attestation is to be made online on the Service Agreement Module (SAM) on the Funded Agency
Channel website by a Chief Executive Officer, Board/Committee member or their equivalent. Instructions for
accessing the module are available on the Funded Agency Channel at:
http://www.dhs.vic.gov.au/funded-agency-channel/accessing-my-agency/using-my-agency/user-guidelines
The guide is titled ‘How to complete your Risk Attestation in the Service Agreement Module’.
The online attestation will require your organisation to answer three questions relating to whether your
organisation has:
• processes in place for managing risk in accordance with the Australian/New Zealand risk management
standard
• reviewed its risk management processes in the previous twelve months
• had a relevant authority in your organisation confirm that the risk management processes your
organisation has in place satisfactorily manage its risks.
The information below aims to help your organisation answer these questions. If your organisation is not
able to answer ’Yes’ to some of the questions, to complete the attestation your organisation will also be
asked to provide a brief description of how it will improve its risk management processes in the future.
Question 1: What processes need to be in place to confirm that my organisation is
managing risk in accordance with the Australian/New Zealand Risk Management
Standard?
The Australian/New Zealand Standard is referred to as AS/NZS ISO 31000:2009 Risk management – Principles
and guidelines. This standard provides a range of key principles for managing risk. The principles
highlight the importance of risk being considered in an organisation’s everyday planning and decision
making. All aspects of your organisation’s business are to be considered when determining key risks, for
example operational, financial and governance risks.
While not all risks can be prevented, strategies and plans can be developed to manage the consequences of
a risk if it occurs. By identifying your organisation’s key risks and taking reasonable precautions to
prevent them from occurring, your organisation can continue to focus on the delivery of services and
supporting employees, volunteers and other representatives of your organisation in this delivery.
One of the most important risk management principles is for your organisation to ensure that the risk
management processes it has in place are tailored to your organisation’s circumstances. The type of
processes your organisation will have in place to manage its risks depend on a range of factors such as
your organisation’s size, structure and the nature of the services it provides. Your organisation’s risk
management processes will also change over time as risk management becomes more embedded in your
organisation.
For small organisations, risk management processes may be as simple as:
• setting aside an hour every six months at a committee meeting to consider any risks to services that
might occur and examining and reviewing ways to prevent these risks occurring
• having in place:
o an occupational health and safety policy
o a policy for avoiding the spread of illness or disease
o emergency management processes
o a process for recording and acting on incidents that occur.
Organisations that are larger and are delivering a complex range of services may also have in place:
• a formal audit and risk management committee that provides recommendations to the Board or
Committee of Management on risk management strategies
• a documented and comprehensive risk management framework which includes defined roles and
responsibilities
• a risk register to prioritise risks based on likelihood and consequence scales.
These are examples only. Your organisation might also have other ways that it manages risk.
Refer to the VMIA website for further information on the Australian/New Zealand Risk Management
Standards (www.vmia.vic.gov.au/riskmanagementstandards).
Question 2: What does my organisation need to do to review its risk management
processes?
At least once a year your organisation needs to review its risks and its risk management processes to
consider how these processes can be improved. How your organisation improves its risk management
processes will depend on the size and nature of your organisation. The review does not need to be
onerous.
It is good practice to document the review in writing and have it considered and endorsed by your
organisation’s Board or Committee of Management.
Question 3: Who within my organisation has authority to confirm that risk
management practices are in place?
The attestation requires an appropriate authority in your organisation to confirm that appropriate risk
management processes are in place. Most of the time this is done by an organisation’s Board or Committee
of Management.
My organisation already undertakes an accreditation or registration process that
requires my organisation to meet risk management standards. Can this be used as
evidence for the attestation?
The risk attestation is about an organisation confirming annually whether it has appropriate processes in
place to identify and manage its risks.
Many organisations undertake an accreditation or registration process that requires them to meet risk
standards, for example accreditation under the National Safety and Quality Health Service Standards or the
Department of Human Services Standards. Organisations should use compliance with these standards to
feel confident that appropriate risk management processes are in place to allow the organisation to attest.
When is the attestation due?
To streamline processes from 2013, the risk attestation will be due at the same time that your organisation
completes the Financial Accountability Requirement (FAR). In general, an organisation is to provide its FAR
to the department:
• three months after the end of its financial operating period (1 October for organisations operating on a
financial year and 1 April for organisations operating on a calendar year); or
• seven days after an organisation’s annual general meeting.
What will happen if my organisation is not able to fully attest that it has appropriate
risk management processes in place?
Your organisation can always complete the attestation. By completing the attestation your organisation has
met the requirements of the service agreement.
Where your organisation does not answer ‘Yes’ to all three questions in the risk attestation, your
organisation can still complete the attestation by indicating in Question 4 what your organisation will do in
the future to improve its risk management processes.
The focus of the risk attestation is on continuous improvement. The department, with the Victorian Managed
Insurance Authority (VMIA), is committed to supporting organisations to improve their risk management
processes. The departments and VMIA will use the information gathered from the attestation to put
appropriate resources and supports in place for organisations that are identified as requiring assistance to
improve their risk management processes.
A formal request to complete the annual risk attestation will be sent by the departments to the primary
contact of your organisation normally by email. If the attestation is not made by the due date, a reminder will
also be sent. If the risk attestation is not completed, this will be considered by the department when
monitoring an organisation’s overall performance.
Where can my organisation go to get further information about risk management?
For a more detailed explanation about risk management and attestation refer to the following links:
Resource: VMIA Risk Management Guide
A VMIA guide to assist organisations to better understand risk management, the risk management process
and how to implement a risk management program.
Link: https://www.vmia.vic.gov.au/risk/risk-tools/risk-management-guide

Resource: Risk Management Control Model for Disability Services
A self-assessment tool produced by NDS and VMIA to strengthen organisational governance, and the risk
management knowledge and capacity of disability service providers.
Link: http://www.nds.org.au/projects/article/69

Resource: Training
VMIA offers a range of training and development programs that lead the direction and the development of
risk management in the Victorian public sector.
Link: http://www.vmia.vic.gov.au/training

Resource: Risk register software
VMIA offers a free, easy to use and secure software solution for risk managers to record and report on key
risks.
Link: http://www.vmia.vic.gov.au/riskregistersoftware

Resource: Risk appetite
Information for CSOs wanting a deeper understanding of this important risk management concept.
Link: https://www.theirm.org/knowledge-and-resources/thought-leadership/risk-appetite-and-tolerance/

Resource: Business continuity guide
A practical guide for organisations wanting to know more about business continuity management as part of
their broader risk management planning.
Link: ANAO BCP Better Practice Guide.
For further information regarding risk management your organisation can also contact VMIA at
cso@vmia.vic.gov.au.