Risk Management Framework. Group Risk Management Version 2

Transcription

1 Group Risk Management Version 2

2 RISK MANAGEMENT FRAMEWORK Purpose The purpose of this document is to summarise the framework which Service Stream adopts to manage risk throughout the Group. Overview The overall objective of Risk Management is to ensure that actual business performance meets or exceeds expected performance. Expected performance Risk appetite Expected financial result Expected OHS&E results Expected policy compliance Actual performance Actual risk profile Actual financial performance Actual OH&S performance Policy exceptions reported Philosophy The Group s overall philosophy to Risk Management is to: Be aware of what risks we as a Group are exposed to. Actively manage those risks that we do know about. Consider strategies for dealing with unexpected (i.e. Black Swan ) risk events. Approach The Group s general approach to Risk Management is to: Document what is expected and communicate this around the whole Group. Monitor what is being done and regularly report on performance against targets. Discipline consistently any exceptions to the required standards of corporate behaviour. Be consistent with the risk management message. Independently check key risk management activities and Take Nothing for Granted! Guidance The Group s has been based on: Risk Management Principles AS/NZS ISO 31000: 2009 Risk Management Principles & Guidelines Risk Management Tools Australian & New Zealand Standards - AS/NZS 4360:2004 Risk Management Page 2

3 Compliance Principles ASX Corporate Governance Principles and Recommendations 3rd Edition - Principle 7 Corporations Act Commonwealth State Based Occupational Health, Safety and Environmental Laws The risk management cycle Risk oversight Board approved risk appetite Reserve powers/delegations of authority Board approved risk management policies Risk management Risk identification/risk registers Assignment of risk management responsibilities Agreement on risk treatment and management plans Internal controls Monitoring of policy compliance Exception reporting and discipline Monitoring of residual risks and reporting Risk Oversight The Board is held to be ultimately responsible for managing the risks to the company and is the key determiner of what the company s Risk Appetite should be. In order to ease the supervisory work load the Board may split its risk oversight responsibilities between various Board Committees. The Charters of these Committees explain how specific risk issues are allocated amongst its members and how reporting to the full Board is undertaken. The Group has established: A Risk Management function that provides specialist support in the areas of enterprise risk management; and A National Safety and Compliance function that provides specialist support in the areas of HSE risks and compliance with quality systems and accreditation. Management The Board may delegate the day-to-day management of various risks issues to management. Management operates the business within the guidelines laid down within the Board s Reserve Powers, its Risk Management Policies and within the Delegation of Authority framework. Management regularly reports up through the organisation and ultimately to the Board on what the company s current risk profile actually is and what s being done to ensure on-going compliance with the Board s specified Risk Appetite. Page 3

4 Internal Controls Internal controls help ensure that what is supposed to be happening is actually happening. The Board s Reserve Powers specify what matters are for the Board to decide and what matters the company s management may decide without reference. The Board Policies explain on what basis the company is to be run and only the Board can authorise a change to Policy. Procedures can be written by management to explain how the company is to function on a day-to-day basis but they must be consistent with any relevant Board Policy. Compliance with both Policy and Group Procedures are monitored and exceptions reported to Senior Management and Board as appropriate. Components of the risk management cycle Board Approved Risk Appetite Risk Appetite refers to a Quantitative based statement as to the maximum amount of variance permitted from the required business performance. There may be separate Risk Appetites specified depending upon the specific type of risk issue being considered. For example: Financial Risk Appetites = Typically expressed as a $Dollar Value variance from the Budgeted Financial result (e.g. No more than a $5m variance from the Budgeted NPAT result is permitted). Operational Risk Appetites = Typically expressed in terms of 0 Deaths, No more than 100 hours Lost Time injury p.a. etc. Compliance Risk Appetite = No Exceptions to Policy Compliance during the year etc. Actual business performance or forecast performance worse than the specified Risk Appetite immediately becomes a reportable issue to the Chairman and /or full Company Board. Changes to a previously specified Board Risk Appetite can only be authorised by the full Company Board. Delegations of Authority and Reserved Powers Delegations of Authority must be documented and they must specify the duties and the financial or other authorities given by the Service Stream Limited Board to the Chief Executive Officer. The Chief Executive Officer may further delegate specific management responsibilities to direct reports and then onwards similarly down throughout all management layers. Whilst risk management tasks can be delegated down through the organisation the Legal & Regulatory responsibility for risk management practices will typically remain at the Company Officers and ultimately Director levels (as defined within applicable legislation). Below management levels Delegation of Authorities typically take the form of the duties allocated to a particular role in the Position Description. Compliance with the company Policies and Operational Procedures is expected and required of all staff levels. Monitoring of compliance, exception reporting and disciplining of breaches is expected to occur consistently at all levels of the organisation. Board Approved Risk Management Policies The Board s Risk Management Policy specifies the overall principles to be applied to managing business risks within the organisation. In addition to this overall Policy statement there are more detailed risk specific documented Policies and Procedures that provide specific guidance to management on key risk management issues (Treasury, Tax etc.) Page 4

5 Monitoring of Policy Compliance and Reporting Compliance with Delegations of Authority and Board Policies are monitored by the organisation and exceptions reported to the Senior Management and as required to the Board. In order to ensure an appropriate governance process there should be clear independence from the Operational management for the area tasked with the monitoring of compliance. Risk Identification Material Business Risks are those exposures that could have a serious impact on a company s business performance if they eventuate and not just in financial terms. Such risks include but are not limited to: Operational, Environmental, Sustainability, Compliance, Strategic, Ethical conduct, Reputation or brand, Technological, Product or service quality, Human capital, Financial reporting and typically also Market-related risks. Operational management or risk management specialists in a particular filed are typically the best placed to accurately identify and quantify the exposure to these particular types of risks. However, periodic review of the risk issues identified should be undertaken by senior management to check the completeness and accuracy of the initial risk assessments. Risk Registers Risk Registers are a valuable tool for recording risks and are normally constructed in table form, which allows for the documentation of the various risk issues in a clear, logical and structured format. The information typically recorded in the Register includes information on the: Name, Class or Type of risk issue Probability of the risk occurring within a specified time horizon Expected financial cost of the risk event before any specific risk treatment Expected $ Loss arising from a risk event occurring (i.e. probability x cost) Qualitative description of the expected impact on the company of the Expected Loss occurring Name of person who will be responsible for managing the risk issue Description on the Risk Management / Mitigation strategy to be undertaken Time by when risk management plan is implemented Due Date of next risk management status update Risk Registers can be created for a basic job function right up to for a whole Company. The higher up in the organisation a Risk Register represents the more important it is to have a ranking of risk issues in terms of actual impact so as to allow for prioritisation of the necessary risk treatment plans. For management purposes those risks that are currently rated outside the risk appetite statement should be prioritised and addressed the most urgently with other risks then as time and resources permit in order of severity. Risks are ranked in the Register in order of their Residual Risk Weighted Cost (i.e. Probability of Risk Occurring x Cost of Residual Risk Occurring) Residual Risk = Remaining risk exposure after the initial Risk Treatment Plan has been applied. To aid quick reference all risks identified are given also a Qualitative description of it s expected impact on the company. Page 5

6 Rating Impact Likelihood Insignificant Minor Moderate Major Catastrophic Almost certain Low Medium High Extreme Extreme Likely Low Medium High High Extreme Possible Low Medium Medium High High Unlikely Low Low Medium Medium High Rare Low Low Medium Medium High Risk Registers levels of the organisation will normally have different levels of sensitivity to the financial impacts of a risk issue in order to reflect their particular Risk Appetite levels. The Risk Adjusted $Dollar value of a Residual Risk exposure is however the key component referenced to when consolidating up the various different Risk Register levels in the organisation so as to ensure the consistency of Impact levels at higher levels in the organisation. Senior Management and the Board s time would normally only be directed at examining the Group level risks with an impact rating of at least HIGH or EXTREME. Assignment of Risk Management Responsibility The key to ensuring effective risk management is assignment of a risk treatment plan to an identified individual. The individual selected to manage a risk issue must be suitably qualified and experienced in that particular risk issue. Agreement to Risk Management Plans Due to the organisation s own finite resources and in some cases also external factors the risk treatment plans proposed by management may sometimes not be suitable or possible with the current operational capabilities. The higher up the risk weighting scale a risk issue, the higher up the organisation the approval of a risk management plan needs to be in order to ensure that all relevant matters have been actually considered. Risk management plans will normally have at least one of the following treatment characteristics: Risk Mitigation which aims to lessen the probability of the risk event actually occurring or lessen the consequences of the event (e.g. operational controls can reduce opportunities for certain risks actually occurring or Insurance whilst lessening the financial cost of a risk event after it occurs does nothing to stop the risk event from actually occurring); Risk Transfer which aims to transfer risk away from one party on to another (e.g. outsourcing arrangements, use of contractual liability and exclusion clauses etc) Risk Avoidance which aims to avoid risks entirely (e.g. not doing a particular type of work, divesting a business that causes the risk exposure to arise etc.) Few risk treatments occur at zero cost and as a consequence a risk adjusted calculation of the actual risk exposure is required so as to ensure that the Risk Treatment Plan proposed is not only effective but also that it is cost-effective. Page 6

7 Residual Risks Profile and Risk Exposure Reporting Once responsibilities for the management of a risk issue has been assigned ongoing monitoring of the risk management plan s implementation, the time to completion and the remaining level of residual risk exposures requires monitoring by a party reporting independently of the party that was originally assigned the risk treatment plan. The larger the residual risk exposure (on a risk weighted basis) the more senior should be the independent party assigned the risk review. Risks Profile assessments should occur for all new business proposals, new product introductions and business acquisition, divestments or merger proposals. Attachments Attachment 1: Risk Management Oversight Service Stream Limited (Group) Level 1 Board Service Stream Limited Board of Directors Level 2 Board Committees Audit and Risk Committee Safety Committee Level 3 Executive Management Managing Director Chief Financial Officer Managing Director EGM Human Resources Company Secretary and Group Risk Manager Level 4 General Management (reporting to CFO) General Manager Finance and Tax National Safety and Compliance function (reporting to EGM-HR) (reporting to CFO) Page 7

8 Attachment 2: Examples of Risk Metrics Table 1: Qualitative measures of consequence or impact Rating Detail description Service Stream Group Level Reputation and image Operational Financial Safety Environmental Severe Severe high profile adverse reporting, wide spread domestic and international multiple news items, Regulatory Body action, Government censure, immediate Loss of Govt related contracts Threatens the ongoing Operational viability of the Service Stream Group >$5m impact on EBIT Fatality or Serious injury requiring long term hospital treatment Major environmental pollution resulting in immediate EPA response Major High level public embarrassment, high profile national news story, Regulatory Body enquiry actions, Govt enquiries, Govt contracts become subject to review Threatens the ongoing Operational viability of a Service Stream company or Causes major disruption to Group Operations $2m < $5m impact on EBIT Serious injury requiring hospital treatment Environmental damage that is reportable to EPA Moderate Reporting or commentary in local press, Govt Bodies require notification, ongoing contracting impacted with 3rd parties Cause major disruption to a Business s operations $0.5m to $2m impact on EBIT Medical treatable injury or Registered lost time injury Contained localised Pollution but no EPA involvement required Minor No reporting in normal press but adverse on-line postings Impacts on the business efficiency but manageable internally to a business $0.1m to $0.5m impact on EBIT Report only - First Aid treatment Localised clean-up required Insignificant No media channel reporting No Material impact on a business manageable through routine operations < $0.100k impact on EBIT No reportable minor cuts, bruises or bumps Negligible environmental damage Page 8

9 Table 2: Qualitative measures of risk likelihood Rating Description Illustration Almost certain Likely Is expected to occur in normal circumstances Will probably occur in most circumstances Expected to occur at least once or multiple times during 1 year period Probably occur (>50%) chance of occurring at least once in a 1 year period Possible Should occur at some time May occur (< 50%) once during a 1 year period Unlikely Could occur at some time Not expected to occur during a 1 year period Rare May occur only in exceptional circumstances Not expected to occur Table 3: Heat map (significance of threat) Rating Impact Likelihood Insignificant Minor Moderate Major Catastrophic Almost certain Low Medium High Extreme Extreme Likely Low Medium High High Extreme Possible Low Medium Medium High High Unlikely Low Low Medium Medium High Rare Low Low Medium Medium High Page 9

10 Table 4: Risk treatment plan keys Risk level EXTREME HIGH MODERATE LOW Action Immediate reporting to the Chairman or full Board required Executive Management action immediately required Responsibility for Risk Treatment Plan allocated to the MD or a EGM Risk Remediation required BEFORE a project / contract can be commenced. Immediate / ongoing reporting to Senior and / or Executive Management required Senior and / or Executive Management action immediately required Responsibility for Risk Treatment Plan allocated to EGM or Senior Management Risk Treatment Plans and management responsibility allocated to a named individual. Periodic reporting to Management required Management level monitoring or action required on ongoing basis Responsibility for Risk Treatment Plan allocated to a Manager Risk Treatment typically by compliance with Board Policies or Standard Operating Procedures. Annual status update Exception reporting Compliance with Standard Operating Procedures Table 5: Risk treatment plan approaches Approach Avoid Reduce likelihood Reduce consequence Transfer Action Avoid the risk (e.g. not proceeding with an activity, don t bid for a Contract, divest a business) Reduce the likelihood of the risk event occurring (e.g. introduce Operational Controls) Reduce the consequences of the risk event occurring (e.g. put in place Insurance plan) Transfer the risk off to another party (e.g. Outsource work, Contractual legal terms, Limit liability) Retain Accept and retain risk (but must be matched with a risk management / treatment plan). APPROVED BY THE BOARD Page 10 This document remains the property of Service Stream Ltd and must not be copied, reproduced or distributed in any form by any other party without written permission