[insert organisation name/logo]
Risk Management Procedure
1.
Overview of the procedure
This procedure details how the organisation identifies, assesses, treats, monitors and
reports on risk. It should be read in conjunction with the Risk Management Policy.
2.
Considerations
Risk management is applied to all functions and activities of the organisation.
All Board members and staff have responsibility for applying risk management to
their functions and activities.
3.
Summary of procedure
Risk management is a constant and continual process, involving the following key
steps:
1.
2.
3.
4.
5.
6.
7.
3.1
Communicate and consult
Establish the context
Identify risks
Analyse risks
Evaluate risks
Treat risks
Monitor and review.
Communicate and consult
Consultation with internal and external stakeholders is the first step in implementing
risk management. Internal stakeholders include Board members, staff, students, and
volunteers.
External
stakeholders
include
clients,
funding
bodies,
consultants/contractors, partners and community.
Stakeholders are consulted to provide varied perspectives on potential risks and risk
management. Consultation may occur through formal means such as hosting
forums/workshops, surveys/questionnaires, feedback forms, delegating responsibility
for risk management development strategies to those that may be directly affected,
Risk Management Procedure – [month/year]
Page 1 of 4
or seeking comment on draft policies/papers. Informal consultation may occur
through general discussion or observation when interacting with stakeholders.
The development and implementation of risk management is communicated to all
relevant parties throughout the process.
3.2
Establish the context
Establishing the context occurs during risk management processes and when
significant changes to the organisation’s external environment or business operations
occur.
This step establishes the external and internal context in which the rest of the
process will take place. The context identifies the relationship of the risk to the
broader organisation, including people, policies, processes and activities. It also
identifies the specific risk assessments that need to be undertaken.
3.3
Identify risks
Identifying organisational risk defines potential, perceived and actual risks which may
have an adverse affect on the organisation. Organisational risk in the following
categories is analysed:
-
Financial
Information management
Health, safety and environment
Legal and regulatory
Planning
Service delivery
Human resources
Clients.
Consideration is given to the range of risk impacts, including personal, program,
organisation or sector-wide.
3.4
Analyse and evaluate risks
Once a risk is identified, the potential consequences, a consequence rating and a
likelihood rating are determined in order to give an overall risk rating.
The Risk Review Template assists in analysing and evaluating risks.
Risk Management Procedure – [month/year]
Page 2 of 4
Risk Review Template
Category: [insert risk category, e.g. Human resources]
Risk: [insert detail, e.g. difficulty in recruiting to psychology position]
Risk consequences
Consequence
rating
[insert consequence detail, e.g. clients with mental health
issues don’t have access to in-house specialist psychology
services]
1
2
3
4
5
Likelihood
rating
Rare
1
Minor
Moderate
2
Significant
3
Major
Unlikely
Moderate
Likely
4
Catastrophic
5
Almost
certain
Risk rating
(Calculate consequence x likelihood)
Current controls:
[insert detail, e.g. psychology position funds utilised to purchase private psychology services]
Risk treatment:
[insert detail, e.g. Advertise in specialist psychology journals, advertise through community sector
networks].
Date of risk assessment:
Date for risk review:
Name and position of risk assessor:
3.5
Treat Risks
After analysing and evaluating risks, the treatment of those risks is developed with
the aim of eliminating the risk or minimising consequences. Priority is given to risks
with a high overall risk rating and to those risks the organisation considers to have an
unacceptable level of consequence (such as physical injury/death). Risk treatment is
detailed in the Risk Review Table.
Risk Management Procedure – [month/year]
Page 3 of 4
Treatment actions may be required when current controls are not adequately
managing the risk within defined acceptance levels.
Risk treatment options may include:
-
avoiding the risk by changing the process or objective
changing the likelihood of the risk occurring by reducing the cause of the risk
- changing the consequence by reducing the impact of the risk
- sharing or transferring risk ownership and liability to a third party
- retaining the risk and accepting impacts of the risk.
In determining risk treatment options, consideration is given to the cost of the
treatment and the likely risk reduction that will result (cost benefit analysis).
The implementation of risk treatments identifies:
- costs of treatment actions and incorporation into budget planning processes
- person(s) responsible for implementing and communicating treatments (the
risk owner(s))
- implementation dates(s) or schedules
- performance measures to evaluate treatment impacts.
3.6
Monitor and Review
Person(s) responsible for managing risks (the risk owner(s)) ensures identified risks
and their treatments are effective and current.
The Board of Directors and senior management monitor overall risk management
systems and take ownership of risks pertinent to their roles and positions.
A risk register is used to collate and summarise identified risks, for the purpose of
monitoring review schedules and for reporting to the Board. All risks are reviewed
[insert frequency, i.e. at all Board meetings].
Risk Management Procedure – [month/year]
Page 4 of 4