
137813064.xls.ms_office

DEVELOPING A RISK MANAGEMENT FRAMEWORK

| # | SECTION | REQUIREMENT | ESSENTIAL (E)/ADVANCED (A) | IN PLACE (Yes/No) |
|---|---|---|---|---|
| 1 | Communicate and Consult | Have the board and executive expressed their support for a risk management programme? | E | |
| 2 | Establish the Context | Have you identified a person who will be responsible for implementing risk management? | E | |
| 3 | Establish the Context | Does the risk manager, or equivalent, have reasonable access to staff and management across the organisation? | E | |
| 4 | Establish the Context | Have you defined categories of risk relevant to your organisation and industry? | E | |
| 5 | Establish the Context | Do your risk categories reflect all operational risk areas of the business as well as more strategic risk categories? | E | |
| 6 | Establish the Context | Is there a clear organisational strategy (or objectives) articulated for the organisation? | A | |
| 7 | Establish the Context | Have you defined and agreed a likelihood scale to assess the potential for the risk to occur throughout the organisation? | E | |
| 8 | Establish the Context | Have you defined and agreed a consequence scale to help assess risk impacts across the organisation? | E | |
| 9 | Establish the Context | Does the organisation's consequence scale describe both financial and non-financial impacts? | E | |
| 10 | Establish the Context | Does the risk management framework consider the effectiveness of controls or risk treatments? | E | |
| 11 | Establish the Context | Is there an agreed template or format for recording risks and risk treatment information (a risk register)? | E | |
| 12 | Establish the Context | Has a risk policy been defined? | E | |
| 13 | Establish the Context | Does the organisation have a documented risk management strategy? | A | |
| 14 | Communicate and Consult | Have the risk committee (or equivalent) and the board reviewed and approved the risk policy/strategy? | E | |
| 15 | Establish the Context | Do job descriptions of key stakeholders include responsibilities for risk management? | E | |
| 16 | Establish the Context | Is a formal project management methodology used to manage projects? | A | |
| 17 | Establish the Context | Is a mechanism in place to identify, assess, record and monitor risks on projects? | A | |
| 18 | Establish the Context | Has the organisation agreed what types and levels of risk are unacceptable? | E | |


| # | SECTION | REQUIREMENT | IN PLACE (Yes/No) |
|---|---|---|---|
| 19 | Establish the Context | Is there an agreed format/template for reporting on risk? | |
| 20 | Establish the Context | Is there a process and/or template where new risks can be recorded by the executive and staff? | |

IMPLEMENTING A RISK MANAGEMENT FRAMEWORK

| # | SECTION | REQUIREMENT | IN PLACE (Yes/No) |
|---|---|---|---|
| 21 | Communicate and Consult | Is risk management or awareness training provided to all staff? | |
| 22 | Communicate and Consult | Does the risk manager (or equivalent) have access to the CEO, board and Audit/Risk Committee when required? | |
| 23 | Communicate and Consult | Do staff know that they have a right and responsibility to assist in risk identification and escalation? | |
| 24 | Communicate and Consult | Do staff know who to report/escalate risks to? | |
| 25 | Communicate and Consult | Do managers or supervisors know that they are responsible for managing risk in their area/s of responsibility? | |
| 26 | Communicate and Consult | Have the executive and the board provided guidance on what information they would like to see in risk reports? | |
| 27 | Communicate and Consult | Is there agreement on when and how often risk reports will be produced? | |
| 28 | Communicate and Consult | Have the recipients of risk reports been identified and agreed? | |
| 29 | Communicate and Consult | Can different risk reports be produced to meet different needs of stakeholder groups? | |
| 30 | Communicate and Consult | Has responsibility for managing/treating specific risks been assigned and communicated to those responsible? | |
| 31 | Communicate and Consult | Are staff encouraged or incentivised to report risk or suggest risk reduction strategies? | |
| 32 | Risk Assessment | Has a risk brainstorming workshop (or workshops) been conducted? | |
| 33 | Risk Assessment | Have you considered the history of events and incidents in your organisation during the risk assessment process? | |
| 34 | Risk Assessment | Has research been performed to understand common risks in the industry? | |

ESSENTIAL (E)/ADVANCED (A): E E E E E E E E A E A E A


| # | SECTION | REQUIREMENT | IN PLACE (Yes/No) |
|---|---|---|---|
| 35 | Risk Assessment | Have the executive and board considered risks relating to the achievement of key organisational goals and objectives? | |
| 36 | Risk Assessment | Are risks identified during compliance reviews/audits always added to the risk register? | |
| 37 | Risk Assessment | Have existing controls been identified for risks during the risk assessment process? | |
| 38 | Risk Assessment | Has the perceived effectiveness of controls been assessed by a person who understands the risk and the controls in place? | |
| 39 | Treat Risks | Does the risk register record the job title of the person responsible for overseeing the risk treatment and monitoring process (the 'risk owner' or 'risk champion')? | |
| 40 | Treat Risks | Have you identified possible actions/treatment plans that could help to reduce the risk level? | |
| 41 | Treat Risks | Have the benefits of a treatment approach been compared to the potential cost of the risk to determine the appropriateness of the treatment strategy? | |
| 42 | Treat Risks | Have risk treatment or action plans been documented and approved for important risks? | |
| 43 | Treat Risks | Have due dates/completion dates been agreed for risk treatment actions and plans? | |
| 44 | Treat Risks | Is there a clear understanding of who will oversee the risk treatment selection and execution process? | |
| 45 | Treat Risks | Have key risk indicators (KRIs) been defined and agreed for key risks/risk areas? | |
| 46 | Treat Risks | Are the organisation's physical assets appropriately insured? | |
| 47 | Treat Risks | Is a business continuity plan (BCP) in place for critical organisational functions/processes? | |
| 48 | Risk Assessment | Has the risk register been updated in the last year? | |
| 49 | Risk Assessment | Is the risk register updated throughout the year to reflect changes in risk and emerging risks? | |

MONITORING AND REVIEW/ENHANCEMENT OF A RISK MANAGEMENT FRAMEWORK

| # | SECTION | REQUIREMENT | IN PLACE (Yes/No) |
|---|---|---|---|
| 50 | Monitor and Review | Does your risk process follow the steps described in the AS/NZS 4360:2004 Standard? | |
| 51 | Monitor and Review | Does the Internal Audit function or equivalent review risk management processes? | |

ESSENTIAL (E)/ADVANCED (A): A E E E E A E E E A E A E A E A


| # | SECTION | REQUIREMENT | IN PLACE (Yes/No) |
|---|---|---|---|
| 52 | Monitor and Review | Is an Internal Audit function/process in place? | |
| 53 | Monitor and Review | Do your internal auditors focus their time and effort on the most critical risks recorded in the risk register? | |
| 54 | Monitor and Review | Does the organisation track changes in risk levels over time in order to understand trends/changes in risk levels? | |
| 55 | Monitor and Review | Has the risk policy been reviewed and approved in the last year? | |
| 56 | Monitor and Review | Has the board and/or risk management committee (or equivalent) made an attestation in the annual report in accordance with the Victorian Government Risk Management Framework (if applicable)? | |
| 57 | Monitor and Review | Is the risk process integrated with other organisational planning processes - for example, is risk considered during the strategic planning, budgeting and audit planning processes? | |

ESSENTIAL (E)/ADVANCED (A): E A E E
