Treasury 1 Risk Management - Risk Framework

RISK FRAMEWORK

February 2014

Introduction

This Risk Management Framework governs the approach of NSW Treasury. It is not a guide, but a standard to be followed. Risk management is essential to good governance, and as such is a legislative and policy requirement in New South Wales.

Treasury’s Group Executive and senior management team are committed to developing a risk management culture, where risk management is seen as integral to the achievement of our aims at all levels and where all staff are alert to risks, capable of an appropriate level of risk assessment, and confident to report risks or opportunities perceived to be important in relation to the agency’s priorities.

Treasury’s Framework has been developed in compliance with the statewide audit & risk policy TPP 09-05 (under its Core Requirement 5) and the NSW Risk Management Toolkit for Public Sector Agencies. As required by the policy, the toolkit was based on the international risk management standard (ISO 31000, also known as AS/NZS 31000). The standard is not a compliance standard, but a guide to best practice, and the Toolkit invites agencies to make adaptations which create the most efficient and effective template for their needs.

Effective risk management processes are also required by the Public Finance and Audit Act 1983 and the Work Health & Safety Act 2011. The Annual Reports Regulations require agencies to report on their risk management and insurance arrangements. Agencies must attest annually to compliance with all of the core requirements of TPP 09-05.

For Treasury, risk management is much more than a compliance exercise. Our corporate values include integrity and trust. They, along with pride in our high reputation for almost two hundred years are deeply embedded in our culture.

1 “Treasury” is defined throughout this document as all active entities in the Treasury cluster which report through the Secretary.


Definition of Risk

ISO 31000 defines “risk” as “the effect of uncertainty on your agency’s objectives”.

The term “Risk Management” refers to having an overview of an agency’s risks, its risk appetite and the way it chooses to manage strategic and major operational risks. Like other agencies, Treasury identifies and manages risks throughout its management hierarchy, e.g. at Directorate, Branch, Program and Project levels.

This Framework deals with risk management on the agency level, but also aims to provide a standard for consistency in risk identification, analysis and treatment that can be used at all levels from strategic planning to project management.

For example, as the principal agency in a cluster, Treasury also applies this Framework on those occasions where it needs to manage risk across the cluster. As a central agency of the NSW government, it may also apply the Framework to support a whole-of-government view (for example, when considering risks in the Budget development or statewide accounting processes).

Purpose of an effective Risk Management Framework

The successful identification and management of key risks removes or minimises impediments to Treasury’s objectives. It also assists with the early identification of opportunities. This Framework is intended to ensure that the way Treasury engages with risk at all levels is:

Effective

Efficient

Consistent and integrated

Benefits of a robust risk management framework are summarised in Figure 1 below:

Figure 1: Benefits of a robust risk management framework

Source: Management Toolkit for Public Sector Agencies


PART 1:

RISK MANAGEMENT POLICY

Treasury’s Risk Management Policy forms Appendix 1 of this Framework. It was endorsed by the Secretary in August 2012. At the same time the Secretary requested the development of a communication strategy to:

Advise staff of the benefits of the Policy and Framework and progressively embed consistent practices around risk assurance within the organisation’s culture

Advise stakeholders of the benefits of collaborating with Treasury to identify and manage mutual risks

The Framework and Policy are now released in accordance with this communication strategy.

PART 2:

IMPLEMENTING THE RISK POLICY: KEY ELEMENTS OF THE RISK FRAMEWORK

Treasury has implemented the following plan for implementing its risk management policy and embedding the framework.

Element | Action/Milestone | Who | By when

1. Risk Policy | In place | Planning, Risk & Audit Branch (PRA) | August 2012: revised March 2013, then annually

2. Risk framework | In place | PRA | August 2012: revised March 2013, then annually

3. Risk Register and Management Plan | In place | PRA/Executive Board | August 2012: revise annually

4. 1-year Audit Plan | In place | PRA/Executive Board | June 2012: revise annually

5. Communication and development strategy for staff | Complete | PRA/People & Development | Rollout in first half 2013

6. Communication strategy for external stakeholders | Complete | PRA/Corporate/RADs | Rollout to current stakeholders complete by April 2013

7. 3-year Strategic Audit Plan and audit universe | Revise and update annually | PRA/Ernst & Young | Revised Sept 2013; next review March 2014 then annually in December


PART 3:

STRUCTURE OF GOVERNANCE AND MANAGEMENT OF RISK IN NSW TREASURY

Secretary

1. Governance responsibility for risk management and legal compliance within the Treasury cluster. TCorp has separate governance arrangements, but the Treasury Secretary is Chairman of the TCorp Board.

2. Strategic responsibility for advising the Treasurer on risks and opportunities for strengthening State finances and the policy settings driving the State economy.

Audit & Risk Committee (ARC)

Provides independent advice to the Secretary on risk management and legal/regulatory compliance within the Treasury cluster (TCorp Board has a separate ARC).

As input to its advice, it continually monitors: risk identification, assessment and treatment; Treasury’s control framework; external accountability, particularly in relation to financial statements including the accounts of the Total State Sector; compliance with laws, regulations and policies; external audit findings; and the internal audit program, including progress implementing the recommendations arising from both internal and external audit.

Chief Audit Executive

Supports the Audit & Risk Committee and reports to the Secretary.

Assists the senior management team to identify and assess risks and controls and determine appropriate treatments.

In consultation with the Secretary and ARC, plans Treasury’s annual internal audit program, and subsequently manages it.

Senior management team

Management responsibility for identification, assessment and monitoring of risk within the Treasury cluster, and for determination of risk appetite, in consultation with the Secretary.

Deputy Secretary, Budget & Financial Management

Operational responsibility for advising the Secretary and Treasurer on risks and opportunities in relation to State finances and economic drivers.

Directors, Crown & Long Service Corp

Management responsibility for the identification, assessment, management and reporting of risks and controls in Crown and Long Service Corporation, and for recommending elevation of those risks to Treasury strategy level where appropriate.

Develop and maintain risk management policy at operational level.

Project Management Office (PMO)

Monitor the program level, including risks at interdependencies between projects, and advise the senior management team.

Assist project sponsors and managers to manage risk efficiently.

Project Sponsors and Project Managers

Identify, assess, manage, monitor and report on project risks, advising the PMO, the project steering committee and/or senior management.

All staff

Understand and act on their responsibility to report new risks or increases in risk in a timely way.

Have regard to the organisation’s risk appetite in the way staff perform their own work.


PART 4:

THE RISK MANAGEMENT PROCESS

To provide the highest degree of consistency practicable in the management of risk across Treasury and its related entities it is important to have a systematic means of establishing the context in which we are operating, and of identifying, analysing and treating risk in the most effective way within the demands of that context. Such a process should be able to be applied at any level within the agency, and if necessary across the cluster or from a central agency perspective.

The seven elements of the ISO 31000 risk management process and their interrelationships are shown in Figure 2 below. Risk identification, analysis and evaluation are collectively known as “risk assessment”.

Figure 2: The Risk Management Process

Source: ISO/AS-NZS 31000

Establishing the context

Because risk is the effect of uncertainty on objectives, the first step is to understand what those objectives are.

Depending on the level at which we are identifying risk, the context may come from State Plan NSW 2021, Treasury’s strategic level planning, from a Branch’s plan, or from a program or project plan. Ideally, we will understand the objectives of the plan at least one level higher than our own, to deepen our understanding of the context. When identifying and assessing risk we also need an understanding of Treasury’s internal strengths and weaknesses relevant to the objectives that most closely concern us. Bearing the strengths in mind may assist with the identification of unforeseen opportunities.

The more we understand about the agency’s internal and external operating environment, and the expectations of our stakeholders, the better prepared we are to identify and assess those risks which are likeliest to prevent the efficient achievement of our goals.

Factors to consider in the external environment include the political environment, economic conditions, social norms and trends, technology, major trends in the natural environment and laws and regulations. In its role as a central agency, Treasury also needs to consider the strengths and weaknesses of the structures and systems at its interface with other agencies.

Risk Assessment:

1. Risk Identification

The next step is to identify and document all the risks that may impact on Treasury’s ability to achieve its objectives.

Techniques for identifying risks include:

checklists

risk assessment workshops

questionnaires

individual interviews and/or commissioned reviews

Internal and external auditors always look for risk, so their findings should always be sought and considered. In Treasury, the current internal auditors are Ernst & Young and external audit is provided by the Audit Office on behalf of the Auditor-General. To ascertain whether there is a report relevant to your area of concern, contact Treasury’s Chief Audit Executive.

Risk classifications commonly used in Treasury include:

compliance (ie with laws, regulations, Premier/Treasurer Circulars, Treasury policies)

financial (ie the risk involves financial losses)

reputational (a particularly important concern for any Treasury)

fraud and/or corruption

management and people (eg key person risk)

service delivery

health and safety

business continuity (specifically, risks related to recovery after an incident)

In identifying a risk, it is important to document the likely source of the risk, the causes or triggers and the controls which are already in place to deal with the risk or to disarm the “trigger event”. This will help determine likelihood and consequence of the risk (see below).

Further, if we match the triggers to the controls we can easily see where new or additional treatments may be needed.


Risk Assessment:

2. Risk Rating

Treasury has developed a Risk Matrix for staff to use to establish “risk ratings” (Fig 3, next page).

All identified risks should be reviewed and provided with an overall risk rating. This is a combination of the two characteristics, “consequence” and “likelihood” as defined below.

Using the Risk Matrix, the rating can be used to classify a risk as (overall) Low-to-Moderate, Significant, High or Extreme.

Consequence of Risk Occurring:

Classification | Example of Consequence

5 Catastrophic | Would threaten the continuation of the Treasurer, Secretary and/or Board in their positions, or would present a major statewide threat

4 Major | Would produce a real threat to the effective performance of NSW Treasury and/or to the fiscal performance of NSW

3 Moderate | Functions of NSW Treasury could be subject to significant review or changes to operations

2 Minor | A threat to the efficiency or effectiveness of NSW Treasury, but at a level which can be dealt with internally

1 Insignificant | The consequences can be dealt with by routine operations

Likelihood of Risk Occurring:

Risk Level | Description | Likelihood

5 | Very likely | Very high – likely to occur at least once within next six months

4 | Likely | High – likely to occur at least once in the next year

3 | Possible | Risk might occur once in a period of several years

2 | Unlikely | A risk which could occur over time

1 | Rare | A risk that is relatively unknown and has not been experienced to date


Figure 3: NSW Treasury Risk Matrix

NSW TREASURY RISK MATRIX

Rows are LIKELIHOOD, columns are CONSEQUENCES; each cell gives the band letter and the numeric rating.

LIKELIHOOD | INSIGNIFICANT 1 | MINOR 2 | MODERATE 3 | MAJOR 4 | CATASTROPHIC 5

VERY LIKELY 5 | M 5 | S 10 | H 15 | E 20 | E 25

LIKELY 4 | L 4 | M 8 | S 12 | H 16 | E 20

POSSIBLE 3 | L 3 | M 6 | M 9 | S 12 | H 15

UNLIKELY 2 | L 2 | L 4 | M 6 | M 8 | S 10

RARE 1 | L 1 | L 2 | L 3 | L 4 | M 5

Legend:

E 20-25 Extreme Risk: Immediate Action Required, for Secretary’s attention

H 15-19 High Risk: Executive Management attention needed

S 10-14 Significant Risk: Senior Management attention needed

M 5-9 Moderate Risk: Manage by Standard Procedures

L 1-4 Low Risk: Manage by Standard Procedures

Note that the “Legend” in Figure 3 applies at the cluster and agency levels. A Project Management Office may adapt it to have project risks escalate to project leaders and sponsors.

Where risks are truly judged extreme (ie very likely risks which could threaten the continuity of the Treasurer, Secretary or Executive in their roles or present a significant statewide threat or opportunity), they must be brought to the Secretary’s attention even if they emerge from a single project.

3. Defining risk criteria

In addition to likelihood and consequence, effective risk identification will include:

1. the type of consequence/s, i.e. in what way the risk could prevent or impede the attainment of our objective/s


2. what level of risk Treasury is prepared to tolerate in relation to this objective (also known as “risk appetite”)

3. how we will know that any controls or treatments put in place to prevent the risk are working.

Risk Assessment:

4. Risk Appetite

It is very important to understand that risk management does not mean eliminating all risk.

If we overspend on risks which are not really very important to our objectives, we are wasting resources which could be spent more effectively somewhere else. An indicator of a mature risk culture is that the risk management effort is balanced to an accurate reflection of risk appetite.

Consideration should therefore be given to Treasury’s appetite, or tolerance, for each risk.

There are four possible levels, each of which implies a management strategy:

1. Accept: do nothing significant about the risk

2. Manage: accept the risk will probably occur and focus on mitigation

3. Share: e.g. through reinsurance, through escalation to higher management

4. Avoid: employ all practicable measures to ensure the risk never occurs, together with mitigation or fallback strategies in case it does

Managing Risk:

1. Controls and Treatments

Having identified the risks and opportunities which can most affect our objectives, described our appetite for them and prioritised them in terms of likelihood and consequence (or impact), the next step is to assess the degree to which risks are already being managed.

Risks are usually managed via “controls”. Auditors will routinely look for controls when performing audits or risk assessments. Controls may vary. To prevent fraud, for example, we could do a range of things: from installing complex data analytic software to identify errors and losses outside set tolerances, through to simple arrangements like keeping an up to date gifts and benefits register, or instigating a system of peer review and signoff of financial transactions.

Assuming our appetite for a risk is not “Accept”, the best way to ensure it is appropriately controlled is to develop an understanding of its source/s and the trigger events that might cause it to affect Treasury’s objectives. Not only can we then track its emergence, giving us some valuable warning time, but we can check whether the controls in place are likely to be effective against each of the trigger events.


When sufficient controls are not found to be in place and the risk remains a priority, then “risk treatments” will be required. This means action to put more comprehensive controls in place. Often the treatments will be summarised in a Risk Management Plan. All strategic projects should have risk management plans prepared during project planning, to make the project less likely to be delayed or thrown off course.

Risk treatments need to be cost effective, practicable and commensurate with the level of the risk.

Treasury has three distinct levels of controls:

1. “DO”: Those applied by staff and line managers when they follow Treasury’s policies and procedures; make and maintain appropriate records; do repetitive tasks consistently and implement risk treatment plans or the recommendations of internal and external reviews;

2. “REVIEW”: Controls supplied by

o managers and executives who provide quality control and independent checking by reviewing work, and

o the Audit & Risk Committee, which provides independent advice to the Secretary on risk management in Treasury;

3. “AUDIT”: Internal audit runs off a three-year strategic plan and an annual audit program based on the Treasury Risk Management Plan, which in turn is reviewed annually by the Executive Board and the Audit & Risk Committee.

Internal audit is the “third line of defence” against risk because it can provide an independent assessment of the risks and also review the effectiveness of the other controls in managing risk for the benefit of Treasury’s objectives.

Managing Risk:

2. Inherent v Residual Risk

While it is not required practice, it is common to assess risks in terms of “inherent” and “residual” characteristics.

Inherent risk is an assessment of the likelihood and consequences of a risk if there were no controls in place.

Residual risk is the same assessment, but taking existing controls into account.

It does not take into account planned treatments, though we can certainly use those to calculate what the residual risk will be when they are completed.

It is difficult to assess inherent risk because in most cases the existing controls are so much a part of the operating context it is hard to “un-see” them. For Treasury, in most cases an accurate assessment of residual risk will be all that is required for effective management.


The main point of assessing both is that it allows organisations to prioritise more frequent auditing for those areas with the biggest difference between inherent and residual risk, because such a disparity means there is an especially heavy reliance on the controls. One of internal audit’s key tasks is to verify that controls we think are in place are, in fact, present and working effectively.
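The following is an added worked example, not code from the Framework or from NSW Treasury. It encodes the two rating scales and the Figure 3 legend as printed above, uses the observation that every cell of the matrix equals likelihood multiplied by consequence, and then applies the inherent-versus-residual idea from this section: risks whose residual rating is far below their inherent rating are the ones most reliant on controls, so they are ranked first for audit attention, and any risk whose residual rating is Extreme is listed for the Secretary. The register entries are constructed for illustration, and the tie-break on residual rating is this example’s choice rather than a rule from the document.

```python
"""Score risks with the NSW Treasury Risk Matrix (Figure 3) and rank them for
audit by reliance on controls (inherent rating minus residual rating).
Added example; the register entries below are constructed, not Treasury's."""
from __future__ import annotations
from dataclasses import dataclass

# Rating scales as given in the Framework (level number -> label).
LIKELIHOOD = {5: "Very likely", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Rare"}
CONSEQUENCE = {5: "Catastrophic", 4: "Major", 3: "Moderate", 2: "Minor", 1: "Insignificant"}

# Legend bands from Figure 3, highest first: (lowest score in band, code, name, attention).
BANDS = [
    (20, "E", "Extreme", "Immediate action required, for Secretary's attention"),
    (15, "H", "High", "Executive Management attention needed"),
    (10, "S", "Significant", "Senior Management attention needed"),
    (5, "M", "Moderate", "Manage by standard procedures"),
    (1, "L", "Low", "Manage by standard procedures"),
]


def rating(likelihood: int, consequence: int) -> int:
    """Matrix cell value: every cell in Figure 3 equals likelihood x consequence."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must be whole numbers from 1 to 5")
    return likelihood * consequence


def band(score: int) -> tuple[str, str, str]:
    """Map a 1-25 rating to (code, band name, required attention) from the legend."""
    for floor, code, name, attention in BANDS:
        if score >= floor:
            return code, name, attention
    raise ValueError(f"rating {score} is outside the 1-25 matrix")


@dataclass
class Risk:
    name: str
    inherent: tuple[int, int]  # (likelihood, consequence) assuming no controls
    residual: tuple[int, int]  # (likelihood, consequence) with existing controls

    def inherent_rating(self) -> int:
        return rating(*self.inherent)

    def residual_rating(self) -> int:
        return rating(*self.residual)

    def control_reliance(self) -> int:
        """Gap between inherent and residual rating: how much the controls are carrying."""
        gap = self.inherent_rating() - self.residual_rating()
        if gap < 0:
            raise ValueError(f"{self.name}: residual rating cannot exceed inherent rating")
        return gap


def audit_priority(register: list[Risk]) -> list[str]:
    """Order risks for audit attention: largest control reliance first; ties broken by
    the higher residual rating (the tie-break is this example's choice)."""
    ranked = sorted(register, key=lambda r: (-r.control_reliance(), -r.residual_rating()))
    return [r.name for r in ranked]


def for_secretary(register: list[Risk]) -> list[str]:
    """Risks whose residual rating falls in the Extreme band must reach the Secretary."""
    return [r.name for r in register if band(r.residual_rating())[0] == "E"]


# Constructed sample register (hypothetical risks and ratings, not from the document).
SAMPLE_REGISTER = [
    Risk("Fraud in payment approvals", inherent=(4, 4), residual=(2, 3)),
    Risk("Key-person loss in budget modelling", inherent=(3, 3), residual=(3, 2)),
    Risk("Misstatement in Total State Sector Accounts", inherent=(3, 5), residual=(2, 4)),
    Risk("Statewide fiscal shock", inherent=(4, 5), residual=(4, 5)),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        code, name, attention = band(r.residual_rating())
        print(f"{r.name}: inherent {r.inherent_rating()}, residual {r.residual_rating()} "
              f"({code} {name}: {attention}); control reliance {r.control_reliance()}")
    print("Audit priority:", audit_priority(SAMPLE_REGISTER))
    print("Escalate to Secretary:", for_secretary(SAMPLE_REGISTER))
```

Running the block prints each constructed risk with both ratings and its band, then the audit order (the fraud risk first, because a 16 reduced to 6 is the heaviest reliance on controls) and the one risk whose residual rating is still Extreme.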

Managing Risk:

3. Monitoring & Review

To ensure that risk management is operating as intended, Treasury has a monitoring and review framework which allows us to oversee the implementation and assess the effectiveness of:

agency-level risk treatments (applicable across the Treasury cluster)

risk management during projects

management responses to internal and external audit recommendations designed to introduce or strengthen controls for risk

legal and regulatory compliance

this Framework

Agency level risk treatments appear in the Treasury Risk Register and Management Plan, where they are assigned responsible officers and deadlines. The Management Plan is reviewed at least quarterly by the Chief Audit Executive and delays may be referred to management and/or the Audit & Risk Committee.

Project-level risk is identified during the scoping and documentation of projects, recorded and assessed. It is the responsibility of the project manager and project sponsor to ensure that risks are adequately controlled and to implement any agreed treatments or other actions to manage risks. Treasury’s Project Management Office is a second line of defence in monitoring risk at project level for strategic projects, and is accountable for ensuring effective program management, including monitoring risks which may occur through interdependencies between projects.

Treatments arising from internal and external audit, or from recommendations made by ‘watchdog’ agencies, are entered into registers of recommendations, which include the agreed management response, who is responsible and a deadline for each undertaking.

These registers are followed up by Audit & Risk Branch and formally monitored by the Audit & Risk Committee at least quarterly, and unwarranted or unexplained delays are advised automatically to the Secretary.

Compliance risks are included, where strategic, in the Risk Register and Management Plan. A separate Compliance Register has recently been developed which details Treasury’s legal and regulatory obligations, and will be implemented over the next 12 months.

The Risk Management Framework and Policies are reviewed at least annually by the Chief Audit Executive in consultation with senior management and the Audit & Risk Committee.


Internal and external audit service providers are observers at the Committee and their input to this task is welcome, as we seek continuous improvement in line with TPP09-05 and the ISO Standard.

Internal and external audit form the final line of review.

For internal audit, Treasury develops a three-year strategic audit plan based on the Risk Register and Management Plan, and designed to provide a three-dimensional view incorporating:

(a) seriousness of risk rating

(b) coverage across the risk types (financial, reputational, compliance, fraud, etc) and

(c) coverage across the Treasury cluster and across Treasury’s internal structure

This plan is then refined to an Annual Audit Plan, which summarises the brief for each audit in the program. This Plan is developed in consultation with senior management and the Audit & Risk Committee and endorsed by the Secretary on the advice of both. It is implemented by the (outsourced) internal audit service provider, closely monitored by the Chief Audit Executive, who reports directly to the Secretary. The reports of all audits, including management’s responses to the recommendations, are presented to the Committee and subsequently to the Secretary.

External audit is provided by the Audit Office on behalf of the Auditor-General, and is a control for the Parliament rather than for an individual agency or cluster. Treasury has accountability for numerous sets of financial statements, including the Total State Sector Accounts, and external audit consults with the management of each area that compiles statements. Significant risks and/or potential qualification of any given set of statements are brought to the attention of senior management and the Chief Audit Executive as early as possible. External audit is a strong final line of defence against financial risk and compliance risk, especially in relation to accounting standards. The Auditor-General reports directly to Parliament on the main results and themes emerging from external audit across the public sector.

Other reviews – by the Public Accounts Committee, the Auditor-General, the Ombudsman, ICAC and the Office of the Information Commissioner – all occur from time to time.

Recommendations applicable to Treasury are monitored through one of the registers overseen by the Audit & Risk Committee, until agreed actions are completed or until the Secretary is satisfied the risk is within Treasury’s appetite.

APPENDICES:

1. NSW Treasury Risk Management Policy

2. Definitions: a common Risk Vocabulary

Version | Date | Name | Details of changes made to Framework

1 | August 2012 | Nadia Fletcher, Chief Audit Executive | Endorsed but not rolled out: awaiting communication strategy

2 | March 2013 | Nadia Fletcher, CAE | Minor updates

3 | Feb 2014 | Nadia Fletcher, CAE | Endorsed for rollout by Executive. Long Service Corporation and Industrial Relations added. Minor updates. Communication strategy approved.


APPENDIX 1

Risk Management Policy 1

February 2014

Treasury’s 2 role is to provide financial advice to government in support of its goals of achieving and maintaining strong state finances and policy settings which enable a strong economy for NSW.

Risk management is concerned with understanding and managing uncertainty – it covers both opportunities and threats. Treasury recognises that by embedding risk management into all organisational systems and processes, we optimise our ability to meet our organisational objectives.

Treasury maintains a Risk Management Framework based on AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines to support quality and consistency in our approach to risk management and decision making. We record key risk management decisions.

The Framework includes a tailored risk management process to ensure we identify and analyse risks consistently across all functions. It also requires that risk evaluation be linked to practical and cost-effective controls and treatments that are appropriate to our role, and to the level of risk Treasury is willing to bear. It is a waste of resources and effort to try to eliminate all residual risk. Our aim is a mature, consistent risk culture where management effort is balanced to an accurate reflection of our risk appetite.

The Risk Management Framework sits within Treasury’s broader policy framework. We incorporate suitable risk management activities in our planning, in the development and implementation of new policies and programs and in our contract and project management.

Risk management is a continuous process that demands awareness and proactive behaviour from all staff, contractors and external service providers to reduce the possibility and impact of risk on our objectives and to improve our ability to respond to opportunities. It is applicable whether these derive from Treasury’s actions or whether they impact on it from outside.

Risk management is a core responsibility for all Treasury managers. In addition to the assessment of risk, their roles include:

ensuring our staff have the appropriate capability to perform their risk management roles

prioritising and scheduling risk control improvements

reporting to the Executive on the status of risks and controls

identifying and communicating potential improvements for the Department’s risk management practices to Treasury’s Chief Risk Officer (the Chief Audit Executive).

1 Original approval August 2012: updated March 2013. Minor updates Feb 2014.

2 “Treasury” is defined throughout this document as all active entities within the Treasury cluster except the Treasury Corporation (TCorp), which has its own provisions.

All staff are responsible for identifying and managing risk within their work areas. They are also accountable for advising their manager of the existence and assessed impact of the risk and what is being done to manage it.

A table setting out responsibilities at all levels may be found in Treasury’s Risk Framework.

In undertaking their responsibilities, we expect our staff to understand and be familiar with this Framework, including its risk reporting protocols. We expect our staff to be able to differentiate between those risks that are within their responsibility and authority to manage and those that they should escalate through their management structure for further consideration. Staff who are uncertain should report the risk and seek guidance.

Treasury espouses the “no surprises” principle, thus a manager should be made aware of all risks identified within his or her administration (e.g. in the context of a normal management meeting) even when the staff member has identified existing controls or required treatments and is implementing them.

Treasury’s Chief Audit Executive, acting as Chief Risk Officer, is available to support managers and staff in undertaking their risk management activities.

A specific type of risk relates to the Occupational Health and Safety Act 2000. All managers, staff, contractors and visitors have responsibilities under this Act to ensure that Treasury provides a safe workplace and a safe environment for visitors. For more detail see Treasury’s Health & Safety intranet page: http://treasury.intranet/health_and_safety

All Treasury committees need to consider relevant risks and their management as a standing item at all meetings. Treasury’s Audit and Risk Committee is responsible for reviewing our:

risk management process and procedures

risk management strategies for key projects or undertakings

control environment and insurance arrangements

legal and regulatory compliance

business continuity planning arrangements

fraud and corruption controls and plans.

The Committee also provides advice annually to the Secretary on the content of Treasury’s internal audit plan for the forward year. This plan is largely based on identified areas of existing and emerging risk. It also checks controls on which Treasury heavily depends or which have not been reviewed for some time.


Treasury will publish a summary of its risk management performance in each year’s Annual Report. Our challenge into 2014-15 is to establish a culture and systems whereby it becomes second nature to integrate risk management into our everyday service delivery operations – and those of our contractors and partners where relevant to our interests.

Universal involvement and support is critical to achieving this goal, which in turn will help Treasury achieve its critical objectives.

Some areas of Treasury, in particular the Crown entity and the Long Service Corporation, have specific risk management requirements. The Crown has drafted a risk policy for its treasury functions as an adjunct to this one, while Long Service Corporation came into the Treasury cluster with its own risk policy and framework.

Crown’s risks are taken into consideration when establishing and reviewing Treasury’s overall Risk Register and Management Plan and when defining Treasury’s 3-year and 1-year Audit Plans. It is monitored by Treasury’s Audit & Risk Committee. Long Service Corporation has its own Committee, and its own Risk Register and Audit Plans. In coming months the Crown and Long Service Corporation risk procedures will be amalgamated with this Policy and the Treasury framework. In the interim they will continue in use in those entities, with Treasury’s procedures prevailing in the event of a conflict.

We have developed a common risk vocabulary to use when we talk about risk and risk management, which forms Appendix 3 of our Risk Management Framework. This is also available on the intranet page along with risk management tools, processes and procedures.

Treasury is committed to continually improving its ability to manage risk. We will review this policy and our Risk Management Framework at least annually to ensure that they continue to meet our requirements, and will communicate any significant amendments to users. The independent advice of the Audit and Risk Committee will be sought on each review.

For further information on Treasury’s Risk Management Policy, Framework and Process, contact the Chief Audit Executive on nadia.fletcher@treasury.nsw.gov.au.

For information on statewide risk and audit policy, or on the Risk Toolkit released in August 2012, contact Financial Management & Accounting Policy on narayan.mukkavilli@treasury.nsw.gov.au

Philip Gaetjens

Secretary


APPENDIX 2

DEFINITIONS: A COMMON RISK VOCABULARY FOR NSW TREASURY

Treasury’s risk vocabulary is informed by the ISO/AS/NZS 31000 standard.

Term | Meaning

Compliance register | Tool for identifying and monitoring compliance with legislation, regulation or statewide policy. Raises staff awareness of legal obligations and aims to embed/maintain a regard for regulatory compliance in the culture.

Consequence | Positive or negative impact on an objective

Controls | Currently existing processes, policy, procedures or other actions that act to minimise negative risks and/or enhance opportunities

Inherent Risk | Initial assessment of the consequence and likelihood of a risk. Does not take into account the impact of existing controls.

Likelihood | The chance of something happening. May be defined, measured or determined objectively or subjectively and described verbally or mathematically.

Operational risks | Risks associated with day-to-day operational performance (eg staff safety or availability, mechanical or technological risks, most corruption risks, etc)

Project risks | Risks which may significantly affect the likelihood of a project’s being completed to planned time, quality and/or budget.

Residual risk | The consequence and likelihood of a risk when existing controls are taken into account.

Risk | The effect of uncertainty on an agency’s objectives

Risk assessment | The overall process of identifying, analysing and evaluating risks and their controls. May involve qualitative or quantitative assessment.

Risk management | The culture, processes, coordinated activities and structures that are directed to realising potential opportunities or managing adverse effects. It includes communicating, consulting, establishing context, identifying, analysing, evaluating, treating, monitoring and reviewing risks.

Risk management plan | A plan which takes the Risk Register further, considering Treasury’s appetite for the risk, any gaps between existing controls and appetite, and proposing treatments for any remaining risks, which are assigned to owners, given deadlines and monitored. In Treasury, at cluster level, there is one document which is the Risk Register and Management Plan.

Risk owner | Person or entity with the accountability for a specified risk. In Treasury, the Secretary is ultimately the owner of all risks.

Risk register | Document recording each risk identified, its rating and existing controls.

Risk treatment | Actions planned and undertaken to deal with any gaps between existing controls and the agreed appetite for the risk.

Strategic risks | Internally or externally generated forces that may have a significant impact on the achievement of strategic objectives.
