Sample risk policy and procedure

Risk Policy & Procedure – Sample Only
Purpose and Scope:
This procedure describes the process for risk management and provides a generic
procedure for assessing risk within ABC Education. It describes how risk management
is linked to other compliance activities including the standards for managing risk in the
Australian Quality Training Framework (AQTF), the international standard for quality
management systems (ISO9001: 2000), and the requirements under the OH&S Act
(2000), its associated Regulations (2001) and other Australian Standards.
Policy:
ABC Education is committed to complying with legislative requirements on risk
management as part of a cycle of continuous improvement so as to ensure a safe
workplace and quality training outcomes. As required by ANTA and outlined in the
AQTF, ABC Education must:
“include documented procedures to identify and manage risks concerned with
compliance with the Standards for Registered Training Organisations and to
correct and prevent any failure to comply with the Standards and the RTO’s
quality system, policies or procedures.” (Standard 1.8)
Further, the NSW OH&S Act (2000) requires that a risk management strategy be
implemented to ensure compliance. The Australian standard for risk management
AS/NZ 4360 (1999) is the framework used by ABC Education. This approach ensures
consistency in identification, analysis, reporting and updating of risk issues.
Figure 1 - Source: Australian/New Zealand Risk Management Standard AS/NZS4360 (1999)
Responsibilities:
1. The Quality Management Group (QMG) has organisational responsibility for the
effective implementation of risk management related to all organisational activity.
2. Faculty and Support Unit Managers are responsible for assessing risks against
their business plan, putting the procedure into operation and monitoring and
following up on control plans.
Definitions:
Risk Management
The practice of systematically identifying and evaluating any threats to the organisation;
establishing priorities for action and making decisions about which risk control measures
need to be implemented.
Generic Procedure:
At the beginning of the planning cycle, Faculties and Support Units prepare and
document business plans. These are to take into account the level of risk involved in
plan-associated activities, together with the mitigation strategies to be implemented
where the level of risk is assessed as being too high. When and how risk is assessed
for all major business activities is to be documented within the business plan (refer to the
organisation’s ‘Self Assessment Guide for Functional Units’ available from the
Educational Developments Unit). An approach based on the AS/NZ 4360 is to be used.
Faculties and Institute Support Units are therefore to assess risk by:
1. Establishing the unit/section objectives.
2. Identifying major activities needed to reach the objectives.
3. Identifying and analysing the risks associated with each activity.
4. Evaluating and ranking the risks.
5. Identifying the current risk control measures.
6. Rating the current risk control measures.
7. Determining the current risk.
8. Controlling unacceptable risk through mitigation strategies.
Once major activities and their risks are identified, all affected stakeholders are to be
included in the consultation process around the assessment of the risk.
Where risk is assessed as EXTREME or HIGH, existing and potential control measures
should be established and a reassessment undertaken. Treatment options are to be
applied to the extent that a LOW or MEDIUM risk level can be gained and maintained.
Applying controls
Hard controls may include document trails, reconciliation, physical control over assets,
authority for approvals etc. Soft controls may include ethics, competence, culture,
communication, leadership, integrity etc. The effectiveness of a control should be rated
in a subsequent risk assessment. Effectiveness may be rated as:
• Poor – control is not addressing the risk (High risk level is not changing)
• Fair – control is addressing the risk, but is not considered effective
• Good – control effective in addressing risk (risk level is considered acceptable)
Before employing regulatory instruments as a hard control refer to the document
“Principles for the use of regulatory instruments in organisations” issued by ABC
Education Legal Branch. This gives guidance on when a regulatory instrument is
appropriate.
Where extensive controls are in place for an activity assessed as low risk, consideration
should be given to risk managing instead of continuing to control it. This frees up
organisational resources. Where the final assessment is still EXTREME or HIGH, the
Educational Developments, Corporate Services or Human Resources Manager should
be contacted and an alternative treatment strategy considered such as outsourcing.
A more detailed guide titled ‘Implementing the Management of Risk’ is available to
support the methodology behind this approach. It can be downloaded from ABC
Education’s Intranet at http://………………..
Generic Form:
Appendix 1 provides a generic Risk Assessment Worksheet that provides evidence of
assessment within a structured format.
Compliance to AQTF:
NB - The following provides a specific example of the implementation of risk
management in the area of the AQTF. The generic procedure is as applicable here as it
would be in terms of OH&S, financial systems and other compliance standards
management.
The Risk Management procedure outlined in the Risk Management Policy will be used to
identify and manage the risks associated with compliance with the AQTF standards for
Registered Training Organisations (RTO’s). Annually the Educational Development Unit
will analyse ABC Education’s risk in adhering to the AQTF standards for RTO’s. A
number of sources will be utilised to do this. These include but are not limited to:
• National Key Risk Areas identified by ANTA
• State priorities identified by VETAB from the National Key Risk Areas
• State sources for identifying risks
• Results from Internal Audits
• Analysis of Customer Suggestions & Complaints
• Analysis of surveys conducted including staff and student surveys
• Analysis of staff suggestions
Once this Risk Assessment has been conducted and appropriate controls implemented,
a copy of the business unit risk plan is to be provided to the Educational Developments
Manager for endorsement. On an ongoing basis, the Educational Developments,
Corporate Services and the Human Resources Manager will monitor the risks
associated with AQTF and legislative compliance from a variety of inputs including but
not limited to:
• Internal Audits
• Staff Suggestions
• Customer complaints
• Ministerials
• OH&S Committees
• Appropriate legislation and licensing.
Review
This policy was endorsed on January 1, 2003 and is due for review by December 19,
2003.
Appendices
Appendix 1 - Risk Assessment Template.
Appendix 2 - AQTF National Risk Management Approach
Appendix 3 - National Key Risk Areas (KRA’s)
Appendix 4 - State and Territory Sources for Identifying Risk
APPENDIX 1 - RISK ASSESSMENT WORKSHEET
Business Objective:
Major Process –
Steps:
1.
2.
3.
4.
5.
Worksheet columns:
Risk Ref. | Risk Description | Assessment Before Controls: (L) | (C) | Level of Risk | Accept Risk Y/N | Existing Control Description | Assessment After Controls: (L) | (C) | Controlled Risk | Accept Risk Y/N | Control Rating | Treatment
Appendix 2 - AQTF National Risk Management Approach
Preamble
Unacceptable levels of risk may expose the national vocational education and training (VET)
system to significant financial, legal, social and/or political consequences. To ensure individuals
in receipt of training and assessment services in the VET sector are protected and assured of
quality outcomes, national key risk areas have been identified by the States and Territories.
These will be incorporated into the existing State and Territory risk management processes for
targeting and scheduling audits of registered training organisations (RTO’s).
A national key risk area (KRA) may not assume the same priority in each jurisdiction due to
demographics, policy priorities and social and economic variability. Therefore, States and
Territories will select from these based on importance to their jurisdiction, for inclusion in their 12
month audit schedule.
The national key risk areas will be reviewed and updated annually by the National Training
Quality Council (NTQC). In doing so, they will consider which national key risk areas were
selected by States and Territories, those not selected and the reasons for those decisions, along
with the need for variations, inclusions and deletions to the listing of national key risk areas.
States and Territories could advise the NTQC on priorities or emerging risks through the 12
month audit schedule. In States' and Territories' advice to the NTQC, there will also be an
opportunity to share generic best practice information in both State and Territory audit practices
and RTO business practices, as part of the continuous improvement process to ensure continued
quality training outcomes in the VET sector.
The AQTF National Risk Management Approach will ensure national consistency in the
identification, analysis, reporting and updating of risk issues in accordance with the Risk
Management Standard AS/NZS 4360 (1999). National consistency in risk management will be
further enhanced by the application of the AQTF’s Evidence Guide for Registered Training
Organisations and Auditors as a risk mitigation and control tool.
Audit activities are one part of a continuous improvement cycle to ensure quality training
outcomes in the VET sector. Audit activities have the potential to inform RTO’s about possible
risks associated with their business, encourage self correction and treatment, provide quality
guidance and generic information sharing on best practice and highlight the need for additional
support and guidance in obtaining and maintaining compliance with the AQTF’s standards for
RTO’s.
Appendix 3 - National Key Risk Areas (KRA’s)
KRA1 High number and/or seriousness of verified complaints against RTOs
RTO’s facing a high number of and/or seriousness of verified complaints present a high
risk to the integrity of the VET system and need careful monitoring. Particular risks are
associated with: appropriate policies and procedures; timeliness in dealing with
complaints and transparent and fair processes.
KRA2 Potentially dangerous environments and industries
RTO’s operating in potentially dangerous environments and industries have special
requirements with: identifying the OH&S issues; informing and training staff and students
about OH&S; understanding and managing the impact of OH&S requirements.
KRA3 Delivery of Assessment & Workplace Training qualification (Certificate IV)
RTO’s delivering the qualification (integral to the Australian Quality Training Framework
(AQTF) and every Training Package) face particular risks associated with:
• the qualifications of the trainers and assessors
• the quality of training delivery; and
• the robustness of the assessment.
KRA4 Multi-site delivery (including off-shore)
RTO’s operating across more than one site and/or off-shore have particular risks
associated with maintaining quality and consistency: when operating in more than one
jurisdiction; where management and operations are diversified and decentralised.
KRA5 Delivery and assessment of Training Packages and other AQF
qualifications in new and emerging industries
RTO’s delivering training in new and emerging industries have little or no benchmarking
data by which to verify: the currency of the qualifications and competencies of the trainers
and assessors and determine professional development needs; the quality of training
delivery; the robustness of the assessment; whether the training meets the needs of new
and emerging industries; the status of the qualification in the industry with respect to
whether or not additional training is required.
KRA6 Delivery of training where training is not core business
RTO’s delivering training where training is not core business have particular risks
associated with: the currency of the qualifications of the trainers and assessors; the
quality of training delivery; the robustness of the assessment; the nature and quality of
the supervision; the nature and quality of any partnership arrangements; the commitment
of corporate management to the deployment of adequate resources (ie time, personnel,
facilities, budget) to training delivery and assessment; the ethical management and
transparency of multiple roles (eg schools and Group Training Companies).
KRA7 Delivery by exclusive pathways
There are particular risks where apprenticeships/traineeships are delivered fully on-the-job
in a way that the structured learning component is not explicit, or alternatively, where
the pathway to a particular occupational outcome is fully institutionally based with no real
workplace component.
For fully on-the-job pathways, RTO’s have particular risks associated with: the
qualifications of trainers and assessors; the quality of training delivery; the robustness of
the assessment; the nature and quality of any partnership arrangements; and the nature
and quality of the supervision.
For fully institutional pathways the RTO has risks associated with relevance to current
industry practice, adequacy of skill development opportunities, access to current
equipment and facilities and currency of vocational competencies of trainers and
assessors.
KRA8 Introduction of (or significant expansion of) structured training into established
industries
RTO’s delivering training in industries that have not previously had structured training
have particular risks associated with: the currency of the qualifications of the trainers and
assessors; the quality of training delivery; the robustness of the assessment; the
adequacy of the infrastructure to manage significant expansion of structured training; and
understanding enterprise and industry training requirements.
KRA9 Extreme variations in training effort by RTO’s delivering the same or similar
qualifications
In a competency-based environment, the training effort may vary for the same or similar
qualifications. RTO’s with extreme variations in training effort for the same or similar
qualifications, compared to that of other RTO’s with similar client groups, may have
particular risks associated with the quality of training delivery and the consistency of
outcomes.
Interface Risk Areas:
Where these issues interface with the AQTF’s Standards for Registered Training Organisations,
any risks must be identified, as a result of the interface. The following key risk areas are interface
areas:
KRA10 Introduction of new or changed external regulatory/licensing standards which may
affect Training Package delivery
RTO’s operating where there are changes in external regulatory/licensing standards (eg
Information Technology, Aged Care) which may affect Training Package delivery have
particular risk associated with: identifying new or changed regulations or licences;
informing appropriate persons; understanding and managing the impacts of the new
requirements on Training Package delivery.
KRA11 Priority interface areas as defined by State/Territory (e.g. providers in receipt of
government funds, poor AVETMISS returns, particular courses /qualifications)
RTO’s delivering training in priority areas as defined by the State/Territory are required to
manage the risks associated with those defined areas. States and Territories may have
particular priorities which contain inherent levels of associated risk.
Appendix 4 - State and Territory Sources for Identifying Risk
The following list provides a range of sources that States and Territories could use to identify
risks associated with an RTO’s performance.
• Complaints
• AVETMISS returns
• Contract management information
• Strategic industry audits (internal/external)
• Audit patterns – derived from local audits
• Newspapers/advertising/training program promotional material
• Inter-government/inter-departmental
  • legislation, forums, committees
• Industry training plans
• Research (NCVER etc)
• Size/change of scope
• Extreme variations in advertised program duration
• Regulated training data
• Field officer reports
• Group training data – supplied by managers or media
• Company searches
• Annual internal audits
• Annual financial returns
• Student satisfaction surveys
• Employer surveys
• Stakeholder feedback
• Industry bodies/training plans