137813064.xls.ms_office

RISK MANAGEMENT FRAMEWORK CHECKLIST

Key: each requirement is mapped to a risk process step (Section), rated Essential (E) or Advanced (A), and checked as In Place (Yes/No).

DEVELOPING A RISK MANAGEMENT FRAMEWORK

1. [Communicate and Consult] Has the board and executive expressed their support for a risk management programme?
2. [Establish the Context] Have you identified a person who will be responsible for implementing risk management?
3. [Establish the Context] Does the risk manager, or equivalent, have reasonable access to staff and management across the organisation?
4. [Establish the Context] Have you defined categories of risk relevant to your organisation and industry?
5. [Establish the Context] Do your risk categories reflect all operational risk areas of the business as well as more strategic risk categories?
6. [Establish the Context] Is there a clear organisational strategy (or objectives) articulated for the organisation?
7. [Establish the Context] Have you defined and agreed a likelihood scale to assess the potential for the risk to occur throughout the organisation?
8. [Establish the Context] Have you defined and agreed a consequence scale to help assess risk impacts across the organisation?
9. [Establish the Context] Does the organisation's consequence scale describe both financial and non-financial impacts?
10. [Establish the Context] Does the risk management framework consider the effectiveness of controls or risk treatments?
11. [Establish the Context] Is there an agreed template or format for recording risks and risk treatment information (a risk register)?
12. [Establish the Context] Has a risk policy been defined?
13. [Establish the Context] Does the organisation have a documented risk management strategy?
14. [Communicate and Consult] Has the risk committee (or equivalent) and the board reviewed and approved the risk policy/strategy?
15. [Establish the Context] Do job descriptions of key stakeholders include responsibilities for risk management?
16. [Establish the Context] Is a formal project management methodology used to manage projects?
17. Is a mechanism in place to identify, assess, record and monitor risks on projects?
18. Has the organisation agreed what types and levels of risk are unacceptable?
19. [Establish the Context] Is there an agreed format/template for reporting on risk?
20. [Establish the Context] Is there a process and/or template where new risks can be recorded by the executive and staff?

IMPLEMENTING A RISK MANAGEMENT FRAMEWORK

21. [Communicate and Consult] Is risk management or awareness training provided to all staff?
22. [Communicate and Consult] Does the risk manager (or equivalent) have access to the CEO, board and Audit/Risk Committee when required?
23. [Communicate and Consult] Do staff know that they have a right and responsibility to assist in risk identification and escalation?
24. [Communicate and Consult] Do staff know who to report/escalate risks to?
25. [Communicate and Consult] Do managers or supervisors know that they are responsible for managing risk in their area/s of responsibility?
26. [Communicate and Consult] Have the executive and the board provided guidance on what information they would like to see in risk reports?
27. [Communicate and Consult] Is there agreement on when and how often risk reports will be produced?
28. [Communicate and Consult] Have the recipients of risk reports been identified and agreed?
29. [Communicate and Consult] Can different risk reports be produced to meet different needs of stakeholder groups?
30. Has responsibility for managing/treating specific risks been assigned and communicated to those responsible?
31. Are staff encouraged or incentivised to report risk or suggest risk reduction strategies?
32. Has a risk brainstorming workshop (or workshops) been conducted?
33. Have you considered the history of events and incidents in your organisation during the risk assessment process?
34. Has research been performed to understand common risks in the industry?
35. [Risk Assessment] Has the executive and board considered risks relating to the achievement of key organisational goals and objectives?
36. [Risk Assessment] Are risks identified during compliance reviews/audits always added to the risk register?
37. Have existing controls been identified for risks during the risk assessment process?
38. Has the perceived effectiveness of controls been assessed by a person who understands the risk and the controls in place?
39. Does the risk register record the job title of the person responsible for overseeing the risk treatment and monitoring process (the 'risk owner' or 'risk champion')?
40. Have you identified possible actions/treatment plans that could help to reduce the risk level?
41. Have the benefits of a treatment approach been compared to the potential cost of the risk to determine the appropriateness of the treatment strategy?
42. [Treat Risks] Have risk treatment or action plans been documented and approved for important risks?
43. [Treat Risks] Have due dates/completion dates been agreed for risk treatment actions and plans?
44. [Treat Risks] Is there a clear understanding of who will oversee the risk treatment selection and execution process?
45. [Treat Risks] Have key risk indicators (KRIs) been defined and agreed for key risks/risk areas?
46. [Treat Risks] Are the organisation's physical assets appropriately insured?
47. [Treat Risks] Is a business continuity plan (BCP) in place for critical organisational functions/processes?
48. [Risk Assessment] Has the risk register been updated in the last year?
49. [Risk Assessment] Is the risk register updated throughout the year to reflect changes in risk and emerging risks?
50. [Monitor and Review] Does your risk process follow the steps described in the AS/NZS 4360:2004 Standard?
51. [Monitor and Review] Does the Internal Audit function or equivalent review risk management processes?
52. [Monitor and Review] Is an Internal Audit function/process in place?
53. Do your internal auditors focus their time and effort on the most critical risks recorded in the risk register?
54. Does the organisation track changes in risk levels over time in order to understand trends/changes in risk levels?
55. [Monitor and Review] Has the risk policy been reviewed and approved in the last year?
56. [Monitor and Review] Has the board and/or risk management committee (or equivalent) made an attestation in the annual report in accordance with the Victorian Government Risk Management Framework (if applicable)?
57. [Monitor and Review] Is the risk process integrated with other organisational planning processes, for example is risk considered during the strategic planning, budgeting and audit planning processes?