Policy Number: 040 Risk Management August 2018

Transcription

1 Policy Number: 040 Risk Management August 2018

2 Policy Details 1. Owner Manager, Business Services 2. Compliance is required by Staff, contractors and volunteers 3. Approved by The Commissioner 4. Date created February Date of this review August Next review due July Driver NSW Treasury Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 15-03) 8. References NSW Treasury Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 15-03) NSW Treasury Risk Management Toolkit for NSW Public Sector Agencies ISO 31000:2009 Risk Management Principles and Guidelines 9. Contact Officer/Maintained by Corporate Governance Officer who monitors changes to legislation, policies and procedures and recommends any amendment to the Risk Management Policy 10. Search terms Risk, likelihood, consequence 11. Compliance assurance method By incident monitoring 12. Policy Document location TD14/482 Policy The Mental Health Commission of NSW complies with the NSW Treasury Internal Audit and Risk Management Policy for the NSW Public Sector ( TPP ). TPP sets out principles and core requirements to guide agencies in the fulfilment of their legislative obligation under section 11 of the Public Finance and Audit Act 1983, that is, that an agency establish and maintain an effective internal audit function. Principle 1 of TPP relates to risk management: The agency has a risk management framework in place that supports the agency to achieve its objectives by systematically identifying and managing risks to: Increase the likelihood and impact of positive events Mitigate the likelihood and impact of negative events Core Requirements 1.1 and 1.2 stem from this principle: Core Requirement 1.1 The Commissioner is ultimately responsible and accountable for risk management in the agency. Core Requirement 1.2 A risk management framework that is appropriate to the agency has been established and maintained and the framework is consistent with AS / NZS ISO 31000:2009. Staff, contractors and volunteers at the Commission must comply with the policy and procedures. The Commission has established a risk management framework to assist the management of its fiscal, environmental and social responsibilities and the successful delivery of its results and services and obligations under the NSW State Plan and its enabling legislation.

3 The Commission has developed a risk management framework and operational model to provide for effective and consistent risk management across the whole organisation. It includes a risk register that is used to record, rate, monitor and report risk and risks are managed and escalated using structured processes at all business unit levels. The Commission also has an established process for monitoring and reviewing risk control and governance systems. Risk Management Framework The framework and operational model establishes risk management as an integral part of the Commission s management to achieve organisational objectives and complies with the international standard AS/NZS ISO 31000:2009. Purpose The Commission has developed a framework and process to provide for effective and consistent risk management across the whole organisation. Pursuant to AS/NZS ISO 31000:2009, the framework provides for a structured, consistent and continuous process across the whole organisation for identifying, assessing and deciding on responses to and reporting on opportunities and threats that affect the achievement of objectives. Specifically, the framework: Assists in strategic decision making by providing a basis for identifying and controlling factors which may impact on the achievement of organisational objectives; Enhances the safety of staff, members of public and clients involved in the work of the Commission; Provides a basis for responsible risk taking to enable and encourage innovation; Provides assurance that organisational objectives will be achieved within an acceptable degree of risk; Provides a basis for demonstrating due diligence in the event of adverse outcomes. Risk Management at the Commission Under AS/NZS ISO 31000:2009, risk is defined as the effect of uncertainty on objectives. The framework and operational model divides risk into 2 major categories of strategic risk and operational risk. Strategic risks are those risks associated with poor business decisions or external influences that are beyond the control of the Commission s Management and may include: Changes in the government disposition to the Commission s objectives Implementation of a major business initiative with significant financial impacts Sustained economic downturn. Operational risks are those risks associated with inadequate or failed internal processes, people or systems, or from external events. Operational risks include those risks associated with individual projects and activities undertaken by the Commission. Examples of operational risks are: Internal Fraud - misappropriation of assets, bribery External Fraud- theft of information, hacking of IT systems and electronic data, theft and forgery Employment Practices and Workplace Safety - discrimination, workers compensation, employee health and safety Clients, Products, & Business Practice - market manipulation, improper trade, product and service defects, fiduciary breaches Damage to Physical Assets - natural disasters, vandalism, terrorism, accident

4 Business Disruption and Systems Failures - utility disruptions, software failures, hardware failures Execution, Delivery and Process Management - data entry errors, accounting errors, failed mandatory reporting. AS/NZS ISO 31000:2009 provides a generic process (fig.1) for managing risk within an organisation. The framework and operational model complies with this process. Figure 1: Commission s Risk Management Process Establish the Context Risk Identification Risk Analysis Communication and Consultation Risk Evaluation Monitoring and Review Risk Treatment The Commission establishes the corporate risk appetite by setting the risk boundaries, ratings and reporting requirements under the framework (tables 1-4).

5 Risk Management Framework The risk categories under the framework identify the context within which the Commission manages risk and accounts for both internal and external factors affecting the ability of the Commission to deliver on its corporate objectives. Preliminary risk categories under the framework include: Financial and Economic Health and Safety Reputation Political Environment Compliance. AS/NZS ISO 31000:2009 provides for risks to be analysed and scaled according to likelihood and consequence. The framework provides boundaries defining the likelihood and consequence of risk as follows. Table 1: Likelihood of risk definitions Rating Almost Certain Likely Possible Unlikely Rare Likelihood of Occurrence (Qualitative) Occurs regularly; expected to occur in most circumstances Will probably occur May occur at some time Doubtful that it will occur May occur only in exceptional circumstances Likelihood of Occurrence (Quantitative) The risk may occur several times over a short period, say 6 months The risk may occur once or twice a year The risk may occur once in a period of several years The risk which is yet to occur but could occur over time The risk that is relatively unknown and has not been experienced to date

6 Table 2: Consequence of risk definitions Consequence Risk: Insignificant Minor Moderate Major Significant Financial and Economic (including assets) Impact on budget insignificant and managed within discretionary limits of single business portfolio Less than $1k Impact on budget is managed within discretionary limits of single business portfolio unit budget less than$10k Impacts budget at Division level Significant impact on organisational contingency between $10K-$50K Impact exceeds MHC s contingency capacity Additional funding necessary over $50K Impact exceeds MHC s contingency capacity. Additional funding necessary over $100k Insignificant loss/damage to assets- no redirection of existing budget required. Loss/damage to assets may require redirection of existing budget Loss /damage to significant items of critical plant & equipment requiring coordinated project and significant redirection of budget to restore Major loss/damage to an item of plant & equipment that is restorable at a cost of $25k plus Major loss/damage to an item of plant & equipment that is not restorable and is required to be replaced at a cost of over $50k. Health and Safety Minor injury requiring first aid and no lost time Minor Injury requiring medical treatment No lost time, but minor temporary incapacity Temporary incapacity or lost-time injury Hospitalization Short-term absence Permanent incapacity and long term absence Permanent incapacity and long term absence, with possibility of no return to work Reputation User complaints direct to MHC either by phone, in writing or person. Can be dealt with by Team management. Possible minor local media attention, resulting in some MHC embarrassment, requiring attention by Director, Strategic Operations and Communications. Widespread user complaints and Adverse Media attention requiring attention by Director, Strategic Operations and Communications and or Deputy Commissioner. Sustained demonstration of user concern and Sustained national adverse media coverage, requiring attention by Commissioner Sustained demonstration of user and media concerns resulting in Ministerial embarrassment and possible loss of political support. Requiring attention by Commissioner Environmental Brief impact resulting in minor diversion of resources for less than 1 day. Brief impact resulting in minor diversion of resources for more than 1 day. Short-term impact resulting in diversion of resources for more than 3 days and affects other business activities Sustained impact Resulting in diversion of resources from other business activities for more than 5 days Significant impact resulting in diversion of resources from other business activities for more than 10 days. Compliance Non-compliance rectified with immediate management intervention. Non-compliance readily rectified with Management intervention and notifying the regulatory agency and addressed by management Non-compliance resulting in a notification from the regulatory agency and addressed by management Non-compliance resulting in penalty or prosecution or restriction order and addressed by the Chief Audit Executive. Significant non compliance resulting in a Ministerial warning and possible mention in Parliament requiring intervention by the Commissioner.

7 The framework derives risk ratings from likelihood and consequence as follows. Table 3: Risk ratings Mental Health Commission of New South Wales Rating Insignificant Minor Moderate Major Significant Almost Certain Medium Medium High Extreme Extreme Likely Low Medium High High Extreme Possible Low Low Medium High Extreme Unlikely Low Low Medium Medium High Rare Low Low Low Medium High The framework provides for risk reporting and action as follows. Table 4: Risk reporting and actions Risk Rating Consequence of Occurrence Action Reporting Loss of ability to sustain ongoing operations. An event Significant that would cause operations to be substantially disrupted resulting in severe impact upon public image and reputation. Immediate Commissioner Significantly reduced ability to achieve corporate Director, Major objectives, impacting our overall business operations, e.g. short term loss of service Engagement & Operations Moderate Minor Insignificant Disruption to normal operations with a moderate effect on the achievement of objectives, e.g. temporary loss of service and/or processing capability. Limited impact on the achievement of objectives No impact on the achievement of objectives readily resolvable by management with no consequences to the business Manager, Business Services Manager, Business Services Manager, Business Services

8 Risk Register The Commission has developed a centralised, electronic risk database which acts as a central register and repository for specific risk management data. The Risk Register permits timely reporting of risk exposure to inform management action. The Risk Register identifies the Commission s strategic and operational risks, ascribes an internal owner to each risk, describes the existing controls that are in place to manage the risk and assigns a risk rating based upon the likelihood and consequence of the risk occurring. Proposed risk mitigation strategies for each risk are also described with the outcomes of these control strategies then creating a target risk rating (that is, the residual risk after proposed control strategies are implemented). The Commission s Risk Register can be accessed via Trim Reference TF14/46. Operational Model The risk management model for the Commission is at Figure 2 and takes account of the physically dispersed nature of the Commission s operations and aligns with the current organisational structure. The model integrates risk management with the Commission s management structure and establishes risk management as a structured, consistent and continuous process across the whole organisation in compliance with AS/NZS ISO 31000:2009. Under the model, strategic risk is managed by the Director, Engagement and Operations who is the Chief Audit Executive and a report on strategic risks is made on a quarterly basis to the Audit & Risk Committee. Operational Risk is managed by the Manager, Business Services and a report on operational risks is made on a quarterly basis to the Audit & Risk Committee. Roles and Responsibilities The Commission s staff, contractors and volunteers will: Manage risks that is, identify, assess and treat risks, in the course of their work Promptly report any existing or potential risk to their manager Managers will: Foster an environment that promotes risk management as part of everyday decision making. Ensure staff have an awareness of internal controls and are accountable for managing risk in their roles Assess known risks using the risk framework and escalate responsibility as appropriate Manage project risks in a way that is consistent with, and linked to the Risk Management Framework Identify uncertainties that will affect the achievement of Commission objectives Establish policies, operating and performance standards, budgets, plans, systems and procedures to address identified risks and reduce them to an acceptable or tolerable level Monitor the effectiveness of controls Undertake self-assessments (where directed) to certify the effectiveness of controls addressing risks for which they are responsible. Manager, Business Services will: Report on operational risks on a quarterly basis to the Audit and Risk Committee Act as the primary champion for risk management at the operational level Prepare the Commission s attestation for compliance with the NSW Treasury Internal Audit and Risk Management Policy for the NSW Government Sector Maintain the Commission s Risk Management Framework and Risk Register Monitor compliance with risk management policy and procedures.

9 Director, Engagement and Operations / Chief Audit Executive will: Report on strategic risks on a quarterly basis to the Audit and Risk Committee Act as the primary champion for risk management at the strategic level Review the Commission s approach and activities with regard to risk management Review recommendations from the Audit and Risk Committee and ensure they are implemented Ensure risk management planning is part of the strategic, operational and annual business planning activities of the Commission Review risk treatment plans and risk management reports, including the Risk Register. Commissioner will: Have ultimate responsibility and accountability for risk management in the Commission. Ensure that a risk management framework that is appropriate to the Commission and consistent with ISO 31000:2009 is established and maintained within the Commission Formally attest to NSW Treasury compliance with NSW Treasury Internal Audit and Risk Management Policy for the NSW Government Sector and publish the attestation in the Annual Report. Determine and articulate the level of risk the Commission is willing to accept or tolerate. Approve, monitor and communicate the Commission s Risk Management Policy and Plans. Promote and communicate a positive risk culture Ensure that managers and decision makers in the Commission understand that they are accountable for managing risk within their sphere of authority and in relation to the decisions they take. Further Guidance and Resources The NSW Treasury Risk Management Toolkit for the NSW Public Sector provides a range of tools to support agencies to develop and implement their risk management framework and processes. The Toolkit provides detailed and practical advice on the various elements of ISO 31000, templates and some worked examples based on a hypothetical agency. It can be accessed via the following website:

10 66