
Risk Assessment & Management Plan

Risk Management PRINCIPLES


Risk Management should:
1 create value – resources expended to mitigate risk should be less than the consequence of inaction
2 be an integral part of organizational processes
3 be part of decision making
4 explicitly address uncertainty and assumptions
5 be systematic, structured and timely
6 be based on the best available information
7 be tailorable
8 take human and cultural factors into account
9 be transparent and inclusive
10 be dynamic, iterative and responsive to change
11 facilitate continual improvement and enhancement of the organization
12 be continually or periodically re-assessed

Navigation of this tool

1 Identify Risks
2 Evaluate Risks
3 Treat (Manage/Action) Risks
4 Monitor (Review) Risks
5 Report on Risks
6 View/Update Validation Rules

Risk Management BENEFITS

1 Increase the likelihood of achieving objectives;
2 Encourage proactive management;
3 Be aware of the need to identify and treat risk throughout the organization;
4 Improve the identification of opportunities and threats;
5 Achieve compatible risk management practices between organisations and nations;
6 Comply with relevant legal and regulatory requirements and international norms;
7 Improve governance;
8 Improve stakeholder confidence and trust;
9 Establish a reliable basis for decision making and planning;
10 Improve controls;
11 Effectively allocate and use resources for risk treatment;
12 Improve operational effectiveness and efficiency;
13 Enhance health & safety performance and environmental protection;
14 Improve loss prevention and incident management;
15 Minimize losses;
16 Improve organizational learning; and
17 Improve organizational resilience.

Author: Sean Chamberlin
http://www.linkedin.com/in/seanchamberlin

Risk Management PROCESS

Establishing the Context
Risk Assessment
  Risk Identification
  Risk Analysis
  Risk Evaluation
Risk Treatment
Communication & Consultation
Monitoring & Review

Risk Management Further Information

LinkedIn Group 'ISO 31000 Risk Management Standard'
http://www.linkedin.com/groups/ISO-31000-Risk-Management-Standard-1834592?trk=my_groups-b-grp-v
International Organisation for Standardization
http://www.iso.org/iso/home/standards/iso31000.htm
Standards Australia Risk Management Principles & Guidelines
http://sherq.org/31000.pdf
Concise Guide to Treasury Risk Management
http://www.charteredaccountants.com.au/Industry-Topics/Audit-and-assurance/Current-issues/Audit-Committee-Guides/Audit-Committee-Guides/Treasury-Management-Guide.aspx
Risk Assessment & Management Plan (risk register template)

The register has one row per risk, numbered 1 to 40. Row 1 is filled in as a worked example, rows 2 to 10 carry the placeholder names "Risk 2" to "Risk 10", and rows 11 to 40 are empty. Each row carries the columns below, grouped by the stage of the process they belong to.

IDENTIFY
# – risk number
Risk
Source of the Risk – thing with potential to harm or assist
What can happen – consequences
How can it happen – cause for hazard to occur
When & Where could the Risk occur
Business Goals/Objectives impacted by Risk
Assumptions & key variables used to assess risk
Business Process Category – values appearing in the sheet: Strategic, Environmental
Link to Document
Document Type – Strategic Plan, Business Continuity Plan, OH&S Policies & Procedures, Other
Existing Controls

EVALUATION
Assessment of Existing Controls
Opportunities for Improvement
Cost of Consequence (if known)
Consequence – values appearing in the sheet: Negligible, Minor, Moderate, Major
Likelihood – values appearing in the sheet: Rare, Unlikely, Possible, Likely, Almost Certain
Risk Priority – values appearing in the sheet: Low, Medium, High, V High

Consequence, likelihood and priority as entered for rows 1 to 10:
#    Consequence   Likelihood       Risk Priority
1    Major         Possible         High
2    Major         Almost Certain   V High
3    Moderate      Likely           High
4    Moderate      Possible         Medium
5    Minor         Possible         Medium
6    Minor         Possible         Medium
7    Minor         Unlikely         Low
8    Minor         Unlikely         Low
9    Negligible    Rare             Low
10   Negligible    Rare             Low

TREATMENT / ACTION PLAN
Treatment # – same as the risk number
Possible Treatment Options
Result of Cost/Benefit
Action
Action Type – eg. Reduce Likelihood (P&P, Training)
Responsibility
By When
Residual Risk Rating

MONITORING / ONGOING REVIEWS
Key Risk Indicators
Reporting/Monitoring
Last Reviewed
Review Frequency (# Months)
Next Review Due
Responsibility

Worked example (row 1 of the sheet):
Risk – loss of relevance of products to customer base
Source of the Risk – changing market needs & sentiment
Business Process Category – Strategic
Document Type – Strategic Plan
Existing Controls – annual review of plans
Consequence / Likelihood / Risk Priority – Major / Possible / High
Treatment / Action – Google Analytics daily review
Action Type – Reduce Likelihood (eg. P&P, Training)
Responsibility – Marketing rep; By When – 01-Jan-15; Residual Risk Rating – Adequate
Key Risk Indicator – Google searching for our product description falling
Reporting/Monitoring – Weekly line graph of total searches for our products
Last Reviewed – 01-Mar-14; Review Frequency – 12 months; Next Review Due – 01-Mar-15; Responsibility – Marketing
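The evaluation and monitoring columns of the template can be scripted so that the priority and the next review date are derived rather than typed. The Python below is an added illustration, not part of the spreadsheet: it reproduces the ten consequence/likelihood/priority rows the sheet records and the row-1 review dates (last reviewed 01-Mar-14, reviewed every 12 months, next due 01-Mar-15). The product-of-ranks scoring and its thresholds are an assumption introduced here to fill in the combinations the sheet does not list, and the names `risk_priority`, `RiskRow`, `rank_register` and `next_review_due` are the example's own.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# Ordinal scales using exactly the values that appear in the sheet
# (1 = least severe consequence / least likely).
CONSEQUENCE = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
PRIORITY_ORDER = {"V High": 0, "High": 1, "Medium": 2, "Low": 3}


def risk_priority(consequence: str, likelihood: str) -> str:
    """Map a consequence/likelihood pair onto the sheet's priority bands.

    ASSUMPTION: the band is derived from the product of the two ranks, with
    thresholds chosen so that every combination the sheet lists is reproduced
    (Major/Possible -> High, Moderate/Possible -> Medium, Minor/Unlikely -> Low,
    Negligible/Rare -> Low, ...). Combinations the sheet does not list are an
    extrapolation of that rule, not something the sheet states.
    """
    score = CONSEQUENCE[consequence] * LIKELIHOOD[likelihood]
    if score >= 16:
        return "V High"
    if score >= 12:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass
class RiskRow:
    number: int
    risk: str
    consequence: str
    likelihood: str

    @property
    def priority(self) -> str:
        return risk_priority(self.consequence, self.likelihood)


def rank_register(rows: list[RiskRow]) -> list[RiskRow]:
    """Order rows highest priority first; ties keep their sheet order."""
    return sorted(rows, key=lambda r: (PRIORITY_ORDER[r.priority], r.number))


def next_review_due(last_reviewed: date, frequency_months: int) -> date:
    """Add the review frequency in whole months to the last review date,
    clamping the day to the length of the target month (31 Jan + 1 month
    lands on the last day of February instead of raising ValueError)."""
    month_index = last_reviewed.month - 1 + frequency_months
    year = last_reviewed.year + month_index // 12
    month = month_index % 12 + 1
    day = min(last_reviewed.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_review_due_iso(last_reviewed: str, frequency_months: int) -> str:
    """Same calculation on ISO date strings (YYYY-MM-DD in, YYYY-MM-DD out)."""
    return next_review_due(date.fromisoformat(last_reviewed), frequency_months).isoformat()


# Constructed register: row 1 is the sheet's worked example; rows 2-10 use
# the sheet's placeholder names with the consequence/likelihood it records.
REGISTER = [
    RiskRow(1, "loss of relevance of products to customer base", "Major", "Possible"),
    RiskRow(2, "Risk 2", "Major", "Almost Certain"),
    RiskRow(3, "Risk 3", "Moderate", "Likely"),
    RiskRow(4, "Risk 4", "Moderate", "Possible"),
    RiskRow(5, "Risk 5", "Minor", "Possible"),
    RiskRow(6, "Risk 6", "Minor", "Possible"),
    RiskRow(7, "Risk 7", "Minor", "Unlikely"),
    RiskRow(8, "Risk 8", "Minor", "Unlikely"),
    RiskRow(9, "Risk 9", "Negligible", "Rare"),
    RiskRow(10, "Risk 10", "Negligible", "Rare"),
]


def sheet_priorities() -> list[str]:
    """Priority column as computed for rows 1-10 of the constructed register."""
    return [row.priority for row in REGISTER]


if __name__ == "__main__":
    for row in rank_register(REGISTER):
        print(f"{row.number:2d}  {row.priority:6s}  {row.risk}")
    # Row 1 monitoring: last reviewed 01-Mar-14, review frequency 12 months.
    print("next review due:", next_review_due_iso("2014-03-01", 12))
```

Run as a script it prints the register with row 2 (Major / Almost Certain, V High) ahead of row 1 and a next review date of 2015-03-01. The day clamp in `next_review_due` is the one edge case worth keeping when this moves into a real register: a review frequency added to a 31st would otherwise fail for every shorter month.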
Top Risks by Category/Industry

Each category below has its own list of common risks:

Board level risks
Insurance Industry top 10 risks
Manufacturing Industry risks
Small Business risks
Procurement process risks, consequences & related actions
Treasury
Project Risks
OHS (Health & Safety)

Board Legal Responsibilities (and therefore may represent risks)


Fiduciary Duty (common law) – act in good faith for the benefit of, or in the interests of, the organisation

Duty to Act in Good Faith (sect 181 of Corporations Act) – A director must exercise their power in good faith
in the best interests of the corporation & for a proper purpose

Do Not Misuse Information or Position of Director - The law prohibits Board members from using their
position to gain an advantage for themselves or another, or to cause detriment to the entity they are governing

Do Not Abuse an Opportunity – if you become aware of an opportunity as a result of your position on a
board then you should not take up that opportunity for personal benefit at the expense of the organisation

Duty to Act with Care & Diligence - Board members must exercise their powers and discharge their duties
with the care and diligence of a "reasonable person" in their position. Board members with a high level of
expertise will attract a higher standard of care than other members.
Avoid Conflict of Interest
Avoid Insolvent Trading
Avoid Fraud
Avoid Negligence
Tax – tax legislation including any obligations required for charitable income tax exempt status and/or
deductible gift recipient status (if applicable).
Conditions of funding – contractual obligations that exist to any funding bodies.
Occupational health and safety – must provide a safe workplace for employees, subcontractors, volunteers
and a range of others. For example training on fire evacuation procedures, electrical safety, first aid, no
smoking in workplace, etc.
Industry-specific – for example child care and safety in schools.
Organisation Constitutional compliance – for example rights of members, appointments to the board & their
tenure, etc.
Privacy – important to understand what data is considered to be private as this is subject to tight regulatory
controls as to its use, accessibility, accuracy & storage
Information Security
Environmental Sustainability such as EPA compliance
HR – for example pay rates, superannuation contribution amounts & frequency, Sick Leave, Overtime, Hiring
& Firing procedures
Trade Practices Act – for example misleading & deceptive conduct, Third Line Forcing, etc
Anti-Discrimination
Contracts Law
Defamation
Fund Raising
Manufacturing Industry
Are substances used in particular tasks suitable for the tasks?
Is there a register of hazardous substances, and an inventory of chemicals purchased or produced and material safety data sheet
(MSDS) for each substance?
Are hazardous substance containers adequately labelled?
Are hazardous substances stored according to respective MSDS?
Is plant and equipment suitable for the required tasks?
Are all moving parts of plant and equipment guarded to prevent contact with people and property to minimise the risk of injuries
and damage, such as crushing, stabbing, cutting, puncturing, shearing, and tearing?
Are there systems in place to prevent injury from fragmentation of or flying particles from plant and equipment?
Are there systems in place to prevent injury from falling plant and equipment?
Are there systems in place to prevent injury from performing a task with plant and equipment in a confined space?
Are there systems in place to prevent injury from inadvertent movement of plant and equipment?
Are there systems in place to prevent injury from 'stored energy' in plant and equipment, for example compressed air or hydraulic
pressure after turning off plant?
Are there systems in place to prevent injury resulting from failure of plant and equipment due to the loss of contents, loss of load,
unintended ejection of product, explosion, fragmentation or collapse of parts?
Does plant and equipment have adequate power isolation, noise insulation, ventilation and fume extraction?
Is the noise level of plant, equipment and the surrounding environment within the legislated noise level set down for your particular
workplace?

For people using vibrating hand-held equipment or operating vibrating controls (chain saws, sewing machines, grinders, pneumatic
drills, and so on) are exposure levels within values recommended by Australian Standard AS2763?

For drivers of vehicles and tractors, and helicopter and airplane pilots, are the vibration exposure levels within values recommended
by Australian Standard AS2670?
For operators of vibrating platforms on manufacturing/construction sites, are exposure levels within values as per Australian
Standard AS2670?
Are occupational exposures to Ionising radiation, such as X-rays, and gamma-rays equipment, within limits set by WorkSafe
Australia Network Health and Medical Research Council (National Standard Recommendations for limiting exposure to ionising
radiation)?
Is plant and equipment that generates UV radiation, such as photocopiers, lasers, UV cured inks in the printing industry, and
welding emissions enclosed?
Are radio frequency exposure levels from TV/FM radios transmitters, radio, microwaves, plastic moulders, induction heaters and so
on kept as low as practically possible?
Are outdoor workers provided with personal protective equipment and work systems as per WorkSafe Australia - guidance note on
the protection of workers from UV radiation in sunlight?
Are tasks performed at temperatures between 16°C and 24°C for sedentary work, 4°C and 24°C for light work and -7°C and 24°C
for moderately heavy work?
Are tasks performed for more than 2 hours done so at humidity levels between 40% to 60%?
Is electrical wiring installed according to Australian Standard AS 3900?
Are electrical fixtures provided with adequate earthing or other residual current devices?
Are any signs of damage to either cable isolation or other electrical fixtures rectified?
Are there identified colour coded cable labelled isolators to all switchboards?
Are employees prevented from performing tasks in metal enclosures or damp places using electrical tools?
Is there a regular inspection of portable cords and extension leads?
Are 'Danger' tags used by electricians when working on plant?

Does electrical equipment comply with Australian Standard AS3100 - General Requirements For Electrical Equipment?

Is adequate lighting provided according to Australian Standard AS1680 – lighting levels for different types of work?
Is employees' eyesight assessed every two years to determine their ability to continue performing their tasks?
Are hazardous conditions that are likely to arise during the use of plant and equipment as a result of friction, fire, explosion,
moisture, vapour, gases, dust and ice controlled?
Are access and egress arrangements for doorways, passageways, stairs, gangways and so on clear of obstructions, well lit, free of
slip hazards and secure?
Has lifting, carrying, pushing, and pulling been eliminated from all tasks?
Has frequent bending, twisting and stretching been eliminated from all tasks?
Has lifting of awkward loads been eliminated from all tasks?
Has repetitive work using awkward or constrained postures been eliminated from all tasks?
Have slip, trip and fall hazards been eliminated?
Are all walkways free of obstructions?
Are floors undamaged?
Are ladders checked regularly for any damage?
Are stairways well lit and properly maintained?
Are work stations and benches adjusted to suit the physical dimensions of workers?

Are safety devices and emergency back-up arrangements of plant equipment and systems suitable for the tasks being performed?

Are plant, equipment, building areas and fixtures maintained and repaired?
Are environmental conditions and terrain suitable for the plant and substances that are used?
Are hazardous elements, such as electricity, water and incompatible chemicals, segregated?
Are systems in place to address conflict between staff?
Are systems in place to address poor job satisfaction?
Are systems in place to address low job security?
Have poor work conditions, such as noise, dust, lack of ventilation and so on been eliminated?
Are visitors to the workplace provided with relevant safety information and are they supervised?
Are the current work systems appropriate, for example, whether more or fewer people should be involved and whether work
procedures need to be revised?
Do workers hold the required competency requirements, such as licensing, certification and apprenticeships?
Is training and supervision provided to meet the needs of each individual worker?

Insurance Industry
Climate change
Demographic shifts in core markets
Catastrophic events
Emerging markets
Regulatory intervention
Channel distribution
Integration of technology with operations and strategy
Securities markets
Legal risk
Geopolitical or macroeconomic shocks

Small Business
Financial – includes cash flow, budgetary requirements, tax obligations, creditor and debtor management, remuneration and other general account management concerns.
Equipment – extends to equipment used to conduct the business and includes everyday use, maintenance, depreciation, theft, safety and upgrades.
Organisational – relates to the internal requirements of a business, extending to the cultural, structural and human resources of the business.
Security – includes the business premises, assets and people. Also extends to security of company information, intellectual property, and technology.
Legal & regulatory compliance – includes legislation, regulations, standards, codes of practice and contractual requirements. Also extends to compliance with additional ‘rules’ such as policies, procedures or expectations, which may be set by contracts, customers or the social environment.
Reputation – entails the threat to the reputation of the business due to the conduct of the entity as a whole, the viability of products/services, or the conduct of employees or others associated with the business.
Operational – covers the planning, daily operational activities, resources (including people) and support required within a business that results in the successful development and delivery of products/services.
Contractual – meeting obligations required in a contract including delivery, product/service quality, guarantees/warranties, insurance and other statutory requirements, non-performance.
Service delivery – relates to the delivery of services, including the quality of service provided, or the manner in which a product is delivered. Includes customer interaction and after-sales service.
Commercial – includes risks associated with market placement, business growth, product development, diversification and commercial success. Also the commercial viability of products/services, extending through establishment, retention, growth of a customer base and return.
Project – includes the management of equipment, finances, resources, technology, timeframes and people involved in the management of projects. Extends to internal operational projects, business development and external projects such as those undertaken for clients.
Safety – including everyone associated with the business: individual, workplace and public safety. Also applies to the safety of products/services delivered by the business.
Stakeholder management – includes identifying, establishing and maintaining the right relationships with both internal and external stakeholders.
Client-customer relationship – potential loss of clients due to internal and external factors.
Strategic – includes the planning, scoping, resourcing and growth of the business.
Technology – includes the implementation, management, maintenance and upgrades associated with technology. Extends to recognising critical IT infrastructure and loss of a particular service/function for an extended period of time. It further takes into account the need and cost benefit associated with technology as part of a business development strategy.

Treasury

Market Risk
(the movement in value due to a change in price, creating a positive or negative value for the organisation)

Credit Risk
(the risk that your counter party defaults before or on settlement date)

Liquidity Risk
(risk of not being able to deal in a market due to lack of liquidity, and funding risk, which is not having
adequate funds in place when they are needed)

Operational Risk
(loss due to failure of people, processes and systems, or an external event such
as fire, fraud, flood, earthquake or other natural phenomenon)

Project Risks

Executive Support
Cost Management
Change Management
Stakeholders
Communication
Resources & Team
Architecture
Design
Technical
Integration
Requirements
Decisions & Issue Resolution
Procurement
Authority
Approvals & Red Tape
Organizational
External
Project Management
User Acceptance
Commercial

Procurement - common risks & management approaches

Risk Category
Planning
Developing the specification
Selecting the purchasing method
Purchasing documentation
Inviting, clarifying and closing offers
Evaluating offers
Selecting the successful tenderer
Negotiations
Contract management
Evaluating the procurement process
Disposals

OH&S (Health & Safety)

Risk Category
Mechanical hazards
Chemical and biological hazards
Sources of energy
Body stressing or impact hazards
Gravity
Psychological
Treasury – review questions
Are risks identified as early as possible to ensure adequate steps are taken to handle the exposure in a timely manner?
Do risk measurement methodologies measure the risks adequately and in a timely manner?
Are potential stress tests and ‘what if’ analyses undertaken monthly (eg. measuring sensitivity of exposure to market risk (VAR) and scenario analysis)?
Is there a suitable mix of floating and fixed interest rates?
What is the foreign exchange risk hedging policy?
What percentage of foreign exchange is hedged?
Is the audit committee informed of any breaches of market risk policy or limits?
Is there adequate capacity to measure credit exposure?
Does the organisation have a process for handling and valuing collateral received or paid?
Does the organisation have settlement limits?
What reliance is placed on credit ratings provided by a credit rating agency?
Is credit risk appropriately managed?
Is the audit committee informed of any breaches of credit or settlement limits immediately?
What processes are in place to determine credit limits?
What processes are in place to measure liquidity risk?
What impact do financial instruments have on cash flow?
Are appropriate cash limits in place?
Are secured funding lines in place?
What level of security do these funding lines have?
Is close contact kept with funders, shareholders and bankers?
Are there diversified sources of funds?
Is there a spread of products and maturities so that maturities do not build up?
Is there liquidity in all the various financial instruments eg. any exotic or structure products?
What stress scenarios are run and are they stressful enough?
Is the audit committee informed of liquidity stress issues in a timely manner?
Are all staff who are responsible for monitoring derivative transactions well trained and qualified?
What is the culture of staff and management toward risk and controls?
Have staff adequate expertise for the roles that they perform?
Are bonuses paid based on the results of any risk management or treasury activities?
Is there an independent system for calculating and reporting to calculate and report results?
Are treasury operations handled by internal staff with the appropriate treasury skills?
Are front and back office systems adequate and appropriately segregated to ensure the completeness and accuracy of processing, settlement and verification of the
Are valuation and spreadsheet models independently reviewed?
Are all back office staff adequately trained and do they understand the products used?
Are the organisation’s systems capable of producing adequate disclosure information for users of the financial statements?
Are accounting results routinely calculated and regularly reported?
Do the external auditors have a clear understanding of their role in verifying the financial transactions?
Are the policies and procedures reviewed at least annually?

Project Risks – common risks (numbered as in the source, listed in the order of the Project Risks categories above)

1. Executives fail to support project
2. Executives become disengaged with project
3. Conflict between executive stakeholders disrupts project
4. Executive turnover disrupts project
5. Scope is ill defined
6. Scope creep inflates scope
7. Gold plating inflates scope
8. Estimates are inaccurate
9. Dependencies are inaccurate
10. Activities are missing from scope
11. Cost forecasts are inaccurate
12. Exchange rate variability
13. Change management overload
14. Stakeholder conflict over proposed changes
15. Perceptions that a project failed because of changes
16. Lack of a change management system
17. Lack of a change management process
18. Lack of a change control board
19. Inaccurate change priorities
20. Low quality of change requests
21. Change request conflicts with requirements
22. Stakeholders become disengaged
23. Stakeholders have inaccurate expectations
24. Stakeholder turnover
25. Stakeholders fail to support project
26. Stakeholder conflict
27. Process inputs are low quality
28. Project team misunderstand requirements
29. Communication overhead
30. Under communication
31. Users have inaccurate expectations
32. Impacted individuals aren't kept informed
33. Resource shortfalls
34. Learning curves lead to delays and cost overrun
35. Training isn't available
36. Training is inadequate
37. Resources are inexperienced
38. Resource performance issues
39. Team members with negative attitudes towards the project
40. Resource turnover
41. Low team motivation
42. Lack of commitment from functional managers
43. Architecture fails to pass governance processes
44. Architecture lacks flexibility
45. Architecture is not fit for purpose
46. Architecture is infeasible
47. Design is infeasible
48. Design lacks flexibility
49. Design is not fit for purpose
50. Design fails peer review
51. Technology components aren't fit for purpose
52. Technology components aren't scalable
53. Technology components aren't interoperable
54. Technology components aren't compliant with standards and best practices
55. Technology components have security vulnerabilities
56. Technology components are over-engineered
57. Technology components lack stability
58. Technology components aren't extensible
59. Technology components aren't reliable
60. Information security incidents
61. System outages
62. Legacy components lack documentation
63. Legacy components are out of support
64. Components or products aren't maintainable
65. Components or products can't be operationalized
66. Project management tool problems & issues
67. Delays to required infrastructure
68. Failure to integrate with business processes
69. Failure to integrate with systems
70. Integration testing environments aren't available
71. Failure to integrate with the organization
72. Failure to integrate components
73. Project disrupts operations
74. Project disrupts sales
75. Project disrupts compliance
76. Requirements fail to align with strategy
77. Requirements fail to align with business processes
78. Requirements fail to align with systems
79. Requirements have compliance issues
80. Requirements are ambiguous
81. Requirements are low quality
82. Requirements are incomplete
83. Decision delays impact project
84. Decisions are ambiguous
85. Decisions are low quality
86. Decisions are incomplete
87. No response to RFP
88. Low quality responses to RFP
89. Failure to negotiate a reasonable price for contracts
90. Unacceptable contract terms
91. Conflict with vendor leads to project issues
92. Conflict between vendors leads to project issues
93. Vendors start late
94. Vendor components fail to meet requirements
95. Vendor components are low quality
96. Infrastructure is low quality
97. Service quality is low
98. Vendor components introduce third party liability
99. Loss of intellectual property
100. Project team lack authority to complete work
101. Authority is unclear
102. Delays to stakeholder approvals impact the project
103. Delays to financial approvals impact the project
104. Delays to procurement processes impact the project
105. Delays to recruiting processes impact the project
106. Delays to training impact the project
107. The project fails to match the organization's culture
108. An organizational restructuring throws the project into chaos
109. A merger or acquisition disrupts the project
110. Legal & regulatory change impacts project
111. Force Majeure (e.g. act of nature) impacts project
112. Market forces impact project
113. Technical change impacts project
114. Business change impacts project
115. Failure to follow methodology
116. Lack of management or control
117. Errors in key project management processes
119. Users reject the prototype
120. User interface doesn't allow users to complete tasks
121. User interface is low quality
122. User interface isn't accessible
123. Project reduces business productivity
124. Project reduces innovation
125. Product disrupts business metrics (measurements of objectives)
126. Users reject the product
127. Product doesn't sell
128. Product incurs legal liability
129. Product negatively affects brand
130. Product negatively affects reputation

Procurement – common risks (listed in the order of the procurement risk categories above)

Understatement of the need
Overstatement of the need
Misinterpretation of user needs
Insufficient funding
Impractical timeframe
Probity issues
Narrow definition or commercial specification (eg. use of brand name)
Definition of inappropriate product or service
Biased specification
Inadequate statement of requirements
Failure to identify potential sources
Selecting inappropriate method
Terms and conditions unacceptable to tenderers
Providing inadequate information
Failure to adequately address enquiries from tenderers
Actual or perceived favouritism in providing information
Actual or perceived breach of confidentiality
Insufficient number of responses
No response from known quality suppliers
Failure to follow effective evaluation procedures
Breaches of security
Offers fail to meet needs
Failure to identify a clear winner
Decision made on subjective grounds
Selecting an inappropriate supplier
Selecting inappropriate product
Not matching the expectations of buyer and tenderer
Deadlock on details of agreement
Failure to secure mandatory conditions
Unfair or onerous requirements on the tenderer in the contract conditions
Failure to reflect the terms offered and agreed in the contract
Inadvertently creating a contract without the delegate's prior approval
Variations in price and foreign exchange
Unwillingness of the supplier to accept the contract
Failure of either party to fulfil the conditions of the contract
Inadequately administering the contract
Commencement of work by the supplier before contract is exchanged or letter of acceptance issued
Unauthorised increase in scope of work
Loss of intellectual property
Failure to meet liabilities of third parties (eg. royalties or third party property insurance)
Loss or damage to goods in transit
Fraud
Key personnel not available
Failure to evaluate procurement and management processes
Failure to identify and address problems
Collusive bidding at auction
Inadequate tender management

OH&S (Health & Safety) – description of each risk category
Mechanical hazards – Plant, equipment and items (and parts of them) that have the potential to cut, rip, tear, abrade, crush, penetrate, produce pr
Chemical and biological hazards – Chemicals, compounds, materials, powders, dusts and vapours that have the potential to impair health, have adverse effec
Sources of energy – A range of sources of energy that have the potential to cause harm, including electricity, heat, cold, noise, high powered ligh
Body stressing or impact hazards – Activities that cause stress to the muscles and/or skeleton, including manual handling of people, animals, goods or material
Gravity – Activities that are carried out where a person can fall or an object can fall onto people.
Psychological hazards – Events, systems of work or other circumstances that have the potential to lead to psychological and associated illn

Likely consequences
Purchase of unsuitable product or service
Money wasted
Need not satisfied
Greater expense
Poor competition
Totally unacceptable purchase or not most suitable product or service
Time lost
Increased costs
Possible downtime
Delay in making the purchase
Additional costs for re-tender
Inadequate responses from tenderers
Reduced competition
Delivery schedule not met
Increased procurement costs
Misuse of resources
Most suitable product not obtained

Unethical conduct

Fewer alternatives
Most suitable product or service may not be obtained
Increased costs
Need not satisfied
Time lost
Increased costs
Possible downtime
Inadequate responses from tenderers
Claims of unfair dealings
Variety of offers
Insufficient responses

Products offered not meeting needs

Difficult to evaluate
Lack of offers from suitable tenderers

Need to seek offers again

Possible cost variations

Failure to obtain value for money

Loading of costs in offers


Having to modify tender terms and conditions

Disruption
Low response

Loading of costs in offers


Variations in offers

Having to provide clarifying information, causing delays in tender closing

Additional costs
Claims of unfair practices

Offers with qualifications by tenderers


Withdrawal of offers

Complaints from tenderers


Withdrawal of offers

Complaints from tenderers


Mistrust by tenderers

Need to undertake process again

Increased costs
Delayed delivery to the client
Poor value for money due to limited competition

Reduced competition
Increased costs of products or services

Inconsistent evaluations

Possible complaints from tenderers


Subjective not objective evaluation of offers

Claims of unethical or unfair practices


Loss of faith with tenderers

Need to call tenders again


Additional costs
Delay in delivery

Claims of unethical and unfair behaviour

Complaints from tenderers

Failure to fulfil the contract

Failure to meet the client's need

Contract disputes

Delivery delays
Cost variations
Reduction in value for money
Purchase of less suitable product
Inefficient use of resources
Delays in delivery
Need to restart procurement
Possible cost of legal action
Inability to finalise contract
Delays in delivery
Variations in cost
Inefficient use of resources
Contract disputes
Invalidity of contract
Legal action
Poor supplier/customer relationship
Contract disputes
Legal action
Poor supplier/customer relationship
Expense of negotiating out of the contract and paying damages
Committing to other associated work prior to main contract existing
Cost overruns

Delays in delivery
Need to restart procurement
Contract disputes

Failure to satisfy needs

Delays in delivery
Downtime
Legal action
Cost increases

Failure of contract
Full benefits not achieved
Delivery of unsatisfactory product
Contract/supply disputes
Potential liability to pay for unauthorised work
Possibility of legal action for perceived breach of contract

Unanticipated cost increases


Contract disputes

Loss of commercial opportunity


Unwarranted reliance on supplier for product support
Legal action
Damage to the agency's professional reputation

Delays in delivery
Downtime
Liability disputes

Misuse of resources
Legal action
Disruption to procurement activities
Progress on project disrupted
Less expertise

Failure to improve procurement and management processes

Procurement objectives not achieved


Possible failure in the future

Not achieving best return


Claims of unethical and unfair practices

Claims of bias and favouritism to organisations or individuals


Reduction in value for money

and parts of them) that have the potential to cut, rip, tear, abrade, crush, penetrate, produce projectiles or cause sudden impact.
erials, powders, dusts and vapours that have the potential to impair health, have adverse effects on human reproduction, cause disease or have explosive, flammable, toxic or corrosive properties.
y that have the potential to cause harm, including electricity, heat, cold, noise, high powered light and damaging radioactive sources.
o the muscles and/or skeleton, including manual handling of people, animals, goods or materials and things or circumstances that can cause a person to slip, trip or fall at the same level.
where a person can fall or an object can fall onto people.
work or other circumstances that have the potential to lead to psychological and associated illness, including work-related stress, bullying, workplace violence and work-related fatigue.
ket risk (VAR) and scenario analysis?
Action
Analyse need accurately
Analyse need accurately
Use functional and performance requirements
Improve consultation with users
Obtain clear statement of work and definition of need

Obtain appropriate approvals before undertaking process
Improve planning
Improve forecasting, planning and consultation with users
Improve communication with potential tenderers

Implement best practice policies, guidelines and practices
Maintain ethical environment
Improve training of personnel
Put suitable controls and reviews in place
Consider using a probity adviser
Improve communication with potential tenderers
Define the specification in terms of required outputs
Use functional and performance specifications

Ensure specification is consistent with needs analysis

Improve market knowledge
Use functional and performance specifications

Use functional and performance specifications

Implement a control mechanism to review specification before release
Be familiar with requirements
Use functional and performance specifications
Use an Expression of Interest or Request for Information to clarify requirements (be careful not to infringe intellectual property rights or copyright)

Improve procurement planning processes

Improve market knowledge
Seek industry participation
Use the Industry Capability Network (ICN)
Improve implementation of procurement policies, guidelines and practices
Improve tender documentation and clearly identify the evaluation criteria in Request for Tenders
Provide staff with appropriate training and experience

Use standard documentation prepared by Crown Law

Select appropriate documentation for purchase type (i.e. goods, services, goods and services, or information technology related)
Improve tender planning
Assess and allocate risks appropriately
Consult with Crown Law
Use commercially acceptable terms
Provide staff with appropriate tender planning and procurement skills
Ensure staff have appropriate tender planning and documentation training and experience
Improve tender planning and preparation
Review tender documents before issuing them and ensure evaluation criteria contain the critical factors on which assessment of tenders will be based

Implement standardised procedures for responding to enquiries
Provide staff with appropriate tender management training and experience
Respond in a timely manner to enquiries
Allow adequate time for tenderers to respond
As above
Answer queries in writing and provide copies to all potential tenderers
Ensure that all potential tenderers are provided with any addenda
Establish formal security procedures
Train staff in their obligations
Perform regular audits and reviews of security processes
Advise tenderers of security measures

Use appropriate tender advertisement strategy to increase competition (eg. consider advertising tenders in other publications as well as the local paper)

Consult with the ICN to identify potential tenderers

Provide potential tenderers with advance notice of tender requests
Improve tender documentation and specifications
Allow sufficient time for tenderers to respond
Actions as above for insufficient number of responses
Improve your market knowledge
Review specifications or conditions
Seek feedback from known suppliers on their non-response
Provide staff with appropriate tender assessment and evaluation training and experience
Improve tender assessment and evaluation processes
Maintain, audit and review evaluation procedures
Ensure that Evaluation Committee members declare any conflicts of interest
Maintain, audit and review security procedures
Provide staff with appropriate training and experience and monitor performance
Ensure that Evaluation Committee members understand and sign Confidentiality Agreements
Improve market knowledge
Improve tender documentation
Conduct market research
Develop functional and performance specifications
Ensure evaluation criteria contain the critical factors on which the assessment of tenders will be based and that they are clearly identifiable to tenderers in tender documents
Ensure evaluation criteria are appropriate and measurable

Ensure that Evaluation Committee members sign Declaration of Conflict and Confidentiality Agreements

Provide staff with appropriate tender evaluation, financial and technical skills training and commercial expertise
Improve evaluation procedures
Improve evaluation criteria and clearly identify them to tenderers in tender documents
Reject unacceptable offers
Perform financial, technical and company evaluations before awarding contract
Procurement Review Committee to review tender and selection process prior to awarding contract
Ensure users are involved in the evaluation/selection process
Improve technical evaluation procedures and train staff as appropriate
Procurement Review Committee to review tender and selection process prior to awarding contract
Improve communication, including ensuring that Conditions of Contract form part of the Request for Tender
Provide staff with training in contract planning and management
Define terms carefully
Record each party's obligations
Clarify all ambiguities before signing the contract

Look at alternatives to share risk

Distinguish between essential and non-essential goals and requirements

Establish baseline before negotiations

Distinguish essential goals from others
Consider variations to contract
Provide negotiators with adequate training
Provide negotiators with adequate training and support
Negotiate commercial terms
Terms should be fair and reasonable
Check final draft of contract with successful tenderer
Keep records of all negotiations and agreements

Procedure in place to ensure delegate's approval obtained first
Provide negotiators with adequate training
Agree on prices and the basis of prices
Agree on a formula for calculating variations
Seek legal redress if non-acceptance causes loss
Negotiate but retain integrity of the contract
Ensure good contract administration and performance management
Hold regular inspections / meetings and ensure progress reports
Ensure all staff know responsibilities and conditions
Ensure good record keeping and documentation

Maintain up-to-date agency procedures and practices

Ensure all staff are suitably trained and experienced in contract planning and management

Confirm verbal acceptance of contract with written advice
Accept all contracts in writing
Ensure approvals are received before allowing work to start
Ensure all contract amendments are issued in writing
Record all discussions and negotiations
Confirm instructions in writing
Ensure suitable clauses are included in the contract

Check that all obligations are covered in the contract

Agree on responsibilities
Implement appropriate safety standards and programs
Include appropriate packaging instructions in specification
Agree on insurance cover for supplier to provide
Accept delivery only after inspection
Know when title of goods is transferred to buyer
Maintain an ethical environment
Follow and maintain fraud control procedures

Include requirement in specification and ensure compliance in post-tender negotiation
Know the market
Accept risk and manage possible delay
Develop systematic evaluation methods, techniques and evaluation criteria
Agree on performance criteria (with supplier and customer)
Develop good relationships with suppliers
Include evaluation clause in the contract
Implement performance management strategies
Set reserve prices
Deal with reputable firms
Include disposal clause in initial contract
Maintain ethical environment
Sell by open tender
Document reasons for decision
Provide staff with appropriate training


Risk Reporting AS AT 08-Feb-19

Risks - # by Priority, against Assessment of Existing Controls

Risk Priority    Adequate   Opportunities for Improvement   Inadequate   No Assessment   Totals
V High           0          0                               0            1               1
High             0          1                               0            1               2
Medium           0          0                               0            3               3
Low              0          0                               0            4               4
Totals           0          1                               0            9               10

Risks - # by Likelihood and Consequence

Likelihood       Catastrophic   Major   Moderate   Minor   Negligible   Totals
Almost Certain   0              1       0          0       0            1
Likely           0              0       1          0       0            1
Possible         0              1       1          2       0            4
Unlikely         0              0       0          2       0            2
Rare             0              0       0          0       2            2
Totals           0              2       2          4       2            10

Colour Code (risk priority): V High, High, Medium, Low

Checklist for Risk Management Framework

Stage: Development of Risk Framework

Communicate and Consult
1 Has the board and executive expressed their support for a risk management programme?
2 Has the risk committee (or equivalent) and the board reviewed and approved the risk policy/strategy?
3 Have you identified a person who will be responsible for implementing risk management?
4 Does the risk manager, or equivalent, have reasonable access to staff and management across the organisation?

Establish the Context
5 Have you defined categories of risk relevant to your organisation and industry?
6 Do your risk categories reflect all operational risk areas of the business as well as more strategic risk categories?
7 Is there a clear organisational strategy (or objectives) articulated for the organisation?
8 Have you defined and agreed a likelihood scale to assess the potential for the risk to occur throughout the organisation?
9 Have you defined and agreed a consequence scale to help assess risk impacts across the organisation?
10 Does the organisation's consequence scale describe both financial and non-financial impacts?
11 Does the risk management framework consider the effectiveness of controls or risk treatments?
12 Is there an agreed template or format for recording risks and risk treatment information (a risk register)?
13 Has a risk policy been defined?
14 Does the organisation have a documented risk management strategy?
15 Do job descriptions of key stakeholders include responsibilities for risk management?
16 Is a formal project management methodology used to manage projects?
17 Is a mechanism in place to identify, assess, record and monitor risks on projects?
18 Has the organisation agreed what types and levels of risk are unacceptable?

Stage: Implementation of Risk Framework

Communicate and Consult
19 Is there an agreed format/template for reporting on risk?
20 Is there a process and/or template where new risks can be recorded by the executive and staff?
21 Is risk management or awareness training provided to all staff?
22 Does the risk manager (or equivalent) have access to the CEO, board and Audit/Risk Committee when required?
23 Do staff know that they have a right and responsibility to assist in risk identification and escalation?
24 Do staff know who to report/escalate risks to?
25 Do managers or supervisors know that they are responsible for managing risk in their area/s of responsibility?
26 Have the executive and the board provided guidance on what information they would like to see in risk reports?
27 Is there agreement on when and how often risk reports will be produced?
28 Have the recipients of risk reports been identified and agreed?
29 Can different risk reports be produced to meet different needs of stakeholder groups?
30 Has responsibility for managing/treating specific risks been assigned and communicated to those responsible?
31 Are staff encouraged or incentivised to report risk or suggest risk reduction strategies?

Risk Assessment
32 Has a risk brainstorming workshop (or workshops) been conducted?
33 Have you considered the history of events and incidents in your organisation during the risk assessment process?
34 Has research been performed to understand common risks in the industry?
35 Has the executive and board considered risks relating to the achievement of key organisational goals and objectives?
36 Are risks identified during compliance reviews/audits always added to the risk register?
37 Have existing controls been identified for risks during the risk assessment process?
38 Has the perceived effectiveness of controls been assessed by a person who understands the risk and the controls in place?
39 Has the risk register been updated in the last year?
40 Is the risk register updated throughout the year to reflect changes in risk and emerging risks?
41 Does the risk register record the job title of the person responsible for overseeing the risk treatment and monitoring process (the 'risk owner' or 'risk champion')?

Treat Risks
42 Have you identified possible actions/treatment plans that could help to reduce the risk level?
43 Have the benefits of a treatment approach been compared to the potential cost of the risk to determine the appropriateness of the treatment strategy?
44 Have risk treatment or action plans been documented and approved for important risks?
45 Have due dates/completion dates been agreed for risk treatment actions and plans?
46 Is there a clear understanding of who will oversee the risk treatment selection and execution process?
47 Have key risk indicators (KRIs) been defined and agreed for key risks/risk areas?
48 Are the organisation's physical assets appropriately insured?
49 Is a business continuity plan (BCP) in place for critical organisational functions/processes?

Stage: Monitoring & Review of Risk Framework

Monitor and Review
50 Does your risk process follow the steps described in the AS/NZS 4360:2004 Standard (since superseded by AS/NZS ISO 31000:2009)?
51 Does the Internal Audit function or equivalent review risk management processes?
52 Is an Internal Audit function/process in place?
53 Do your internal auditors focus their time and effort on the most critical risks recorded in the risk register?
54 Does the organisation track changes in risk levels over time in order to understand trends/changes in risk levels?
55 Has the risk policy been reviewed and approved in the last year?
56 Has the board and/or risk management committee (or equivalent) made an attestation in the annual report in accordance with the Victorian Government Risk Management Framework (if applicable)?
57 Is the risk process integrated with other organisational planning processes, for example is risk considered during the strategic planning, budgeting and audit planning processes?

Term: Definition
Risk: Effect of uncertainty on objectives (either positive or negative deviation from what is expected). Often expressed as a combination of the consequences of an event and the associated likelihood of occurrence.
Control: Any measure or action that modifies risk. Includes any policy, procedure, practice, process, technology, technique, method or device that modifies or manages risk. Risk treatments become Controls, or modify existing Controls, once they have been implemented.
Residual Risk: Risk remaining after risk treatment, i.e. the risk left over once a risk treatment option has been implemented.
Hazard: Source of potential harm. A present condition, event, object or circumstance that could lead to or contribute to an unplanned or undesired event such as an accident.
Issue: A risk with a probability of 100%, i.e. one that has eventuated into an existing issue.
Risk Identification: Process of finding, recognising and describing risks, involving identification of risk sources, events, causes and potential consequences.
Risk Analysis: Process to comprehend the nature of risk and to determine the level of risk.
Risk Evaluation: Process of comparing the results of risk analysis with the risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
Risk Treatment: Process to modify risk, which can involve avoidance, taking or increasing a risk, removing the risk source, changing the likelihood, changing the consequences, sharing the risk (eg. contracts, insurance), or retaining the risk by informed decision.

Note: Risk is different to a Hazard in that Risk is the future impact of a hazard that is not controlled; it can be viewed as the future uncertainty created by the hazard.

Risk Likelihood/Probability of Occurrence

Type: Threats
High (probable): Likely to occur each year, or more than 25% chance of occurring. Indicators: potential of it occurring several times within the time period (eg. 10 years); has occurred recently.
Medium (possible): Likely to occur in a 10 year time period, or less than 25% chance of occurrence (but above the 2% Low threshold). Indicators: could occur more than once within the time period (eg. 10 years); could be difficult to control due to some external influences; is there a history of occurrence?
Low (remote): Not likely to occur in a 10 year period, or less than 2% chance of occurrence. Indicators: has not occurred; unlikely to occur.

Type: Opportunities
High (probable): Favourable outcome is likely to be achieved in 1 year, or better than 75% chance of occurrence. Indicators: clear opportunity which can be relied on with reasonable certainty to be achieved in the short term based on current management processes.
Medium (possible): Reasonable prospects of favourable results in 1 year, or 25% to 75% chance of occurrence. Indicators: opportunities which may be achievable but which require careful management; opportunities which may arise over and above the plan.
Low (remote): Some chance of favourable outcome in the medium term, or less than 25% chance of occurrence. Indicators: possible opportunity which has yet to be fully investigated by management; opportunity for which the likelihood of success is low on the basis of management resources currently being applied.

Hierarchy of Risk Management Options

Preference Order   Treatment   Risk Management Option
1                  Avoid       Avoidance by not starting or continuing the activity that led to the risk
2                  Accept      Accepting or increasing the risk in order to pursue an opportunity
3                  Avoid       Removing the risk source
4                  Mitigate    Changing the likelihood and/or the consequences
5                  Transfer    Sharing the risk with another party (eg. insurance, contracts)
6                  Accept      Retaining the risk by informed decision
Validation lists

Business Category: Asset Management; Infrastructure Management; Finance; Clinical Governance; Regulatory Compliance; Service Delivery; Corporate Governance; Operational
Risk Category: Business Continuity; Liability; Environmental; Financial; Political; OH&S; Infrastructure, Assets & Systems; Reputation; Market / Environmental; Strategic
Controls (assessment of existing controls): Adequate; Opportunities for Improvement; Inadequate
Document Type: Strategic Plan; Business Continuity Plan; OH&S Policies & Procedures; Other
Action Type: Avoided (eg. don't do risky activity); Accepted; Removed (risk source removed); Reduce Likelihood (eg. P&P, Training); Reduce Consequences; Shared/Transferred (eg. Insurance); Retained (by informed decision)
Likelihood: Almost Certain; Likely; Possible; Unlikely; Rare
Consequence: Negligible; Minor; Moderate; Major; Catastrophic

Risk Priority Matrix (Likelihood x Consequence)

Likelihood       Negligible   Minor    Moderate   Major    Catastrophic
Almost Certain   Medium       Medium   High       V High   V High
Likely           Medium       Medium   High       High     V High
Possible         Low          Medium   Medium     High     High
Unlikely         Low          Low      Medium     Medium   High
Rare             Low          Low      Medium     Medium   High
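The matrix above is what turns every register entry into the priority counts on the report sheet. The Python below is an added example, not part of the original workbook: it encodes the page's likelihood and consequence scales and matrix, checks that the matrix is monotonic (a higher likelihood or consequence never yields a lower priority, a sanity check worth running on any hand-built scoring table), scores a constructed ten-entry register chosen so that its totals reproduce the 08-Feb-19 report, and applies the sheet's "Reduce Likelihood" / "Reduce Consequences" action types to compute a residual rating. The register entries, their control assessments, and the rule that each reduction action moves its scale down one step are assumptions for illustration; the page does not state them.

```python
"""Qualitative risk scoring with the page's 5x5 likelihood/consequence matrix.

Added example (not the workbook's own logic). Encodes the validation lists and
priority matrix, sanity-checks the matrix, and reproduces the report-sheet counts
for a constructed register.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Tuple

LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]   # ascending
CONSEQUENCE = ["Negligible", "Minor", "Moderate", "Major", "Catastrophic"]   # ascending
PRIORITY = ["Low", "Medium", "High", "V High"]                              # ascending
CONTROL_STATES = ["Adequate", "Opportunities for Improvement", "Inadequate", "No Assessment"]

# Page's matrix: row = likelihood, columns = consequence from Negligible to Catastrophic.
MATRIX = {
    "Almost Certain": ["Medium", "Medium", "High",   "V High", "V High"],
    "Likely":         ["Medium", "Medium", "High",   "High",   "V High"],
    "Possible":       ["Low",    "Medium", "Medium", "High",   "High"],
    "Unlikely":       ["Low",    "Low",    "Medium", "Medium", "High"],
    "Rare":           ["Low",    "Low",    "Medium", "Medium", "High"],
}


def rate(likelihood: str, consequence: str) -> str:
    """Risk priority for a likelihood/consequence pair, per the page's matrix."""
    return MATRIX[likelihood][CONSEQUENCE.index(consequence)]


def matrix_is_monotonic() -> bool:
    """Priority must never fall when likelihood or consequence rises by one step."""
    for i, lik in enumerate(LIKELIHOOD):
        for j, con in enumerate(CONSEQUENCE):
            here = PRIORITY.index(rate(lik, con))
            if i and here < PRIORITY.index(rate(LIKELIHOOD[i - 1], con)):
                return False
            if j and here < PRIORITY.index(rate(lik, CONSEQUENCE[j - 1])):
                return False
    return True


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str
    controls: str = "No Assessment"   # assessment of existing controls (validation list above)

    def priority(self) -> str:
        return rate(self.likelihood, self.consequence)


def residual(risk: Risk, actions: Iterable[str]) -> Risk:
    """Residual rating after treatment, using the sheet's action types.

    Assumption (not stated on the page): each 'Reduce Likelihood' or
    'Reduce Consequences' action moves its scale down one step, floored at the
    lowest step. Other action types leave the rating unchanged.
    """
    lik = LIKELIHOOD.index(risk.likelihood)
    con = CONSEQUENCE.index(risk.consequence)
    for action in actions:
        if action == "Reduce Likelihood":
            lik = max(0, lik - 1)
        elif action == "Reduce Consequences":
            con = max(0, con - 1)
    return Risk(risk.name, LIKELIHOOD[lik], CONSEQUENCE[con], risk.controls)


def summarise(register: Iterable[Risk]) -> Tuple[Counter, Counter]:
    """Counts behind the two report tables: (priority, control state) and
    (likelihood, consequence)."""
    by_priority_and_controls: Counter = Counter()
    by_cell: Counter = Counter()
    for r in register:
        by_priority_and_controls[(r.priority(), r.controls)] += 1
        by_cell[(r.likelihood, r.consequence)] += 1
    return by_priority_and_controls, by_cell


def priority_totals(register: Iterable[Risk]) -> Counter:
    """Row totals of the '# by Priority' table."""
    return Counter(r.priority() for r in register)


# Constructed register: ten entries chosen to reproduce the page's 08-Feb-19 totals
# (V High 1, High 2, Medium 3, Low 4; one High risk with controls marked for improvement).
REGISTER = [
    Risk("R1", "Almost Certain", "Major"),
    Risk("R2", "Likely", "Moderate"),
    Risk("R3", "Possible", "Major", "Opportunities for Improvement"),
    Risk("R4", "Possible", "Moderate"),
    Risk("R5", "Possible", "Minor"),
    Risk("R6", "Possible", "Minor"),
    Risk("R7", "Unlikely", "Minor"),
    Risk("R8", "Unlikely", "Minor"),
    Risk("R9", "Rare", "Negligible"),
    Risk("R10", "Rare", "Negligible"),
]

if __name__ == "__main__":
    print("matrix monotonic:", matrix_is_monotonic())
    totals = priority_totals(REGISTER)
    for p in reversed(PRIORITY):
        print(f"{p:8} {totals[p]}")
    top = REGISTER[0]
    after = residual(top, ["Reduce Likelihood"])
    print(top.name, top.priority(), "->", after.likelihood, after.consequence, after.priority())
```

Running the script prints the priority totals of the constructed register (1, 2, 3, 4) and shows R1 dropping from V High to High after a single likelihood reduction; note that reducing consequence as well leaves it at High, which is the kind of result a treatment plan should confirm against the matrix before it is approved.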
