City of Melville Risk Management Toolkit


Last Review Date: 30/07/2012
Document Owner: Risk Management Coordinator

Table of Contents

1. Introduction
2. Risk Management Methodology
3. Conducting a Risk Assessment
3.1 Preparing for a Risk Assessment
3.2 Establish the Context
3.3 Identify the Risk
3.4 Analyse the Risk
    Analysing a Risk
    Analysing an Opportunity
3.5 Evaluate the Risk
    Evaluating a Risk
    Evaluating an Opportunity
3.6 Treat the Risk
3.7 Monitor and Review
3.8 Communicate and Consult
Documenting Risks
Risk Reporting

1. Introduction

Regardless of your Service Area or Directorate, any activity you are undertaking will have an objective. The City of Melville may be exposed to a number of internal and external factors that make it uncertain whether, when and the extent to which it will achieve those objectives. Risk is the effect of uncertainty on an objective. The effect on an objective may be in the form of a negative consequence or a positive benefit. The City has decided that any negative consequence uncertainties will be referred to as risks and any positive benefit uncertainties will be referred to as opportunities.

The goal of Risk Management is to either minimise risks or maximise opportunities through coordinated activities. This Risk Management Toolkit (RMT) has been developed to assist all staff in conducting a risk assessment to achieve the goal of Risk Management. All the matrices and templates required to manage risks have been included along with guidelines for their use. If additional assistance is required in the completion of a risk assessment, the City of Melville has a Risk Management Coordinator available.

2. Risk Management Methodology

To manage risks, the City of Melville utilises the methodology outlined in the Risk Management Framework (RMF). This methodology is based on the methodology outlined in International Standard AS/NZS ISO/IEC 31000:2009 Risk Management Principles and Guidelines.

[Figure 1: Risk Management Methodology. Steps shown: Establish the Context; Identify the Risk; Analyse the Risk; Evaluate the Risk; Treat the Risk; Communicate and Consult; Monitor and Review.]

The seven process steps in the above methodology will be explained individually and you will be provided with guidelines and any tools required to successfully complete them.

3. Conducting a Risk Assessment

Risk assessments can be undertaken at any time, by anyone. Whilst the methodology contains seven steps, only five of them deliver an actual output; the other two are for accountability and validation and are undertaken throughout the entire risk assessment process.

To assist you in undertaking a risk assessment, three additional steps have been added to this Toolkit. The steps you will need to undertake to conduct a risk assessment are:

- Preparation;
- Establish the Context (Establish);
- Identify the Risk (Identify);
- Analyse the Risk (Analyse);
- Evaluate the Risk (Evaluate);
- Treat the Risk (Treat);
- Monitor and Review;
- Communicate and Consult;
- Documentation; and
- Reporting.

3.1 Preparing for a Risk Assessment

Before commencing a risk assessment process, it is important to document a clear description of what you are about to assess. In most cases, the risk assessment is likely to be conducted on a Service Area, a process, a product or a project. If a clear definition of what is being assessed is not stated up front, it can cause confusion and may distract the focus of stakeholders later on. For the purpose of this Toolkit, anything being risk assessed will be referred to as the Assessable Item.

Organise stakeholders to participate in the assessment process. It is important to get as many perspectives as possible. Always try to have at least one stakeholder who is actually involved in the Assessable Item. Whilst managers can provide valuable insight into how a process is supposed to run, it is just as important to have someone who can tell you how they do it. You may find that the biggest risk is that no one is actually following the defined process.

You may not need all of your identified stakeholders at every step. For the Establish, Identify and Analyse steps you will most likely want to involve all of the stakeholders. In some cases, this can be a large number of people. The best way to encourage analytical thinking and ensure lively debate is to set up a workshop. The bigger the scope of the Assessable Item, the more time you will need. Large numbers of stakeholders will also increase the time required.

Note: There is no such thing as too many stakeholders. However, having 50 people in a room might not work to run your risk assessment. If you have too many stakeholders to fit into a room or to let them all have a voice, split them into multiple smaller groups. Another option is to use a survey. Though surveys will provide useful data and may be a way to involve people who might not normally be able to be involved, risk management should involve active discussion to be truly effective.

You may find it beneficial to use one or more documentation tools to record the information you gather at each step. All the required tools will be included as Tables in this Toolkit and you will be advised when and how to use them.

3.2 Establish the Context

Under the RMF, the City has defined three levels of risk: Strategic, Operational and Project (see Table 1).

Table 1: Risk Levels

| Risk Level | Definition |
|---|---|
| Strategic | Uncertainty that could affect the achievement of the City of Melville's Vision and Corporate Plan objectives. |
| Operational | Uncertainty that could affect the objectives of a Service Area or Directorate. |
| Project | Uncertainty that could affect actions or project objectives on a day-to-day basis. |

Once you have determined what level your risk assessment is in, next develop an understanding of where the Assessable Item fits within the City, both internally and externally. An example of somewhere to find information that may assist you with this is the Plan for the Future (Corporate Plan).

Regardless of the type of Assessable Item, it will have at least one objective. It may be helpful to document any objectives for use during risk identification.

Uncertainty can arise in many different forms. The City has summarised in the RMF what it believes to be the key categories of uncertainty where risks may arise. To develop a clear understanding of the context of your Assessable Item, it may assist you to explore any internal or external factors that could lead to uncertainty. The Risk Categories presented in Table 2 should be used to trigger any potential factors for consideration. Not all Risk Categories will be applicable to all risks; this is simply a tool to ensure that a holistic picture is formed for each Assessable Item.

Table 2: Risk Categories

| Risk Category | Definition |
|---|---|
| Asset / Infrastructure | This includes the condition management, renewal, replacement and planning in relation to assets. |
| Budget / Financial | This includes cash flow, budgetary requirements, tax obligations, creditor and debtor management, remuneration and other general account management issues. |
| Customer Relations | Associated with meeting the current and changing needs and expectations of customers and citizens. |
| Environment | This includes risk arising from management of environment and environmental consequences of the City's activities. |
| Human Resources | This includes the recruitment, retention and remuneration of employees and workforce planning. |
| Legal / Legislation / Compliance | This category includes compliance with legal requirements such as legislation, regulations, standards, codes of practice and contractual requirements. This also extends to include compliance with policies, procedures etc. |
| Political | Associated with delivery of either Local or State Government legislation or to meet Council's stated commitments. |
| Project | This includes the management of equipment, finances, resources, technology, timeframes and people associated with the projects, internal or external to the organisation. |
| Safety | This includes the safety of everyone associated with the City. This extends from individual safety, to workplace safety, policy safety and to the safety and appropriateness of services delivered by the City. |
| Technology | This includes implementation, management, maintenance and upgrades associated with information technology. |

For each objective, determine if any internal or external factors may adversely affect it or create benefits. Testing the objectives to see what drives their success or failure should highlight the areas of uncertainty that will allow you to identify the risks.

Desired Outcomes for Establish the Context:

- A list of objectives for the Assessable Item (documented if required).
- An understanding of what internal or external factors may adversely affect or create benefits to the objectives.

3.3 Identify the Risk

Identifying risks is the most important part of the entire process. Accurately defining risks makes the rest of the process much easier. It is quite common for people to incorrectly define risks. More often than not, risk statements will list threat sources or mitigation strategies as the risk.

To identify risks, the best place to start is to break down all of the elements that will come into play. These are: the objective, the threat (cause), the risk statement, the consequence (or benefit) and the likelihood. Every risk will include all five of these things.

The objective statement you should already have. The threat (cause) will come from your internal and external factors that were identified in the Establish step. The risk statement can be created by following the process below. The consequences and likelihood will be discussed in the Analyse step but are mentioned here because, as stated above, risk statements are often incorrectly written and will include them.

To ensure a clear and accurately defined risk statement, start by looking at the objective or event. Here is an example:

Objective: Work in partnership with the community to contribute to a safer community.

Using any findings from the Establish step, start to identify the uncertainties. Examples of areas of uncertainty for the above objective might include:

- resources available;
- community expectations; or
- legislative requirements.

From these areas of uncertainty, you need to create risk statements. The risk statement is always subjective; there is no specific formula for creating the perfect statement. However, as a suggested guide, a risk statement should include the cause and effect, linked together with "leads to", "results in" or "causes".

So how do you word a risk statement? Following the aforementioned suggestion, an example of a good risk statement around the uncertainty of resource availability could be:

"Not having an appropriate number of qualified resources available results in poor community security."

The above statement is short, clear and direct. Whilst there is no definitive wrong way to write a risk statement, a poorly constructed risk statement makes it hard for stakeholders to determine what they are assessing.

If in doubt about your risk statement, contact the Risk Management Coordinator for assistance.

Desired outcomes for Identify the Risk:

- A list of identified risks / opportunities.
- An understanding of the threats (causes) associated with each risk / opportunity.

3.4 Analyse the Risk

Risks mean different things to different people. Where one employee may see a risk they think will mean the end of the world, another may only see a delay of a few hours in delivering an outcome. This is why, as was mentioned in the Preparation step, it is important to involve a range of stakeholders with varied views on the Assessable Item.

By the end of this step, you will have determined a Risk Rating. The Risk Rating is a simple alignment of the two inputs that stakeholders will need to determine: consequence and likelihood. Table 3 provides a breakdown of what consequence and likelihood mean in relation to risks and opportunities.

Table 3: Risk and Opportunity Consequences and Likelihoods

| Risk / Opportunity Descriptor | How it applies |
|---|---|
| Risk Consequence | A risk consequence is negative impact or harm that will affect an objective. Some types of risk consequences might include injury to employees, delays in service delivery, damage to the environment or financial loss. |
| Opportunity Consequence | An opportunity consequence is a benefit to an objective. Some types of opportunity consequences might include enhancement of skills, increased asset value, improved efficiencies or financial gain. |
| Risk Likelihood | The likelihood of a risk occurring examines the frequency of past occurrences and the potential for future occurrences. |
| Opportunity Likelihood | The likelihood of an opportunity examines the potential for success based on past occurrences and the potential for future occurrences. |

At the completion of this step you should be able to create a final version of your Risk Register. An example Risk Register is included in the Documentation section of this Toolkit (see Section 3.9).

The remainder of the Analysis step will be split so that you can easily follow the process for a risk or an opportunity. There are different tools used when conducting an assessment on one or the other.

Analysing a Risk

To determine the Consequence Rating for a risk, think about the consequences of not being able to achieve your objective if your area of uncertainty got in the way. Using the example from the Identify step, if you had insufficient resources available, what negative impacts would that have?

As a guide, you might find it useful to use the Risk Consequence Matrix which you will use shortly to determine the Consequence Rating (see Table 4). Though not a complete or definitive list, the matrix includes seven possible categories which may trigger some types of consequence for you.

Table 4: Risk Consequence Matrix

| Descriptor | Catastrophic | Major | Moderate | Minor | Negligible |
|---|---|---|---|---|---|
| Injury | Death or permanent disability | Life threatening injury or multiple serious injuries causing hospitalisation | Serious injury requiring medical treatment | Minor injury or First Aid treatment | Incident only, no medical treatment required |
| Service Disruption | Long term recovery solution required which will result in non-delivery of outcomes | Significant delays in recovery processes leading to substantial delays in outcome delivery | Recovery takes longer than anticipated causing delays in the delivery of outcomes | Recovery undertaken within acceptable timeframe with minor impact to outcome delivery | Able to recover quickly with negligible impact to outcome delivery |
| Environmental Impact | Irreversible environmental harm or permanent negative impact on urban design | Major environmental impact caused long term recovery, or long term negative impact on urban design or loss of sense of place for whole of area | Small environmental impact long term recovery or long term negative impact on urban design or loss of sense of place for part of area | Small environmental impact no long term effect or short term negative impact on urban design or loss of sense of place for whole of area | Transient impact on environment or short term negative impact on urban design or loss of sense of place for part of area |
| Financial Impact | Loss of over $5m or 10% of budget through: Direct Loss; Opportunity Cost; Lost Revenue; Increased Cost | Loss of $1m - $5m or up to 10% of budget through: Direct Loss; Opportunity Cost; Lost Revenue; Increased Cost | Loss of $250k - $1m or up to 5% of budget through: Direct Loss; Opportunity Cost; Lost Revenue; Increased Cost; Zero Growth | Loss of $50k - $250k or up to 2% of budget through: Direct Loss; Opportunity Cost; Lost Revenue; Increased Cost; Below Budgeted Growth | Loss <$50k or up to 1% of budget through: Direct Loss; Opportunity Cost; Lost Revenue; Increased Cost; Static Growth |
| Reputation | Widespread national news profile, formal inquiry, possible government censure | High news profile (including TV), third party action, public, ministerial involvement | Public embarrassment, moderate news profile, internal ministerial involvement | Minor media interest with low news profile, e.g. local paper | Minor adverse local community comment or complaint |
| Legal | Major breach of statutory or contractual obligation with significant penalties | Major breach of statutory obligations resulting in fine or common law action by individual or group | Significant breach of statutory or contractual obligations | Minor breach of statutory or contractual obligations with request to comply | Minor breach of statutory or contractual obligations with request to comply |
| Project | Will fail to be completed or to deliver its outcomes or major objectives | Will be completed but scope, cost, schedule, stakeholder or outcomes will be substantially compromised | Will not fully deliver in accordance with all requirements, but the result will be functional | Some compromise to scope, cost, schedule, stakeholders, or outcomes but project remains intact | No recognisable impact after project completion (scope, cost, schedule, stakeholder, outcomes) |

Document every consequence that you come up with. The consequences will all be helpful during risk treatment to assist in working out how to mitigate the risk. Don't limit yourself to just writing down the category such as "Injury"; if you can be specific, do so, as it will help you later on. Rather than just injury, for the resourcing example, you could put in fatigue or stress. The more specific your consequence, the easier it will be to determine a mitigation strategy.

Once you have documented all of the possible consequences, use the Risk Consequence Matrix to determine the overall Consequence Rating. There are five choices: Catastrophic; Major; Moderate; Minor; and Negligible. If you read the wording in the matrix carefully, you will note that each of the Consequence Categories is defined differently based on its level of severity. Each of your consequences is likely to have a different rating. Whatever the highest rating is for any of your identified consequences, that is the rating you need to record.

To determine the likelihood rating for a risk, think about whether the consequences you just documented have ever occurred before. Using the example from the Identify step, have you ever not had enough resources to achieve your objective before?

There are five Likelihood Ratings: Rare, Unlikely, Possible, Likely and Almost Certain. You might find it helpful to use the Likelihood Rating Matrix in determining which of these five ratings is appropriate (see Table 5).

Table 5: Likelihood Rating Matrix

| Descriptor | Qualitative Definition | Quantitative Definition |
|---|---|---|
| Almost Certain | Is expected to occur in most circumstances | Occurs numerous times per year |
| Likely | Will probably occur in most circumstances | Occurs at least once per year |
| Possible | Might occur at some time | Has occurred at least once in the history of the City of Melville |
| Unlikely | Could occur at some time | Has never occurred at the City of Melville but has infrequently occurred in similar organisations |
| Rare | May occur in exceptional circumstances | Is possible but has never occurred at the City of Melville or any similar organisation |

Using the two ratings for consequence and likelihood, align them in the matrix at Table 6 to determine the Risk Rating. The Risk Rating will be examined in more detail in the Evaluate step.

Table 6: Risk Rating Matrix

| Consequence | Almost Certain | Likely | Possible | Unlikely | Rare |
|---|---|---|---|---|---|
| Catastrophic | Extreme | Extreme | Extreme | High | Medium |
| Major | Extreme | Extreme | High | Medium | Low |
| Moderate | Extreme | High | Medium | Medium | Low |
| Minor | High | Medium | Medium | Low | Low |
| Negligible | Medium | Low | Low | Low | Low |

Analysing an Opportunity

To determine the Consequence Rating for an opportunity, think about the benefits you might get if your area of uncertainty became a positive certainty. Using the example from the Identify step, if you had more than adequate resources available, what benefits might that lead to?

As a guide, you might find it useful to use the Opportunity Consequence Matrix which you will use shortly to determine the Consequence Rating (see Table 7). Though not a complete or definitive list, the matrix includes seven possible categories which may trigger some types of consequence for you.

Table 7: Opportunity Consequence Matrix

| Descriptor | Outstanding | Major | Moderate | Minor | Negligible |
|---|---|---|---|---|---|
| People | Outstanding improvement to critical skills / people | Major enhancement to critical skills or personnel | Moderate enhancement in core skills affective services | Minor improvement to capability | Minimal skills improvement |
| Information | Allows the organisation to acquire or improve safeguards to information of the highest value | Acquire or improve safeguards to information sensitive to City of Melville interests or registered intellectual property | Acquire or improve safeguards to information sensitive to City-wide operations | Acquire or improve safeguards to information sensitive to internal or subunit interests | Acquire information not readily available in the public domain |
| Property & Equipment | Outstanding improvement to asset or its value (>25%) | Major improvement to asset or its value (>10%) | Moderate improvement of asset or increase in its value (>5%) | Minor improvement of asset or increase in its value (2-5%) | Minimal improvement to asset (<2%) |
| Business Process & Systems | Enhancement in key activities resulting in outstanding improvements in business performance (e.g. reduced service delays, client dissatisfaction, increased revenue, cost reductions, and process improvement) | Enhancement in key activities resulting in major improvements in business performance (e.g. reduced service delays, client dissatisfaction, increased revenue, cost reductions, and process improvement) | Moderate improvement in business resulting in enhanced performance. These improvements may need to be subject to significant review or changed ways of operations | Minor improvement on business areas such as in terms of delays or system quality | Minimal improvement on non-core business operations |
| Reputation | Increases City reputation by >25% or prevents sustained adverse national / international media campaign | Increase City reputation by >10% or prevents intense public, political or media scrutiny | Increases City reputation by >5% or removes requirement for scrutiny by external organisations | Increases City reputation by 2-5% or removes requirement for scrutiny by executive, internal committees or internal audit | Minimal self-improvement or increase in City reputation (<2%) |
| Financial | Gain of $1m or more in revenue or over 10% reduction in expenses | Gain of up to $500k in revenue or up to 10% reduction in expenses | Gain of up to $250k in revenue or up to 5% reduction in expenses | Gain of up to $100k in revenue or up to 2% reduction in expenses | Gain of up to $50k in revenue or up to 1% reduction in expenses |
| Efficiency | Improvement in delivery of 1 week or more | Improvement in delivery of up to 1 week | Improvement in delivery of up to 1 day | Improvement in delivery of up to 4 hours | Improvement in delivery of up to 2 hours |

Document every benefit that you come up with. The benefits will all be helpful during risk treatment to assist in working out how to ensure you realise the opportunity. Don't limit yourself to writing down just the category such as "People" as your benefit; if you can be specific, do so, as it will help you later on. Rather than just People, for the resourcing example, you could put in improved skills or strengthened morale. The more specific your benefit, the easier it will be to determine a treatment strategy.

Once you have documented all of the possible benefits, use the Opportunity Consequence Matrix to determine the overall Consequence Rating. There are five choices: Excellent; Major; Moderate; Minor; and Negligible. If you read the wording in the matrix carefully, you will note that each of the Consequence Categories is defined differently based on its level of benefit. Each of your consequences is likely to have a different rating. Whatever the highest rating is, that is the rating you need to record.

To determine the likelihood rating for an opportunity, think about whether the benefits you just documented have ever occurred before. Using the example from the Identify step, have you ever had more than adequate resources to achieve your objective before?

There are five Likelihood Ratings: Rare, Unlikely, Possible, Likely and Almost Certain. You might find it helpful to use the Likelihood Rating Matrix in determining which of these five ratings is appropriate (see Table 8).

Table 8: Likelihood Rating Matrix

| Descriptor | Qualitative Definition | Quantitative Definition |
|---|---|---|
| Almost Certain | Is expected to occur in most circumstances | Occurs numerous times per year |
| Likely | Will probably occur in most circumstances | Occurs at least once per year |
| Possible | Might occur at some time | Has occurred at least once in the history of the City of Melville |
| Unlikely | Could occur at some time | Has never occurred at the City of Melville but has infrequently occurred in similar organisations |
| Rare | May occur in exceptional circumstances | Is possible but has never occurred at the City of Melville or any similar organisation |

Using the two ratings for consequence and likelihood, align them in the matrix at Table 9 to determine the Risk Rating. The Risk Rating will be examined in more detail in the Evaluate step.

Table 9: Opportunity Risk Rating Matrix

| Consequence | Almost Certain | Likely | Possible | Unlikely | Rare |
|---|---|---|---|---|---|
| Excellent | Outstanding | Outstanding | Outstanding | High | Medium |
| Major | Outstanding | Outstanding | High | Medium | Low |
| Moderate | Outstanding | High | Medium | Medium | Low |
| Minor | High | Medium | Medium | Low | Low |
| Negligible | Medium | Low | Low | Low | Low |

Desired outcomes for Analyse the Risk:

- A documented set of consequences or benefits against each risk / opportunity.
- A documented likelihood rating for each risk / opportunity.
- A completed final version of your Risk Register.

3.5 Evaluate the Risk

During the Analyse step, you identified a Risk Rating. However, this is just a word at the moment and probably doesn't mean much to you. The evaluation of risks takes the Risk Rating and explains what that means with regard to the need for treatment, the priority for treating it and who will be responsible for driving that treatment.

The remainder of the Evaluate step will be split so that you can easily follow the process for a risk or an opportunity.

Evaluating a Risk

The Risk Rating for a risk is used to determine the Level of Risk. The Level of Risk explains responsibility, priority and need for treatment action. Table 10 below describes the Level of Risk for each Risk Rating.

Table 10: Level of Risk

| Risk Rating | Level of Risk |
|---|---|
| Extreme | Immediate action required by EMT with detailed planning, allocation of resources and regular monitoring. Additional controls required to be implemented to reduce the Risk Rating. |
| High | Immediate attention required by Service Area Director to determine response. Additional controls required to be implemented to reduce the Risk Rating. |
| Medium | Attention required by OMT who may accept the risk if all that is reasonably practicable has been done to mitigate it. Ongoing review and monitoring required. Existing controls may be adequate but additional controls can be added to reduce the Risk Rating. |
| Low | Risk is acceptable. Manage by existing controls. |

Evaluating an Opportunity

The Risk Rating for an opportunity is used to determine the Potential for Success. The Potential for Success explains responsibility, priority and need for treatment action. Table 11 below describes the Potential for Success for each Risk Rating.

Table 11: Potential for Success

| Risk Rating | Potential for Success |
|---|---|
| Outstanding | Amazing opportunity requiring immediate action by EMT. Detailed separate planning required to prepare and capture the opportunity. |
| High | Strong or valuable opportunity requiring immediate attention by the Service Area director. Separate planning required to prepare and capture the opportunity. |
| Medium | Potentially valuable opportunity that may be accepted by OMT. Basic planning required by OMT to prepare, capture and monitor the opportunity. |
| Low | An opportunity that can be managed by routine procedures or is determined to be not valuable enough to act on. |

Desired outcomes for Analyse the Risk:

- A Level of Risk or Potential for Success for each identified risk / opportunity.

3.6 Treat the Risk

The risk treatment process involves determining a mitigation strategy, submitting it for approval and then implementing any approved strategies. This Toolkit does not explain how to actually treat a risk or how to undertake the processes required to allocate resources and funding. The implementation of mitigation strategies (controls) is something that will be specific to each Service Area. Some generic guidelines for treatment types have been included. This part of the Toolkit will provide you with information on how to complete a Risk Treatment Plan which should contain the relevant information required to start the other processes for completing implementation.

At this stage you should have a completed Risk Register. It is advisable to now shift that data into a Risk Treatment Plan (see Section 3.9). Eventually, all risks should be transferred into the City's Interplan Risk Management Module but for expedience, a Risk Treatment Plan is a good tool to use right now.

The Risk Treatment Plan is very similar to the Risk Register. However, it removes some of the columns and data you no longer need and adds in new columns to accommodate the new data you will be recording. These new columns will be for:

- What the mitigation strategy for each risk will be.
- Who will be responsible for implementing that treatment.
- The timeframe for implementation (i.e. within 1 month, 1-3 months, 3-6 months, etc.).

Determining a risk treatment, as stated above, will be specific to the Service Area. Subject Matter Experts (SMEs) will be required to identify realistic, cost effective and relevant options to treat your risks. You should have at least one SME who was already involved in the risk process as one of your stakeholders. However, there are occasions where you will need to engage an external SME if you don't have the required skill sets in-house.

It is advisable to identify a few possible treatment options for your risks, preferably with varied cost implications to ensure that whoever approves your treatment isn't too restricted. The best way to write your suggested treatments is to document them as recommendations or options. Ultimately, it will be the responsibility of your supervisor to approve treatments; all you can do is provide them with the best information to make their decision.

When treating risks and opportunities, there are some generic guidelines that can be followed to assist you in identifying a recommended approach.

For treating risks, the City has identified four acceptable methods:

- Tolerate: accept the risk, no action other than continual monitoring required.
- Mitigate: implement some type of treatment control to reduce or remove the risk. This may include but is not limited to options such as substitution, isolation, engineering or administration.
- Terminate: eliminate the risk completely by removing the asset or stopping the service.
- Transfer: allocate the risk to a third party (i.e. you could transfer the financial consequences of a risk by buying insurance).

For treating opportunities, the City has identified four acceptable methods:

- Ignore: do nothing but monitor the risk in case of improved Potential for Success.
- Exploit: eliminate the uncertainty and ensure that the opportunity will definitely happen. This may include but is not limited to options such as strengthening the cause by reinforcing any trigger conditions.
- Enhance: implement some type of response strategy that increases the probability of the occurrence and the potential benefits.
- Share: allocate the risk to a third party who is best able to maximise the probability of occurrence and the potential benefits.

Each risk should also be assigned a Responsible Officer. Whilst you are able to list more than one person, it is advisable for manageability to choose just one. The Responsible Officer will be the person who implements the treatment and reports back on its progress and effectiveness.

A timeline for implementation should also be determined. Based on the Level of Risk or Potential for Success determined during the Evaluate step, you should have a reasonable idea of the priority for putting a treatment in place. The higher the risk rating, the faster it should be attended to. However, the timeline needs to be realistic. If the treatment will require significant funding or resources, it may take time for the approval process. At your discretion, determine a timeline that takes both the severity and achievability into account.

Implementation timelines should be defined and recorded as one of the following:
- Within 1 month;
- Between 1 and 3 months;
- Between 3 and 6 months;
- Between 6 and 12 months; or
- More than 12 months.

Desired Outcomes for Treat the Risk:
- A completed Risk Treatment Plan.
- At least one risk treatment option for every identified risk that requires treatment.
- A Responsible Officer assigned to each risk.
- An implementation timeline for every identified risk that requires treatment.

3.7 Monitor and Review

Monitor and Review is not a one-off process step like the main five in the Risk Management Methodology. It is a continual process that is undertaken at every step to ensure the validity, timeliness and effectiveness of risks and their treatments.

The dynamic nature of risks and their environments means that a risk defined at the beginning of a process may have changed by the end of the process. It is therefore important to continually monitor and review risks to ensure their validity and status.

At each step, a review should be conducted to check that the risk still exists, that it is correctly worded, its rating is correct and/or its treatment is being implemented on time and is effective. When conducting these reviews, sometimes new risks will be identified. It is advisable to document any comments/changes identified during a Monitor and Review process to ensure all risks are auditable.

Desired Outcomes for Monitor and Review:
- Confirmed validity, timeliness and effectiveness of risks and their treatments.

3.8 Communicate and Consult

Communicate and Consult, like Monitor and Review, is not a one-off process step. It is a continual process that is undertaken throughout the entire risk management process to ensure the validity, transparency and accountability of risks.

Effective risk management is entirely dependent on strong buy-in. By continuously undertaking communication and consultation activities, particularly with those who will ultimately end up approving risk treatments, consistent buy-in can be maintained at any given step of the process.

At any stage of the process, internal or external SMEs or other types of stakeholders are likely to be engaged in the process. Their engagement provides the ability to maintain current knowledge in related areas to ensure that continual improvement can be included in the process.

Desired Outcomes for Communicate and Consult:
- Confirmed validity, transparency, and accountability of risks and their treatments.

3.9 Documenting Risks

As you have progressed through this Toolkit, it has been suggested that you use a Risk Register (see Table 12) and a Risk Treatment Plan (see Table 13) for documentation purposes. These tools are excellent temporary data stores but do not make for easy reporting.

Table 12: Risk Register
Objectives | Threats | Risks | Consequences | Likelihood | Risk Rating

Table 13: Risk Treatment Plan
Risk | Consequence | Likelihood | Risk Rating | Risk Treatment | Responsible Officer | Implementation Timeline

The City operates a software solution known as Interplan Risk Management Module (RMM). The RMM acts as a centralised Risk Register which allows you to record and manage your risks and their treatments. It also allows managers to run risk reports which can show implementation progress for treatments or residual risk ratings.

Once you have finalised your risks and their treatments, if you haven't already done so, transfer them into the RMM. If you do not know how to undertake that task, there is training available. Please contact the Risk Management Coordinator for further information.

3.10 Risk Reporting

Not all staff at the City will be required to understand or undertake all the steps in this Toolkit. Regardless of whether your job requires you to complete the whole risk process or not, there are two key things that every staff member must know about risk management: how to identify a risk and what to do once it's identified. These two things are very easy to achieve.

Risk identification that is not undertaken as part of a workshop where the objectives are clear is usually something seen whilst undertaking day-to-day duties. This may be something like an Occupational Health and Safety hazard or a process you are following that has a clear gap in it. Whatever the risk may be, identifying it in the field is just as valid a way to identify a risk as undertaking a risk workshop. The major difference here, however, is that you need to make sure something is done about it.

The second part of the process after identification is reporting. No matter how big or how small the risk is, if you identify it you cannot keep it to yourself. In some instances, like a safety hazard, you may be able to rectify the situation on the spot. That is always the best course of action. However, if you cannot fix it yourself, immediately report it to your supervisor. Reporting risks is extremely important.

Version: 1 Last Reviewed: 31 January 2014