HSC Business Services Organisation Board

Transcription

1 Paper BSO 25/2009 HSC Business Services Organisation Board Risk Management 1. Purpose of this report The purpose of this report is to brief the Board on the BSO Risk Management process. 2. Background HSC Organisations are required to ensure that a independently assured risk management system is in place that conforms to the principles contained in AS/NZS 4360:2004, and which meets HSC and other requirements in respect of managing risks, hazards, incidents, complaints and claims. 3. Recommendation It is recommended that the Board approve the BSO Risk Management Process for adoption Enc 27 August 2009

2 Introduction The report gives an overview of risk management within the HSC. It outlines the HSC Controls Assurance process and details the baseline position of the legacy organisations that transferred to the Business Services Organisation. These factors have been taken into consideration when developing the BSO Risk Management process. The new process is described and the role and responsibilities of SMT and senior management have been outlined. HSC Risk Management HSC Organisations are required to ensure that a independently assured risk management system is in place that conforms to the principles contained in AS/NZS 4360:2004, and which meets HSC and other requirements in respect of managing risks, hazards, incidents, complaints and claims. There are 3 Core Controls Assurance Standards, Risk Management, Governance and Financial Management. The adoption of an Assurance Framework, to assist HSC Boards in the control of risks to strategic objectives, has been made mandatory from April Collectively they provide the basis for statutory reporting for the Statement on Internal Control. Risk management should be recognised within an organisation as an integral part of good management practice and should be part of the organisation s culture. It should be integrated into its philosophy, practices and business plans, and not be viewed or practised as a separate programme. When this is achieved, risk management becomes the business of everyone in the organisation. The design of a risk management system will be influenced by and tailored to the existing structure of the individual body, the services provided and the processes and specific practices followed. In addition to the organisation-wide system of risk management, the Department developed standards that focus on key areas of risk within the HSC and provide a vehicle for Accountable Officers to report the extent to which risk is being effectively controlled HSC Controls Assurance Standards The Standards are about identifying and applying best practice and offering assurance that we are doing our reasonable best to control the risks to the achievement of our objectives. There are 22 Controls Assurance Standards, all of which from 2008/09 require Substantive Compliance i.e. a score of 70%+ 2

3 The Standards applicable to the BSO are as follows, 1 Risk Management 2 Governance 3 Financial Management 4 Human Resources 5 Health & Safety 6 Emergency Planning 7 Records Management 8 ICT 9 Purchasing & Supply Management 10 Fleet & Transport Management 11 Fire Safety 12 Waste Management 13 Security Management 14 Buildings, Land & Equipment 15 Environmental Management For each of the aforementioned standards there is a guidance document that outlines the necessary requirements. Independent Assessment Each year the 3 Core Standards of Governance, Risk Management and Financial Management are independently assessed by Internal Audit along with 3 other Standards as determined by the Department. In 2009/10 the other Standards applicable to the BSO that will require independent assessment are Records Management and ICT. All other Standards are required to be undertaken and reviewed by self-assessment. The External Auditor as part of their annual audit undertake a review of the Controls Assurance Standards, in particular those that have been selfassessed and report on outcome in their Report to those charged with Governance. The BSO is required to submit all Controls Assurance Standards Assessment Scores to the Department and the Chief Executive must sign all score assessment forms. Legacy Baseline Position The legacy baseline position on Controls Assurance Standards is as follows 3

4 For Services that transferred from the Central Services Agency, substantive compliance was achieved on all of the 15 aforementioned standards. Internal Audit assessed compliance on governance, Risk Management, Financial Management, Records Management, Emergency Planning and SMT are informed of the Audit Recommendations. With particular reference to Risk Management, the principal recommendations centred on strengthening risk management process at directorate level and more focused reporting at corporate level. For Services that were transferred from the former Boards, i.e. Human Resources / Financial Transactions / Information Services, their host organisation achieved the substantive compliance level for the applicable service standard. For Services that transferred from HSC Trust i.e. Internal Audit there was no applicable service standard but as a service provider they would have been required to provide evidence for the three core standards, governance, risk management and financial management for their host organisation. For Services that transferred from DHSSPS i.e. Directorate of Information Service, HSC Pension Service and Counter Fraud, were not required to report adherence to Controls Assurance Standards. Compliance with standards, however, will not in itself provide all the necessary assurance about internal controls. The key to this is the organisation-wide system of risk management, fully embedded in the management activities of the Business Services Organisation. BSO Risk Management Process The BSO risk management process will build upon the work undertaken by the legacy organisations, paying particular importance to Audit recommendations made for the various Controls Assurance Standards. Reflecting the core principle that risk management should be embedded in the organisational management processes, SMT propose that the reporting arrangements should emerge from those processes, rather than be seen as a separate reporting tier. SMT propose that a reporting framework for risk management will be developed demonstrating how regular progress reports on each corporate risk will be made available to the Board directors will be required to define local risk management responsibilities within their directorate and be responsible for the management and update of their directorate risk register. 4

5 an accountable officer and lead officer will be nominated for all applicable Controls Assurance Standards risk management will be integrated into the planning process. Impact of risk management will focus in the interim and annual Statement on Internal Control SMT aim is to implement a risk management processes for identifying and evaluating risks associated with the various activities of the Business Services Organisation, assessing and addressing their impact and providing for appropriate disclosure of the progress made in managing the identified risks. It does not want to create a bureaucratic or mechanistic process but a culture whereby management and staff are aware that events or circumstances can / may occur which can prevent or adversely effect the management of planned outcomes and as such need to be carefully managed. The risk management process that is in operation from April 2009 to date is the process inherited from the legacy organisations, primarily the CSA. With the development of Corporate and Directorate Assurance Frameworks as part of the BSO Service Delivery planning process for 2009/10, it is now an appropriate time to align the risk management process to a process that is fit for purpose for the Business Services Organisation. BSO Risk Appetite The risk appetite will be expressed as a series of boundaries authorised by the Board and Senior Management Team, which gives each level of the Business Services Organisation clear guidance on the limits of the risk that is acceptable. D. Agree responses potentially including A. Define Risk Appetite reviewing risk appetite Strategic Set and communicate general tolerances for risk Programme Operational B Identify responses to mange risks C. Report risks outside tolerance level 5

6 SMT propose that the BSO Risk Appetite be defined as follows All risks will be assessed as to their likelihood and impact and classified in accordance with the Australian and New Zealand Standard, AS/NZS 4360 Risk Management. (See Appendix 1 &2) All risks outlined in the Corporate Assurance Framework (Strategic & Programme) will be transferred to the Corporate Risk Register and SMT will review for completeness, making amendments as required All risks outlined in the Directorate Assurance Framework (Operational) will be transferred to the Directorate Risk Register and Directors will review for completeness, making amendments as required. Any Directorate Risks classified as Extreme or High will be brought by the Director to SMT to be reviewed / assessed for inclusion in Corporate Risk Register if deemed appropriate. Action Plans will be developed for all risks classified as Extreme / High or Medium and progress monitored by SMT / Directors. All Risks will be assessed on a quarterly basis and risks escalated to/from respective registers accordingly. In accordance with departmental guidance the BSO Risk Management process will be based upon the Australian and New Zealand Standard, AS/NZS 4360 Risk Management, The BSO Risk Management Process is outlined in the schematic below Figure 1 6

7 INPUT Workshop for Board and SMT to agree Objectives and Risks BSO Risk Management Process BOARD Governance & Audit Committee Figure 1 OUTPUT Monthly Report at SMT Monthly Report at Directorate meetings Monthly Report at Team meetings R I S K O W N E R S SMT Directors Asst Directors Corporate Risk Register Annual Review Quarterly update of Risk Register Risk Treatment Plans /Quarterly Monitoring Controls Assurance Standards CAS Actions Plans / Assessment Directorate Risk Register Annual Plan Directorate Risk Quarterly update of Risk Register Risk Treatment Plans /Quarterly Monitoring Controls Assurance Standards CAS Action Plans / Assessment Operational Management of Individual Risks / Review of Controls Risk Documentation Team and Individual Performance Review 7

8 At the core of the process are the Risk Owners, and the development of Risk Registers At Corporate level, via SMT, Chief Executive& Directors will be responsible for the management of Corporate Risks, which will be recorded in the Corporate Risk Register. Each risk will be classified as to its impact/ likelihood of occurrence, have a risk owner and a treatment plan which will outline the action being taken/ to be undertaken to mitigate the risk. Nominated Risk Owners will report to SMT on progress against risk action plans on a monthly/quarterly basis. A review of all Corporate Risks will be undertaken on a quarterly basis. SMT will nominate Accountable Directors and lead officers for the applicable Controls Assurance Standards and will monitor progress against action plans. Terms of Reference will be developed to assist the Chief Executive and Directors to discharge their responsibilities with regard to risk management. SMT will oversee the development of a reporting framework for risk management, demonstrating how regular progress reports on each corporate risk will be made available to the Board / Audit Committee. The Governance and Risk Manager will maintain the Corporate Risk Register and will be responsible for the collating of information to support the risk reporting process. At Directorate level, via Directorate SMT, Directors and Asst Directors will be responsible for the management of risks at service level, which will be recorded in the Directorate Risk Register. Each risk will be classified as to its impact/ likelihood of occurrence, have a risk owner and a treatment plan which will outline the action being taken/ to be undertaken to mitigate the risk. Nominated Risk Owners will report to their Director progress against risk action plans on a monthly/quarterly basis. A review of all Directorate Risks will be undertaken on a quarterly basis. Terms of Reference will be developed to assist Directors and Assistant Directors to discharge their responsibilities with regard to risk management at Directorate level. SMT will oversee the development of a reporting framework for risk management at Directorate level so as to ensure that risk management is embedded within the BSO and that Directorates can demonstrate information to support the annually submission of the Risk Management Standard Each Directorate will be responsible for the maintenance and upkeep of Directorate Registers. Procedures and policies will be developed to support the risk management process as follows: 8

9 Risk Management Policy Risk Management Strategy & Action Plan for 2009/10 Risk Management Guide for Managers & Staff Assurance Framework Guide for Managers & Staff Risk Notification Forms, records any changes to risk registers The Governance and Risk Manager will prepare a business case for the implementation of DATIX, an automated risk management software package BSO Risk Register The BSO s Risk Register is an integral part of the Assurance Process and reporting thereof is the means by which the Board / Audit Committee / SMT can assess the effectiveness of the controls and assurances given for the management of the risks identified to the achievement of its objectives. The BSO Risk Register is managed at two levels Assurance Framework Reporting Ownership Corporate Risk Register Board Audit Committee SMT Directorate Risk Register Directors Asst Directors Senior Managers All Staff 1. Corporate Risk Register which quantifies strategic risks, outlines controls / assurances and action plan approved by the BSO Board to ensure the focused and effective management of these risks. It is comprised of principal risks that have been identified to the achievement of the BSO s Strategic Objectives. Corporate Risks are managed by SMT who will report monthly to the Board. 2. Departmental Risk Register, which quantifies all risks and sets out treatment plans and determines the residual risk that remain. It is 9

10 comprised of all the risks for each Directorate and it is the direct responsibility of the various Directors to mange the risks in their respective areas Corporate Risk Register The risks recorded on the Corporate Register are those that were identified in the Corporate Assurance Framework as presented in the BSO Service Delivery Plan for 2009/10. The risks identified are as follows: Risk No Risk Description 1 Inability to develop new structures 2 Inability to resource organisation 3 Inability to understand and meet customer requirements 4 Inability to deliver activity targets due to impact of RPA Vacancy Control 5 Inability to deliver services at expected quality levels 6 Inability to deliver services within expected costs as in accordance with agreed SLA s 7 Inability to deliver & promote performance management processes 8 Inability to respond to changes in service provision due to lack of finance 9 Inability to implement and deliver audit improvements including Controls Assurance Standards 10 Inability to implement new business processes / improved business processes 11 Inability to provide support and influence development of the Finance and Supplies Replacement Systems replacement project 12 Inability to roll out UNITAS Project 13 Inability to develop new contract portfolios and improved business arrangement to benefit the HSC 14 Inability to harness new technology 15 Inability to learn from incidents / complaints 16 Inability to determine suitable organisation for benchmarking and inability to carry out benchmarking exercise 17 Inability to engage with stakeholders to monitor performance 18 Inability to engage with Customers 19 Inability to deliver AFC completion within relevant timescales and ensure that staff have appropriate job descriptions 20 Inability to achieve Breakeven 10

11 21 Inability to deliver savings in accordance with departmental instruction 22 Inability to deliver 7m HSC Procurement Savings for Inability to identify training needs and develop appropriate training plans 24 Inability to implement, regularly undertaken staff performance appraisal Following the board approval of this approach it is the intention that SMT will review these risks taking account the likelihood and the impact / consequences if the risk did occur. In addition SMT will take a critical review of the risks to ensure that they are still current and appropriate. At this point it may be likely that additional risks will be identified given that the SMT are now more informed, compared to when the SDP was initially constructed, and as the external and internal environment will have developed considerably. The completed Corporate Risk Register will be presented to the Board in September The template that will be used is presented (Appendix 3) 11

12 Appendix 1 BSO Risk Score Matrix Low *RISK RATING CLASSIFICATION Medium Total Impact Catastrophic 20 Major 16 Moderate 12 Minor 8 Insignificant 4 High High Extreme Extreme Extreme High High High High Extreme Medium Medium Medium Medium High Low Low Low Medium Medium Low Low Low Low Low High Extreme Rare Unlikely Possible Likely Almost Certain LIKELIHOOD SCORE = LIKELIHOOD X (QUALITY + FINANCIAL CONSEQUENCES + REPUTATION + LITIGATION) Total Impact Catastrophic Major Moderate Minor Insignificant Rare Unlikely Possible Likely Almost Certain * in accordance with AS/NZS 4360:2004 guidance LIKELIHOOD 12

13 CATEGORIES OF RISK IMPACT Category Quality Financial Consequences Reputation/ Publicity Insignificant (1) Minor non-compliance Negligible financial loss Within unit Local press < 1 day coverage Minor (2) Single failure to meet internal standards Moderate (3) Repeated failures to meet standards Major (4) Serious failure to meet standards Low financial loss Local press < 7 days coverage Medium financial loss National media < 3 days coverage Department executive action High financial loss National media > 3 days coverage Litigation Appendix 2 Minor out-of-court settlement Civil Action Class Action Criminal prosecution Criminal prosecution no defence Catastrophic (5) Gross failure to meet standards Questions in the House/Assembly Extreme financial loss Full Public Enquiry Executive officer fined or imprisoned. QUALITIVE MEASURES OF LIKELIHOOD CODE DESCRIPTOR DESCRIPTION 1 Rare The event may only occur in exceptional circumstances 2 Unlikely The event could occur at some time 3 Possible The event might occur at some time 4 Likely The event will probably occur in most circumstances 5 Almost certain The event is expected to occur in most circumstances 13

14 BSO Corporate Risk Register Appendix 3 Objective 1. To develop the organisation from the legacy structures into an effective and efficient Business Services Organisation Risk No. Principal Risk as outlined in Assurance Framework 1 Inability to develop new structures 2 Inability to resource organisation 3 Inability to understand and meet customer requirements Likelihood Impact (Q+F+R+L) Quality Financial Consequences ReputationLitigation Score Rating Controls In Place Risk Owner All of the 24 corporate principal risks are directly linked to corporate objectives and will be allocated a risk owner from SMT who will be charged with completing a Risk Treatment form, which will outline how they propose to manage the risk. Identifying any further actions to be undertaken, by whom and by when. Risk owners will report to SMT whom will monitor progress on risk action plans on a monthly basis. Definition of Likelihood and Impact is presented. (Appendix 1) Risk Rating Classification is presented. (Appendix 2) in accordance with AS/NZS 4360:2004 guidance A Risk Treatment form for Corporate Risk No 1 is presented. (Appendix 4) 14

15 BSO Corporate Risks: Treatment Plans Appendix 4 Corporate Risk No 1 Risk Assessment (Mitigated by Current Controls) Inability to develop new structures Likelihood Severity Risk Priority Source Corporate Assurance Framework Risk Owner Chief Executive Risk Managed? Fully Partially Not Managed Specific Objectives Impacted by the Risk Implications if the Risk Occurs To develop the organisation from the legacy structures into an effective and efficient Business Services Organisation BSO will not achieve its objectives Potential Root Causes of the Risk How is the Risk / Root Cause Currently Managed RPA Management of process by Senior Management Team Ability to appoint Tier 3 & Tier 4 post holders Additional Actions to Manage the Risk / Root Cause Responsibility Est Date Level of Risk (when treated) Develop BSO Reconfiguration plan SMT Monitoring of BSO Reconfiguration Plan on monthly basis Monthly Progress Report to BSO Board CX / SMT CX / SMT CX / SMT May 09 Apr -March 10 Apr -March 10 15