Kidsafe NSW Risk Management Plan. August 2014

Transcription

1 Kidsafe NSW Risk Management Plan August 2014

2 Document Control Document Approval Name & Position Signature Date Document Version Control Version Status Date Prepared By Comments Document Reviewers Name & Position Signature Date Kidsafe NSW Risk Management Plan Page 2 of 22

3 Contents Page 1. I N T R O D U C T I O N Purpose Scope R I S K M A N A G E M E N T P R O C E S S What is Risk Management? Risk Management in Practice C O N T I N U A L I M P R O V E M E N T O F T H E R I S K F R A M E W O R K R E V I E W A N D A P P R O V A L A P P E N D I X A R I S K R A T I N G C R I T E R I A A P P E N D I X B R I S K R E G I S T E R T E M P L A T E 1 8 A P P E N D I X C R I S K E V E N T R E G I S T E R T E M P L A T E A P P E N D I X D N E W A N D E M E R G I N G R I S K S T E M P L A T E A P P E N D I X E D E F I N I T I O N S A P P E N D I X F R E L A T E D P O L I C I E S A N D D O C U M E N T S Kidsafe NSW Risk Management Plan Page 3 of 22

4 1. Introduction 1.1 Purpose The Risk Management Plan has been developed to support Kidsafe NSW in managing risk across the organisation including: The process to identify, assess, treat, monitor and review risks. The criteria for assessing risk, including evaluation of controls. Guidance for the documentation, reporting and escalation of risks. 1.2 Scope The Procedure complies with the follow guidance and is applicable to all employees of Kidsafe NSW: Kidsafe NSW Risk Management Plan Page 4 of 22

5 2. Risk Management Process 2.1 What is Risk Management? Risk is defined as the effect of uncertainty on objectives (ISO 31000:2009). Risk management is a set of coordinated activities that enables the identification and management of risk in a consistent, systematic, credible and timely manner. The purpose of risk management is to minimise the impact of uncertainty and undesirable events on operations and to provide adequate information to enable effective decision making and the protection of value. 2.2 Risk Management in Practice A risk management process is a systematic application of management policies, procedures and practices to the activities of communicating and consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk. This Procedure is structured in accordance with the process defined in ISO 31000:2009 and detailed below in Figure 1. Figure 1: Kidsafe NSW - Risk Management Process Communication and Consultation Communication and consultation with external and internal stakeholders is an ongoing activity which should be conducted across all stages of the risk management process. It will enable the provision, sharing and obtaining of risk information and will ensure that stakeholders understand the basis upon which decisions are made, and the reasons why particular actions are required. Kidsafe NSW Risk Management Plan Page 5 of 22

6 2.2.2 Establishing the Context This step considers both the external and internal parameters to be taken into account when identifying and managing risk, and sets the scope and risk criteria for the remaining process. The external context can include, but is not limited to: The social and cultural, political, legal, regulatory, financial, technological, economic and competitive environment. Key drivers and trends having impact on the objectives of Kidsafe NSW. Relationships with, perceptions and values of external stakeholders. The internal context can include, but is not limited to: Kidsafe NSW s governance, organisational structure, roles and accountabilities. Policies, objectives, and the strategies that are in place to achieve them. Capabilities in relation to resources and knowledge. The relationships with and perceptions and values of internal stakeholders and the organisational culture Risk Identification Risk identification involves identifying sources of risk, areas of impact and causes and potential consequences of risks. The aim of this step is to generate a comprehensive list of risks based on those events which might create, enhance, prevent, degrade, accelerate or delay the achievement of Kidsafe NSW s strategic objectives. Kidsafe NSW is required by to assign identified risk to a risk category, in line with their Risk Categories. These are contained in Appendix A of this procedure, to assist in identifying sources of risk. Additional methods of identifying risk include: A structured brainstorming session based on the risk categories listed in Appendix A. Review of past events. Review of external and internal audit report. Consideration of community/ client complaints. Results from monitoring activities. Benchmarking with competitors. Advice from external experts. Focus group discussions (facilitated internally or externally) where more detailed discussions are held relating to risk. To assist in the clarity, consistency, and comparability of risks identified, Kidsafe NSW will capture risk information in the Kidsafe NSW Risk Register Template defined in Appendix B of this Procedure. The structure of the Kidsafe NSW Risk Register is compliant with the requirements of the QIC Standards. Each risk record documented in the risk register should include the following details: Unique risk identification number The linkage of the risk into the Kidsafe NSW Strategic Direction. The Kidsafe risk category to which the risk pertains. The assigned risk owner. The date on which the risk was raised. A description of the nature of the risk. The causes which might give risk to the risk. The potential consequences of the risk. The nature of existing controls currently in place. The above requirements are documented in the Kidsafe NSW Risk Register Template which is provided in Appendix B of this Procedure. Kidsafe NSW Risk Management Plan Page 6 of 22

7 2.2.4 Risk Analysis Risk analysis is the process to comprehend the nature of the risk and to determine the level of risk. The assessment process involves a consideration of the risk criteria in terms of likelihood and consequence. Existing controls and their effectiveness should also be taken into account. The risk analysis process involves the assignment of an overall residual risk rating for each risk documented in the risk register through the following steps. Inherent risk determine the likelihood and consequence of a risk event if it were to occur in the absence of controls. Identify and assess controls identify the existing controls in place to address the risk and assess how effectively these are in operation. Residual risk rating determine the likelihood and consequence of a risk event, taking into consideration the effectiveness of the control environment. To support employees in the analysis of risk, Kidsafe NSW has adopted standardised risk rating criteria to be applied across the organisation. Step 1: Inherent Risk Considerations Consideration should be given to the likelihood and consequence of a risk occurring, in the absence of existing controls. The inherent nature of the risk event will facilitate an understanding of the extent of controls or treatment plans required to mitigate the risk to an acceptable level. For each risk identified, the inherent likelihood, consequence and overall risk rating should be documented in the Kidsafe NSW Risk Register. The Kidsafe NSW risk tolerance level should also be recorded in the Kidsafe NSW Risk Register. Step 2: Identify and Assess Controls A control is any process, policy, device, practice, or other actions that modify a risk. There may be one or more existing controls in place to prevent, detect and mitigate the identified risk. For each control identified the following should be recorded in the Kidsafe NSW Risk Register: A control description which succinctly describes the action used to modify the likelihood or the consequence of the risk. A control owner should be assigned. An assessment of the operating effectiveness of controls should be determined on a holistic basis, using the criteria set out in Appendix A. Step 3: Residual Risk Rating The residual risk rating will be determined by combining the likelihood and consequence of the risk taking into account the effectiveness of existing controls: Likelihood refers to the chance of something happening. The Kidsafe NSW risk likelihood criteria is outlined in Appendix A. Consequence refers to the outcome of an event affecting objectives. This should be quantified based on the most credible (not the worst case) impact of the risk. The consequence criteria provided in Appendix B provides guidance on the indicative consequence for risks and has been developed with consideration to Kidsafe NSW s Risk Appetite. Kidsafe NSW Risk Management Plan Page 7 of 22

8 2.2.5 Risk Evaluation The purpose of risk evaluation is to assist in making decisions around which risks require further treatment, based on the outcomes of the risk analysis. Risk evaluation will enable the prioritisation of risk treatments and the direction of resources towards high priority risk areas. Kidsafe NSW has adopted the following matrix to guide the actions required for risks based on their overall residual risk rating. Rating Description Catastrophic High Moderate Minor Risks to be escalated to the Council and Governance Committee. The Executive Oficer will escalate all Catsstrophic, High and Moderate rated risks to the the Council and Governance Committee. Risk treatment plans should be developed and directed towards reducing the severity of the risk. Risk owners should be assigned to perform ongoing monitoring of the progress of risk treatment plans. Monitoring should occur on a monthly basis. Risks should be managed within the Executive Oficer s capability and business operations. Risk treatment options should be identified and risk owners assigned. Risks should be monitoring on an ongoing basis. Insignificant Accept risk/ monitor and review through standard management processes. During the implementation of the Kidsafe NSW Risk Management Framework, the Executive Officer may determine that it is necessary to escalate medium and insignificant rated risks to the Council or Governance Committee. The decision to do so remains at the discretion of the Executive Officer. The level of the organisation to which the risk should be escalated should be documented in the Kidsafe NSW Risk Register. Target Risk Rating The target risk is a desired level of risk that is achieved through implementation of risk treatments to reduce unacceptable risk levels (e.g. high and extreme risks) to an acceptable level. The target risk rating is achieved once treatment plans have been fully developed and implemented (refer to Section for further detail). This may require further action if the initial controls, once fully developed and implemented, do not achieve the desired outcome or target risk rating. The target risk rating taking into consideration the impact of risk treatment plans should be recorded in the Kidsafe NSW Risk Register. Kidsafe NSW Risk Management Plan Page 8 of 22

9 2.2.6 Risk Treatment Risk treatment involves selecting one or more options for addressing and modifying risk, and implementing those options. Risk treatment involves a cyclical process of: Assessing a risk treatment. Deciding whether residual risk levels are tolerable. If not tolerable, generating a new risk treatment. Assessing the effectiveness of that treatment. Risk treatment options are not mutually exclusive or appropriate in all circumstances. A number of treatment options can be considered and applied either individually, or in combination. Treatment options can include: Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk. Taking or increasing the risk in order to pursue an opportunity. Removing the risk source. Changing the likelihood. Changing the consequences. Sharing the risk with another party or parties (including contracts and risk financing). Retaining the risk by informed decision. Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived. When selecting risk treatment options, Kidsafe NSW should consider the values and perceptions of stakeholders and the most appropriate ways to communicate with them. Though equally effective, some risk treatments can be more acceptable to some stakeholders than to others. Risk treatment plans should be developed for all risks with a residual risk rating of medium to extreme. However, treatment plans for extreme and high risks should include: Details of the treatment plan selected including expected benefits to be gained, the resource requirements and performance measures and constraints. The treatment owner responsible and accountable for implementing the treatment plan. The target resolution date for monitoring and reporting requirements. Status update and progress of actions undertaken against the treatment plan. The above detail should be recorded in the Kidsafe NSW Risk Register. Kidsafe NSW Risk Management Plan Page 9 of 22

10 2.2.7 Monitoring and Review Both monitoring and review should be a planned part of the risk management process, and should involve regular checking and surveillance. Kidsafe NSW s monitoring and review process should encompass all aspects of the risk management process for the purpose of: Ensuring that controls are effective and efficient in both design and operation. Obtaining further information to improve the risk assessment process across the organisation. Analysing and learning lessons from events (including near-misses), changes, trends, successes and failures. Detecting changes in the external and internal context, including changes to the risk criteria and the risk itself which can require revision of risk treatments and priorities. Identifying new and emerging risks. Kidsafe NSW s monitoring and review requirements are outlined in the table below. Activity Requirements Frequency The Council Risk Register Review On a six-monthly basis the Council should review the content of the Kidsafe Risk Register to ensure that it accurately reflects the organisation s Risk Profile. On a monthly basis all additions to the Risk Register should be reviewed by The Council. This review should include the appropriateness of the assigned risk rating and the risk treatment plan. Six-Monthly/ Monthly Governance Committee Risk Register Review On a six-monthly basis each Governance Committee member should review the content of the Risk Register to ensure that it accurately reflects the Risk Register. Six-Monthly A report will be prepared for the Council and Governance Committee on a quarterly basis which details: Sumary of new and emerging risks identified subsequent to the previous meeting. Executive Officer Review All Catastrophic, Major and Moderate rated risks identified across the organisation. Quarterly All movements in the rating of Catastrophic, Major and Moderate rated risks across theorganisation All risk events with consequence ratings of Catastrophic, Major and Moderate. Kidsafe NSW Risk Management Plan Page 10 of 22

11 2.2.8 Escalation Risk Event Escalation An event is referred to an occurrence or changes of a particular set of circumstances. An event without consequences can also be referred to as a near miss, near hit or close call. When an event occurs, the following escalation process should be followed. It is the responsibility of all employees to escalate events to the Excutive Officer. Upon receiving the relevant information from the employee, the Executive Officer will assign a consequence rating to the event, using the Kidsafe NSW Risk Matrix. The Executive Officer will escalate the event to the Governance Committee and / or The Council. All events will be reported to the Governance Committee and / or The Council. Where the consequence of the event is Catastrophic, Major and Moderate (in accordance with the Kidsafe NSW Risk Consequence Criteria) the event will be reported to the Governance Committee and / or The Council. Upon reviewing the event, the Executive Officer will escalate events with a Catastrophic, Major and Moderate consequence to the Governance Committee and The Council Events should be captured in the Kidsafe NSW Event Register contained in Appendix C of this Procedure. New and Emerging Risks Emerging risks are newly developing or changing risks which are often difficult to quantify and may have a substantial impact on the business. New and emerging risks that are considered Catastrophic, Major and Moderate will be escalated through the standard risk escalation process detailed in Section Ongoing monitoring of new and emerging risks should be reported in accordance to the requirements set out in Section Details of new and emerging risks that are required to be escalated and/ or reported should be documented in the Kidsafe NSW New and Emerging Risk Register detailed in Appendix D. Kidsafe NSW Risk Management Plan Page 11 of 22

12 3. Continual Improvement of the Risk Framework Kidsafe NSW is committed to an annual review of its risk management framework to ensure that risk management is effective and continues to support organisational performance. The Council and Governance Committee will monitor and evaluate Kidsafe NSW s performance in relation to risk management. This will be informed by the following periodic reviews: Evaluation of the effectiveness and alignment of the Kidsafe NSW Risk Management Plan (e.g. against better practices). Engagement with key stakeholder to confirm that risk management and reporting is relevant and meet informational requirements. Assessment of the awareness of management and staff in relation to their risk management responsibilities (e.g. through Performance Planning and Development). Review of training and development needs of managers and staff in relation to their risk management responsibilities. Review of the completeness and currency of risk registers across all categories of risk. The results of reviews will be used to inform decisions relating to how the Risk Management Plan can be improved to support the management of risk and an improved risk management culture across Kidsafe NSW. Kidsafe NSW Risk Management Plan Page 12 of 22

13 4. Review and Approval This Risk Management Plan will be reviewed annually, or more frequently as required, in accordance with The Council and Governance Committee s review and approval. Kidsafe NSW Risk Management Plan Page 13 of 22

14 Appendix A Risk Rating Criteria Likelihood Rating: Use the table below to determine the likelihood of the risk occurring. Likelihood Description Probability Rare Only occurs in exceptional circumstances < 5% Unlikely May occur at some time 5% - 40% Possible Should occur at some time 40% - 70% Likely Will probably occur 70% - 95% Almost certain Expected to occur in most circumstances or occurs regularly > 95% Control Effectiveness: Rank the effectiveness of the current controls to prevent, detect and mitigate the risk. Control Effectiveness Ineffective Partially effective Effective Description The control design does not meet the control objective/ and or the control is not applied or is applied incorrectly. The control design meets the control objective and the control is normally operational but occasionally is not applied w hen it should be, or not as intended. The control design meets the control objective and the control is operating the majority of the time Kidsafe NSW Risk Management Plan Page 14 of 22

15 Consequence Table: Rank the risk based on the consequence if the risk were to occur. Impact Catastrophic Major Moderate Minor Insignificant Strategic Non-achievement of strategic objectives Limited achievement of strategic objectives Reasonable achievement of the strategic objectives Achievement of most of the strategic objectives Achievement of almost all of the strategic objectives Legal & compliance Non-compliance with majority of the legislations and standards. Deregistering Kidsafe NSW as a business entity and charity organisation Non-compliance with significant legislations and standards. Fines and penalties levied against Kidsafe NSW Non-compliance with some of the legislations and standards. Fines and penalties levied against Kidsafe NSW Compliance with most of the legislations and standards Compliance with almost all the legislations and standards Financial Zero funding and reserved funds do not cover provisions for debts and operating costs. Actual deficit > $ 500,000 Zero funding and reserved funds do not cover provisions for debts and operating costs. Actual deficit > $ 250,000 Reduced funding and reserved funds do not cover provisions for debts and operating costs. Actual deficit > $ 100,000 Reduced funding and reserved funds reasonably covers provisions for debts and operating costs. Actual deficit < $ 90,000 Funding and reserved funds cover provisions for debts and operating costs. Actual deficit < $ 10,000 Reputation Continuous negative national media attention affecting Kidsafe brand reputation Negative national media attention affecting Kidsafe brand reputation Some negative national / state media attention affecting Kidsafe brand reputation Localised negative media attention affecting Kidsafe brand reputation Localised negative attention because of poor service delivery Business Continuity Complete loss of operational capacity and facilities Significant loss of operational capacity and facilities Some loss of operational capacity and facilities Minimal loss of operational capacity and facilities Insignificant loss of operational capacity and facilities Kidsafe NSW Risk Management Plan Page 15 of 22

16 Impact Catastrophic Major Moderate Minor Insignificant Safety Death / significant injury of staff, visitor, volunteer or client at Kidsafe activities and onsite Serious injury of staff, visitor, volunteer or client at Kidsafe activities and onsite resulting in hospitalisation and permanent incapacitation Serious injury of staff, visitor, volunteer or client at Kidsafe activities and onsite requiring hospitalisation and long term rehabilitation Injury of staff, visitor, volunteer or client at Kidsafe activities and onsite requiring first aid or medical attention Minor injury of staff, visitor, volunteer or client at Kidsafe activities and onsite requiring basic first aid Operational Inability to deliver all of the contractual obligations and Kidsafe services within the agreed timeframes Inability to deliver majority of the contractual obligations and Kidsafe services within the agreed timeframes Inability to deliver some of the contractual obligations and Kidsafe services within the agreed timeframes Inability to deliver minor components of the contractual obligations and Kidsafe services within the agreed timeframes Minimal impact on contractual obligations and Kidsafe services People Significant loss of key staff and Council with no contingency/ succession plan in place affecting capacity to deliver strategic KPIs Loss of key staff and Council members with no contingency/ succession plan in place affecting capacity to deliver strategic KPI's Inadequate contingency / succession plan in place to deliver strategic KPI's Adequate contingency / succession plan in place to deliver strategic KPI's Minimal impact on service delivery and achievement of strategic KPIs Kidsafe NSW Risk Management Plan Page 16 of 22

17 Risk Rating: Combining the Likelihood and Consequence will provide a risk rating in accordance with Kidsafe NSW Risk Matrix detailed below. CONSEQUENCE Catastrophic Major Moderate Minor Insignificant Almost certain A D J P S Likely B E K Q T LIKELIHOOD Possible C H M R W Unlikely F I N U X Rare G L O V Y Legend Risk Rating High Significant: Medium Low A - E F K L R U - Y Kidsafe NSW Risk Management Plan Page 17 of 22

18 Appendix B Risk Register Template Please refer to the Kidsafe NSW Risk Register Template contained in Microsoft Excel for additional details. Kidsafe NSW Risk Management Plan Page 18 of 22

19 Appendix C Risk Event Register Template Event ID Risk Category Location Date Event Description Cause Consequence Description Consequence Classification Actions / Status / Timing E.001 E.002 E.003 E.004 E.005 E.006 Kidsafe NSW Risk Management Plan Page 19 of 22

20 Appendix D New and Emerging Risks Template Risk Category Date Raised Risk Description Causes Consequences Actions Kidsafe NSW Risk Management Plan Page 20 of 22

21 Risk Management Procedure Appendix E Definitions Term Communication and Consultation Consequence Control Establishing the Context Event External context Internal context Level of Risk Likelihood Monitoring Residual risk Review Risk Risk Analysis Risk Assessment Risk Criteria Risk Evaluation Risk Identification Risk Management Risk Management Framework Risk Management Process Risk Profile Risk Treatment Stakeholder Definition Continual and iterative processes that an organisation conducts to provide, share or obtain information and to engage in dialogue with stakeholders regarding the management of risk. Outcome of an event affecting objectives. Measure that seeks to address, modify or mitigate risk. Defining the external and internal parameters to be taken into consideration when managing risk, and setting the scope and risk criteria for effective risk management. Occurrence or change of a particular set of circumstances. An event without consequences can also be referred to as a near miss, near hit or close call. External environment in which the organisation seeks to achieve its objectives. Internal environment in which the organisation seeks to achieve its objectives. Magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood. Chance of something happening. Continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected. Risk remaining after risk treatment. Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objective. Effect of uncertainty on objectives. Process to comprehend the nature of risk and to determine the level of risk. Overall process of risk identification, risk analysis and risk evaluation. Terms of reference against which the significance of a risk is evaluated. Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/ or its magnitude is acceptable or tolerable. Process of finding, recognising and describing risks. coordinated activities to direct and control an organisation with regard to risk Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation. Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk. Description of any set of risks. Process to modify or mitigate risk. Person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity. Kidsafe NSW Risk Management Procedure Page 21 of 22

22 Risk Management Procedure Appendix F Related Policies and Documents Issuer Reference Document Name Kidsafe NSW Risk Register Kidsafe NSW Risk Management Procedure Page 22 of 22