Risk management
PURPOSE:
The purpose of this risk management policy is to give direction that will allow QLeave to systemically manage risk and thereby eliminate or minimise potential costs or losses and to strengthen QLeave's ability to achieve its objectives.
SCOPE:
The General Manager has overall accountability for the management of risk in QLeave and will be advised by a Risk Management Committee.
Leadership Team members will identify and manage the strategic risks faced in achieving organisational objectives identified in the Strategic Plan.
Business Managers will identify and manage operational risks associated with achieving the performance objectives in their unit plans. Managers should involve staff in the risk management process.
Project Managers are specifically responsible for managing the risks to project objectives using the approved project management methodology. The Information Services Steering Committee will be responsible for overseeing the management (including risk) of all ICT projects in conjunction with the Internal Auditor.
All staff will play a key role in maintaining and implementing the risk management process including identifying risks, working as a team to manage and contain risks and monitoring the internal and external environment.
CONTEXT:
This policy is drafted to comply with the:
- Financial Accountability Act 2009 (section 61)
- Financial and Performance Management Standard 2009 (section 28)
- AS/NZS 31000:2009 Risk Management - Principles and guidelines
This policy forms part of the Risk Management Framework.
POLICY:
QLeave is committed to establishing an organisational philosophy and culture that ensures effective business risk management is an integral part of all QLeave activities and core management capabilities.
This policy does not intend to eliminate risk completely, rather it sets the framework to manage effectively the risks involved in all QLeave activities. The purpose of risk management is to make it possible for risk exposures to be managed professionally. This is achieved by determining an acceptable level of risk for each risk exposure and then introducing appropriate procedures to protect QLeave from unacceptable costs and losses.
The principles of risk management can be applied to almost every type of activity, including strategic/operational planning, business decisions, purchasing methods, fraud control, systems appraisals and ICT Projects.
The objectives of this policy are to ensure:
- embedding the culture of risk management through senior management, front line managers and all staff
- integrating risk management with other processes such as strategic and operational planning
- a systematic approach to identify, manage and monitor risk and
- timely reporting on risk management systems to the General Manager and the Board through the Audit, Risk Management and Compliance Committee.
RISK MANAGEMENT COMMITTEE
A risk management committee shall be established in accordance with Financial and Performance Management Standard 2009 (Section 28).
It will be chaired by the General Manager (GM) and comprise members of the senior management team, a representative from the WH&S committee and the Internal Auditor.
The committee will meet regularly, as determined by the GM, and report progress to the Board through the Audit, Risk Management and Compliance Committee on a quarterly basis.
The role of this committee is to undertake the identification, analysis and management of those risks which threaten QLeave. It will be directly responsible for the results of the risk management activities and in particular those statutory obligations under relevant legislation strategies.
An approved terms of reference will guide the Risk Management Committee and be reviewed annually for relevance and effectiveness. Each year efforts will be made to improve and strengthen this policy and the risk management competencies of staff.
RISK MANAGEMENT APPROACH
The formal risk management approach used in QLeave shall be in accordance with AS/NZS 31000:2009 Risk Management - Principles and guidelines.
The risk management process utilised within QLeave is as follows:
- Establish the context: Establish the strategic, organisational and risk management context for the process. To ensure that all risks are identified, the service or process being assessed can be delineated into components using categories such as personnel, environment, technology, property, product, financial and administration.
- Describe the risk: Each risk identified should be adequately documented.
- Analyse the risks: This assessment will involve 2 aspects - the likelihood that the risk will eventuate and the potential adverse consequences if the event occurs. Consequence and likelihood are considered together to estimate the risk rating using the Risk Assessment Proforma and Level of Risk Chart.
- Identify Residual Risk: This step includes examining the adequacy of existing systems, controls and predictors to determine a residual risk rating. The nature and extent of the risks associated with operations should be identified and assessed against the original risk rating to see if the level of threat the risk poses to the organisation's operations can be reduced through these measures.
- Risk Treatment: Identify suitable treatments in accordance with the risk treatment options detailed in the Risk Assessment Proforma and Level of Risk Chart. Note: Detailed Risk Treatment strategies need to be identified for any risk that has a Residual Risk Rating of Significant or High.
- Monitor and review. Risk assessment should be part of the normal business process and reviewed regularly to identify new risks or eliminate previously identified ones. (This is undertaken through an annual audit of identified risks and reviewed quarterly by the Risk Management Committee).
- Communicate and consult: Communicate and consult with all parties as it is important that their perceptions of risk and benefit are understood and addressed.
MONITORING
Risk in any organisation is not static. New risks may emerge and the likelihood and consequence of any existing risk may change because of a change to the external or internal environment, government priorities or milestones being reached for plans or objectives. Accordingly, the risk register is to be monitored regularly and updated quarterly.
A regular review of the risk register will remind business and project managers of the risks and also assist with conducting environmental scans to assess changes in risk.
For any risk incidents, reports are to be completed by the relevant affected area, detailing date, impact, actions taken and proposed remedy, and forwarded immediately to the General Manager. The General Manager will escalate this at his discretion.
The Risk Assessment Proforma and Level of Risk chart to be used in assessing business risks are detailed in Q*Docs, General Managers Office/Form/Building and Construction/Risk Management Proforma, and form part of this Risk Management Policy.
Risk Assessment Proforma and Level of Risk Chart FM/GO/10126.4