Risk Management Policy

Transcription

1 Risk Management Plicy 1. Purpse The purpse f this plicy is t prvide clear guidelines fr the management f risk. Risk is defined as the effect f uncertainty n bjectives. 1 Risk Management is the discipline f: identifying and assessing risk designing and implementing a risk mitigatin plan actins t avid, reduce, share r accept risk mnitring risk within acceptable appetite levels. The Bard requires that apprpriate Risk Management prcedures are in place and in use t identify the principal risks f the business and that apprpriate systems are implemented t manage these risks. 2. Scpe The plicy frms a part f POAL s gvernance plicies. The plicy applies t all cmpanies in the POAL grup and cvers all aspects f Risk Management. 3. Plicy All staff are required t apply the methdlgies and prcesses established in this dcument in rder t: Prvide assurance that risks are being: Identified and effectively cntrlled where they arise in the rganisatin; and Escalated thrugh the line management reprting structure t a level where they can be either effectively cntrlled r accepted Allw POAL t recgnise, priritise and respnd t risks arising frm change; and Optimise allcatin f resurces t risk management. 4. Risk Management Framewrk 4.1 Risk Ownership Every emplyee has a duty fr the management f risks in the area in which they wrk. When staff take up new rles their line manager has a respnsibility t instruct them n the risks they face, the 1 Definitin frm ISO Prts f Auckland I Risk Management Plicy 1

2 cntrls they are respnsible fr and any treatments they must actin. Specific risk respnsibilities are listed in sectin Risk Appetite Risk appetite is the amunt and type f risk that the business is willing t pursue r retain - because an acceptance f a level f risk is necessary t achieve business bjectives. The Bard is respnsible fr determining POAL s risk appetite. The Bard must be made aware f risks that may have a critical cnsequence (e.g. lss f life r serius injury, cessatin f prt peratins fr an extended perid, significant envirnmental damage, significant reputatinal damage, and material financial lss) in rder t prvide guidance n what level f risk is acceptable. Refer t Appendix 2 fr the Risk Appetite Table. This table infrms the quantitative and qualitative measures fr risk evaluatin. 4.3 Risk Identificatin & Assessment Awareness f risk is an nging, daily activity fr every member f staff r cntractr that extends beynd their immediate wrk envirnment. Everyne needs t be mindful f the risks they encunter and pint ut risks t thers that may nt be bvius. At least annually each business unit must review their internal and external envirnment t identify new risks that their business unit faces. During annual planning each business unit must identify risks that are material t the achievement f their bjectives and incrprate risk mitigatin strategies int their plans. Treatment wners and target dates fr cmpletin must be agreed and incrprated int individual and team KPI s. Sufficient capital and peratinal budget must be requested t cver the cst f treatment plans. Befre decisins are made the risks f each ptential curse f actin must be identified and assessed and used as an input int the decisin making prcess. Internal incidents and relevant external events must be reviewed in a timely manner t determine whether they identify new risks r impact n previusly identified risks. Business units are respnsible fr assessing their wn risks by using the POAL Risk Matrix (attached as Appendix 1). 4.4 Risk Mitigatin Risk mitigatins include cntrls (prcedures r plicies that prvide assurance) and treatments (planned actins t lwer risk). Each cntrl shuld have a cntrl wner and, where reasnably pssible, a plan fr checking the effectiveness f the cntrl. Each treatment shuld have a treatment wner and an agreed target date fr cmpletin f the treatment. Risk wners remain accuntable fr the effectiveness f cntrls and the successful implementatin f treatments. The residual risk is the risk which remains after all the risk mitigatins are in place and is therefre the risk that the business is making a decisin t accept. It is imprtant that this decisin is made at an apprpriate level (as specified in the POAL Risk Matrix) and with cnsideratin f POAL s Risk Appetite. The Bard will prvide guidance n accepting residual risk fr Key Risks (see sectin 3.6). 4.5 Risk Registers The risk register recrds each material risk tgether with its risk mitigatin plan. General Managers are respnsible fr ensuring their business unit(s) has a risk register and that the risk register is kept current. Prts f Auckland I Risk Management Plicy 2

3 Risk registers must include: Business unit name Risk register wner Date f last risk meeting List f all material risks currently faced Each listed risk must include: Risk descriptin Risk wner Date risk was last reviewed Residual risk assessment (after risk mitigatins), cmprising f: Ptential cnsequence (wrst case) Ptential likelihd (f that wrst case ccurring) Risk scre (accrding t POAL Risk Matrix) List f cntrls in place, with each cntrl having a: Cntrl wner Cntrl assurance prcess (if assurance prcess exists) Date assurance prcess was last perfrmed r reviewed List f treatments planned, with each treatment having a: Treatment wner Planned treatment cmpletin date 4.6 PrtSafe PrtSafe is a prt-wide health and safety applicatin. All health and safety risks must be included in PrtSafe. Risks recrded in PrtSafe d nt need t be repeated in the business units risk register. 4.7 Escalatin f High Risks and Extreme Risks Managers are respnsible fr the reprting t their General Manager all newly assessed risks with a residual risk level (after cntrls) f Extreme r High. The General Manager is respnsible fr reprting these risks t the Executive and Bard (via the mnthly CEO Reprt). 4.8 Key Risks Key Risks are thse risks with an Assessed Risk Level f High r Extreme plus ther risks that the Executive Team believes warrant their inclusin as a Key Risk. A separate Key Risk Register will be maintained by Gvernance and Risk Manager cmprising f all Key Risks. Nte similar risks frm multiple business unit risk registers may be cmbined int a single high-level risk n the Key Risk Register. The Key Risk Register will be reviewed by the Executive team n an annual basis. 4.9 Bard Risk Reprting The full Key Risk Register will be presented t the Bard fr review n an annual basis. New Key Risks, and any material change t an existing Key Risk, will be reprted t the Bard at the next Prts f Auckland I Risk Management Plicy 3

4 scheduled Bard meeting within the mnthly CEO reprt, in either the Current Issues r Risk and Cmpliance sectins. The Bard will receive, n a regular basis, a Bard paper n a pre-selected Key Risk prepared by the risk wner. Key Risks that are f a strategic nature will be discussed during the curse f the Bard s regular strategy discussins Risk Management Assurance The risk management functin will wrk clsely with the Insurance and Internal Audit areas and ther relevant external parties (e.g. Maritime NZ, NZ Custms) t ensure there is a cmmn understanding f the purpse and effectiveness f cntrls that mitigate risks and ensure thse risks which remain are acceptable. 5. Respnsibilities 5.1 Gvernance Structure Bard Bard f Directrs Audit Cmmittee Management Chief Executive Officer Executive Team Gvernance & Risk Manager Internal Audit functin 5.2 Bard f Directrs The Bard f Directrs are respnsible fr: apprval f the Risk Management Plicy setting the tne and culture fr risk management establishing POAL s risk appetite btaining assurance n: the effectiveness f the management f risks the level f cmpliance with the Risk Management Plicy Prts f Auckland I Risk Management Plicy 4

5 5.3 Chief Executive Officer The CEO is respnsible fr: develping and maintaining the Risk Management Plicy and ensuring it is implemented and effective setting the tne and culture fr risk management delegating adequate authrity and resurces t staff t enable them t effectively identify and manage risks within the cmpany s risk appetite prviding apprpriate, timely and accurate risk infrmatin t the Bard n High and Extreme risks. 5.4 General Managers Each General Manager is respnsible fr: supprting the effective implementatin and peratin f the Risk Management Plicy champining initiatives t imprve the management f risks reviewing risks that have been assessed with a residual risk level (after cntrls) f Extreme r High, and reprting these t the Executive team and the Gvernance and Risk Manager 5.5 Managers Each Manager is respnsible fr: taking respnsibility fr managing risk, safety, health and cmpliance in their wn area f respnsibility identifying the risks relating t wn area (peratinal, financial, plitical etc.) and ensuring that there are adequate mitigatin strategies in place t effectively manage thse risks maintaining knwledge abut the key risks keeping their business unit risk register current and ensuring their General Manager is infrmed n their risks and risk mitigatin strategies. 5.6 All staff All staff are respnsible fr: identifying ptential risks within their business area identifying perceived shrtcmings in risk cntrls the timely cmpletin f risk treatments cmplying with the Risk Management Plicy 5.7 Gvernance and Risk Manager The Gvernance and Risk Manager is respnsible fr: prviding the tls and advice t enable managers t implement the Risk Management Plicy mnitring the applicatin and effectiveness f the Risk Management Plicy maintaining and reprting the Key Risks Register t the Executive Team and the Bard Prts f Auckland I Risk Management Plicy 5

6 tracking the cmpletin f risk treatments fr Key Risks crdinating cmpany-wide initiatives t imprve prcesses that identify and manage risks advising, caching and training staff n risk management techniques assisting the internal audit functin t prvide assurance n risk management. 5.8 Audit Cmmittee The Audit Cmmittee is respnsible fr ensuring the annual internal audit plan takes accunt f the key areas f risk. 2 Bard Apprval: 19 March 2018 Plicy Owner: Plicy Review: Gvernance and Risk Manager Biennially 2 POAL Audit Cmmittee Charter April 2017 Prts f Auckland I Risk Management Plicy 6

7 Appendix 1 POAL Risk Matrix Likelihd Cnsequence Insignificant Minr Mderate Majr Critical Almst certain Likely Pssible Unlikely Rare Assessed Risk Level Lw (1-8) Medium (9-15) High (16-22) Extreme (23-25) Likelihd Almst certain Likely Pssible Unlikely Rare Descriptin f Likelihd Almst certain t ccur within the freseeable future. Greater than 80% prbability that the risk will ccur within next 12 mnths (and likely t have multiple ccurrences). Likely t ccur within the freseeable future. 50% - 80% prbability that the risk will ccur within next 12 mnths May ccur within the freseeable future. 20% - 50% prbability that the risk will ccur within next 12 mnths (between a 1 in 2 and a 1 in 5 year ccurrence). Nt likely t ccur within the freseeable future. 2% - 20% prbability that the risk will ccur within next 12 mnths (between a 1 in 5 and a 1 in 50 year ccurrence). Will nly ccur in exceptinal circumstances. Less than 2% prbability that the risk will ccur within next 12 mnths (less than 1 in 50 year ccurrence). Cnsequence Insignificant Minr Mderate Majr Critical Safety and Wellbeing Very minr injury if first aid required is selfadministered immediately back t wrk with n impact n perfrmance Minr injury r illness requiring first aid treatment n site back t wrk with n LTI Injury r illness requiring ff-site medical treatment and/r LTI Ntifiable injury r illness (as defined by WrkSafe) Fatality r near miss that culd result in a fatality Emplyee engagement Minr impact n ne emplyee Minr impact n limited number f emplyees r prspective emplyees Minr widespread impact r majr impact n a limited number f emplyees Small drp in verall mrale, a few emplyees leaving, negative impact n recruitment utcmes Large drp in mrale, many emplyees leaving, remuneratin increases required t keep existing and recruit new staff Public reputatin Islated minr cmplaint frm member f public. Multiple cmplaints frm a stakehlder grup that are easily reslved. Multiple cmplaints frm a stakehlder grup that are nt easily reslved. Small drp in verall public perceptin r substantial drp in a stakehlder grup. Negative news stries r prtests. Substantial drp in public perceptin resulting in negative impacts n business strategy. Material impact n ur licence t perate. Prts f Auckland I Risk Management Plicy 7

8 Cnsequence Insignificant Minr Mderate Majr Critical Envirnmental N effect n envirnment. Insignificant fleeting effect n envirnment. Minr shrt-term effect n the envirnment. Mderate shrtterm r minr lng-term effect n envirnment. Significant shrtterm r mderate lng-term effect n envirnment. Material impact n ur licence t perate. Operatinal Disruptin f a nn-critical prcess fr less than 4 hurs Disruptin f a nn-critical prcess fr 4-48 hurs. Disruptin f a nn-critical prcess fr mre than 48 hurs. Disruptin f a critical prcess fr mre than 24 hurs. Disruptin f a critical prcess fr mre than 1 week. Disruptin f a critical prcess fr less than 4 hurs. Disruptin f a critical prcess fr 4-24 hurs. Cmplete prt shut-dwn fr less than 4 hurs. Cmplete prt shut-dwn fr 4-12 hurs. Cmplete prt shut-dwn fr mre than 12 hurs. Market Minr custmer incnvenience - quickly frgtten Dissatisfied custmer with frmal cmplaint requiring actin Dissatisfied custmer resulting in reductin in ttal revenue f less than 1% Lss f a belw tp 10 custmer r reductin in ttal revenue f 1%-5% Lss f a tp 10 custmer r reductin in ttal revenue f mre than 5% Financial One-ff financial lss f less than $1,000 One-ff financial lss $1,000 - $20,000 One-ff financial lss $20,000 - $500,000 One-ff financial lss $500,000 - $5M One-ff financial lss exceeding $5M Level f Authrity Assessed Risk Level Lw (1-8) Medium (9-15) High (16-22) Extreme (23-25) Apprval t undertake risk activity (includes apprving the risk assessment and risk mitigatin strategy) Supervisr r Team Leader Business Unit Manager r Direct Reprt t a GM General Manager Executive Team r CEO Prts f Auckland I Risk Management Plicy 8

9 Appendix 2 POAL Risk Appetite Table The fllwing table indicates the amunt f risk POAL is prepared t assume in pursuit f its strategic bjectives. Use the table when reviewing risk t guide the decisin n whether the risk cntrls and treatments are sufficient. Risk dmain Risk averse Balanced Risk tlerant Safety and wellbeing Emplyee reputatin Public reputatin Envirnmental prtectin Operatinal cntinuity Market reputatin Financial perfrmance Regulatry cmpliance Risk dmain is the categry the risk being assessed best fits shuld the risk eventuate. The risk dmains used align with the cnsequences frm the Risk Matrix specified in Appendix 1, with the additin f regulatry cmpliance. Risk averse indicates dmains where POAL will take all reasnable practical steps t avid and/r mitigate the risk. Balanced indicates dmains where POAL has flexibility in its apprach t the risk, t ensure an apprpriate balance between risk and reward. Risk tlerant indicates dmains where POAL is willing t take n mre risk in the search fr greater reward. Prts f Auckland I Risk Management Plicy 9