[insert organisation name/logo]

Risk Management Procedure

1. Overview of the procedure

This procedure details how the organisation identifies, assesses, treats, monitors and reports on risk. It should be read in conjunction with the Risk Management Policy.

2. Considerations

Risk management is applied to all functions and activities of the organisation. All Board members and staff have responsibility for applying risk management to their functions and activities.

3. Summary of procedure

Risk management is a constant and continual process, involving the following key steps:

1. Communicate and consult
2. Establish the context
3. Identify risks
4. Analyse risks
5. Evaluate risks
6. Treat risks
7. Monitor and review.

3.1 Communicate and consult

Consultation with internal and external stakeholders is the first step in implementing risk management. Internal stakeholders include Board members, staff, students and volunteers. External stakeholders include clients, funding bodies, consultants/contractors, partners and community.

Stakeholders are consulted to provide varied perspectives on potential risks and risk management. Consultation may occur through formal means such as hosting forums/workshops, surveys/questionnaires, feedback forms, delegating responsibility for risk management development strategies to those that may be directly affected, or seeking comment on draft policies/papers. Informal consultation may occur through general discussion or observation when interacting with stakeholders.

The development and implementation of risk management is communicated to all relevant parties throughout the process.

Risk Management Procedure – [month/year] Page 1 of 4

3.2 Establish the context

Establishing the context occurs during risk management processes and when significant changes to the organisation’s external environment or business operations occur. This step establishes the external and internal context in which the rest of the process will take place.

The context identifies the relationship of the risk to the broader organisation, including people, policies, processes and activities. It also identifies the specific risk assessments that need to be undertaken.

3.3 Identify risks

Identifying organisational risk defines potential, perceived and actual risks which may have an adverse effect on the organisation. Organisational risk in the following categories is analysed:

- Financial
- Information management
- Health, safety and environment
- Legal and regulatory
- Planning
- Service delivery
- Human resources
- Clients.

Consideration is given to the range of risk impacts, including personal, program, organisation or sector-wide.

3.4 Analyse and evaluate risks

Once a risk is identified, the potential consequences, a consequence rating and a likelihood rating are determined in order to give an overall risk rating. The Risk Review Template assists in analysing and evaluating risks.

Risk Review Template

Category: [insert risk category, e.g. Human resources]

Risk: [insert detail, e.g. difficulty in recruiting to psychology position]

Risk consequences: [insert consequence detail, e.g. clients with mental health issues don’t have access to in-house specialist psychology services]

Consequence rating (1 to 5):
  1 Minor
  2 Moderate
  3 Significant
  4 Major
  5 Catastrophic

Likelihood rating (1 to 5):
  1 Rare
  2 Unlikely
  3 Moderate
  4 Likely
  5 Almost certain

Risk rating (calculate consequence x likelihood):

Current controls: [insert detail, e.g. psychology position funds utilised to purchase private psychology services]

Risk treatment: [insert detail, e.g. advertise in specialist psychology journals, advertise through community sector networks]

Date of risk assessment:

Date for risk review:

Name and position of risk assessor:

3.5 Treat risks

After analysing and evaluating risks, the treatment of those risks is developed with the aim of eliminating the risk or minimising consequences. Priority is given to risks with a high overall risk rating and to those risks the organisation considers to have an unacceptable level of consequence (such as physical injury/death). Risk treatment is detailed in the Risk Review Table.

Treatment actions may be required when current controls are not adequately managing the risk within defined acceptance levels. Risk treatment options may include:

- avoiding the risk by changing the process or objective
- changing the likelihood of the risk occurring by reducing the cause of the risk
- changing the consequence by reducing the impact of the risk
- sharing or transferring risk ownership and liability to a third party
- retaining the risk and accepting impacts of the risk.

In determining risk treatment options, consideration is given to the cost of the treatment and the likely risk reduction that will result (cost benefit analysis).

The implementation of risk treatments identifies:

- costs of treatment actions and their incorporation into budget planning processes
- person(s) responsible for implementing and communicating treatments (the risk owner(s))
- implementation date(s) or schedules
- performance measures to evaluate treatment impacts.

3.6 Monitor and review

Person(s) responsible for managing risks (the risk owner(s)) ensure identified risks and their treatments are effective and current. The Board of Directors and senior management monitor overall risk management systems and take ownership of risks pertinent to their roles and positions.

A risk register is used to collate and summarise identified risks, for the purpose of monitoring review schedules and for reporting to the Board. All risks are reviewed [insert frequency, e.g. at all Board meetings].