Risk Management Framework
Foreword
The South Australian Government Risk Management Policy Statement 2009 advocates that consistent and systematic application of risk management is central to maximising community outcomes, deriving the benefit of opportunities, managing uncertainty and minimising the impact of adverse events.
Consistent with this policy the Department for Communities and Social Inclusion (DCSI) is committed to protecting itself, employees and others from situations or events that would prevent it from achieving its strategic goals and objectives. Risk management is an integral part of good management practice and the provision of safe workplace environments.
A systematic approach to managing risks and opportunities is more effective and efficient than allowing informal, intuitive processes to operate.
DCSI's adoption of a structured approach to risk management:
Andrew Thompson
Executive Director
Financial Services
TABLE OF CONTENTS
Foreword ... 3
1. Introduction ... 5
2. What is Risk Management? ... 7
3. Risk Management Principles ... 8
4. The Approach to Managing Risks ... 10
5. The Risk Management Process ... 12
6. Roles and Responsibilities ... 16
7. Recording and Reporting Requirements ... 18
Appendices ... 21
Appendix 1 - SA Government Risk Management Policy Statement ... 23
Appendix 2 - DCSI Risk Management Policy ... 24
Appendix 3 - DCSI Risk Management Plan ... 27
Appendix 4 - Detailed Risk Management Process ... 28
Appendix 5 - Risk Categories and Potential Sources of Risk ... 36
Appendix 6 - DCSI Risk Assessment Matrix ... 37
Appendix 7 - DCSI Risk Escalation Flowchart ... 39
Appendix 8 - DCSI Risk Management Glossary ... 40
Version 2.0
December 2012
A5013136
Page 4 of 42
1. Introduction
The purpose of this framework is to:
ensure that the information about risks derived from the risk management process is accurately reported; and
Further, the Risk Management Policy Statement indicates that the Chief Executive of the Department for Communities and Social Inclusion (DCSI) is accountable to the relevant ministers for the development and implementation of a risk management framework specific to the department's business and organisational needs.
The key principle which underpins this statement is that risk management contributes to the creation of sustainable value. (The Policy Statement is contained in Appendix 1.)
[Figure: DCSI organisational structure. Chief Executive; Human Resources; State Recovery; Multicultural SA; Disability SA; Disability & Domiciliary Care Services; Policy & Community Development; Financial Services; Youth Justice, Community Engagement & Organisational Support; Housing SA.]
3. Risk Management Principles
Risk management principles, with how each aligns to SAHPFC and ABEF (the alignment columns of the original table were not recovered; the descriptive cells that were recovered are shown after the principle):
- Risk management creates and protects value
- Risk management is an integral part of all organisational processes
- Risk management explicitly addresses uncertainty
- Risk management is systematic, structured and timely
- Risk management is based on the best available information: DCSI has rich data sources that are fostered by open channels of communication, allowing the highest level of information to be conveyed effectively to stakeholders.
- Risk management is tailored: The whole of DCSI, its divisions, and all of its business units, work with risk management procedures that are tailored to meet their specific needs.
- Risk management is transparent and inclusive
- Risk management is dynamic, iterative and responsive to change
- Risk management facilitates continual improvement of the organisation
Fragments recovered from the alignment table: Are strategic; Are accountable; Focus on results.
Principle statements recovered from the same table:
- Clear direction and mutually agreed plans enable organisation alignment and a focus on the achievement of goals.
- Understanding what customers and other stakeholders value, now and in the future, enables organisational direction, strategy and action.
- All people work in a system; outcomes are improved when people work on a system and its associated processes.
- Innovation and learning influence the agility and responsiveness of the organisation.
- Sustainable performance is determined by an organisation's ability to deliver value for all stakeholders in an ethically, socially and environmentally responsible manner.
- Leaders determine the culture and value system of the organisation through their decisions and behaviour.
a culture that is not risk averse but is prepared to manage risks within an appetite that is set and reviewed by the Executive Leadership Team (ELT);
"... the nature of risk is that it is unpredictable."
Full accountability for managing and reporting significant risks at all levels of the organisation (strategic and operational):
Risk, control and treatment owners are required to liaise with the RAF for their area and, if required, other owners to ensure all elements of the risk management process are considered.
Risk Owner
Risks in the strategic risk register must be owned by either the Chief Executive or an Executive Director. All other risks are owned by a person in the business unit who has the overall responsibility for the risk, e.g. Director, Manager.
Risk owners are accountable for the acceptance of risks that are outside the parameters set by the department. These parameters are identified in the risk matrix. When a risk has been accepted in these circumstances, the risk owner is required to provide a documented explanation as to why the risk has been accepted as it stands.
Control Owner
If a control requires a treatment(s), the control owner will liaise with the treatment owner(s) to ensure appropriate actions are undertaken to modify and strengthen the control.
Treatment Owner
Any updates to the treatments are to be advised to the RAF when they occur or at the time of quarterly reporting.
Types of risk
Within this department, 3 types of risk are considered. They are:
"a strategic risk is simply a risk that has the ability to impact on the achievement of strategic objectives."
Project Risks: risks that are linked to projects and programs that exist within the department and are generally captured using the Project Management Office system. They are medium to long term risks and don't require much change; however, when elements of a project or program do change, the risks, controls or treatments may require review. Project risks that remain once the project or program reaches the transition to operational phase need to be entered on the appropriate risk register to facilitate continuing monitoring and review. The SWOT analysis is useful to identify these risks.
The diagram below summarises the Risk Management Process (AS/NZS ISO 31000:2009).
[Diagram: Risk Management Process. Context: strategic context; organisational context; risk management framework / structures; develop evaluation criteria; internal / external context / stakeholders. RISK ASSESSMENT: IDENTIFY RISKS; ANALYSE RISKS (determine existing controls; determine likelihood; determine consequences); EVALUATE RISKS; TREAT RISKS? No / Yes: TREAT RISKS.]
"... enables better discussions with others who play a role in the mitigation of risk"
Risk Management
The risk management team is responsible to the Director, Quality Assurance, Risk & Business Improvement for:
The risk management team work with areas in the department to assist with the implementation of the Risk Management Policy and Framework, while providing training and support to Managers and the RAFs.
Internal Audit
"the internal audit program is risk-based"
Where the action required to address the risk requires a higher level of authority; and
Employees
All employees are expected to actively support and contribute to the recording and reporting of risks, through participation in risk assessment workshops when required and by discussing risks associated with their role with their RAF.
Risk Management
Risk Management will report quarterly on Strategic and Divisional risks, controls and treatments to Divisional Risk Management Committees and Housing Leadership Group meetings. Reports focus on matters arising, from new and emerging risks to the Department, and work to be undertaken.
Internal audit
Internal Audit plans are developed to contribute to the assessment of the department's business processes and activities. Internal audits provide assurance to departmental executives regarding the identification of key risks, and the effectiveness of the control and management of those risks.
Risk Management and Audit Committees
The Committees report to the Chief Executive on any major risks or issues that are of continuing concern and ratify reports on activities and outcomes prepared by QARBI and Internal Audit for inclusion in the DCSI Annual Report as evidence of compliance with Government policy.
Risk Escalation Flowchart
This flowchart has been designed to demonstrate how risks are first identified and then recorded on the risk register. The flowchart illustrates how risks outside of the department's risk appetite are referred to senior management and executive. It should be noted that risks can also be downgraded. The flowchart is provided in Appendix 7.
Risk Management Reporting
Risk reporting involves a structured process to record information at each stage of the risk management process. The department maintains a risk
"risk registers are maintained as living documents."
APPENDICES
Appendix 2 - DCSI Risk Management Policy
Policy number: RAL/137
Version: 2.1
Date of version: March 2013
Applies to: All DCSI staff
Implementation date: Ongoing
Issued by: Quality Assurance, Risk & Business Improvement (QARBI)
Delegated authority: Jonathan Boyd, A/Director, QARBI
Policy custodian: Brenda Head, Principal Risk Management Consultant
Other header entries (labels not recovered): March 2014; C2: restricted internal; SA Strategic Plan: T1.8
Printed versions of this document may be superseded. Refer to online policies and procedures for the most current version.
Intent
This policy describes the Department for Communities and Social Inclusion (DCSI) responsibilities under the South Australian Government Risk Management Policy Statement: 2009.
Context
The South Australian Government Risk Management Policy Statement 2009 (hereinafter referred to as Policy Statement: 2009) is based on the international standard AS/NZS ISO 31000:2009: Risk Management Principles and Guidelines. The Policy Statement 2009 is explicit in asserting that the consistent and systematic application of risk management is central to maximising community outcomes, effectively leveraging the benefit of opportunities, managing uncertainty and minimising the impact of adverse events.
In addition, the Premier's Declaration for Safety and Wellbeing in the Public Sector 2010 - 2015 outlines the requirement that all executives and managers are trained in risk management for the purpose of establishing integrated reporting systems.
Through this DCSI policy, the DCSI Risk Management Framework and supporting procedures, DCSI promotes a culture of enquiry, learning and trust to anticipate and assess risks and opportunities. DCSI's assessment of risks associated with decision-making, business planning and practices and its performance reporting activities are fundamental to establishing a safe working environment.
This policy and the supporting Framework and Procedure documents are based on the principle that sound risk management enhances the agency's opportunities to achieve its goal to deliver better outcomes for the most vulnerable in the community.
Risk
This policy mitigates the risk that DCSI will not meet the obligations mandated for government agencies in the Policy Statement: 2009.
Failure to apply this policy would place in jeopardy the sound management of DCSI's extensive resources and the safe and secure management of its employees.
Premier's Declaration for Safety and Wellbeing in the Public Sector 2010 - 2015
Chief Executive's Safety Commitment 2012
WorkCover SA Performance Standards for Self Insured Employers April 2008
Supporting Documents
This document is to be used in conjunction with:
DCSI Risk Management Framework (incorporating a glossary)
Related Documents and Resources
AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines
Scope
This Risk Management Policy applies to all DCSI divisions, business units and agencies.
Definitions
Risk: effect of uncertainty on objectives.
Risk Management: coordinated activities to direct and control an organisation with regard to risk.
Risk Management Framework: a set of information components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the organisation.
Policy Detail
Consistent with the international standard AS/NZS ISO 31000:2009 and Policy Statement: 2009, DCSI is committed to maintaining and continuously improving an enterprise wide system that manages risks to protect itself, its employees and others from situations or events that would prevent the achievement of its strategic objectives.
DCSI will reduce its exposure to risk and optimise its opportunities by continuing to adopt a systematic and transparent approach to identification, analysis, evaluation and management of risks.
DCSI will create risk information and knowledge that is concise, accurate, timely and complete, with clearly defined assumptions and limitations that support informed discussion on risks and opportunities across all of its functions, so that risks are clearly articulated, mitigated, monitored and reviewed.
DCSI will promote within business units consideration of risk in modifying behaviours or actions in the context of local needs and in consideration of the opportunities that might arise from different behaviours or actions being taken.
In DCSI, risk management will be a consideration in all initiatives and all project proposals.
Responsibilities:
The Chief Executive is accountable to the Minister for the development and implementation of a risk management framework (based on the AS/NZS ISO 31000:2009: Risk Management Principles and Guidelines) specific to the organisation's business and the organisational context. (SA Government Risk Management Policy Statement, 2009)
Executives and Senior Management are responsible for ensuring a systematic and integrated approach to risk management throughout their Division/Business Unit which complements the DCSI Policy and Framework.
Risk Assessment Facilitators (RAFs) are nominated by their Executive and Senior Management to assist with Divisional/Business Unit risk assessment workshops and quarterly reviewing of risks and promoting the integration of risk management throughout all business practices.
All staff are expected to have an awareness of the risks and opportunities within their work group and to actively support and contribute to the risk management system.
The Director Quality Assurance, Risk & Business Improvement (QARBI) is responsible for ensuring that the Risk Management Team work collaboratively with Executive, Senior Management and staff to assist with the implementation of the Risk Management Policy and Framework, and in providing advice, training and support to the Risk Assessment Facilitators.
DCSI Risk Management and Audit Committee and SAHT Board Audit & Finance Committee monitor risk management within DCSI and provide oversight of the functions of the Risk Management Unit. The Committees assist the Chief Executive in developing and implementing strategies for effective risk management and ensuring accountabilities are met.
Policy Approval
Content Author: Name: Brenda Head; Position: Principal Risk Management Consultant; Date:
Delegated Authority (Director or authorised delegate): Name: Jonathan Boyd; Position: A/Director, Quality Assurance, Risk & Business Improvement; Date:
Name: Andrew Thompson; Position: Executive Director, Financial Services; Date:
Appendix 3 - DCSI Risk Management Plan
(Table columns: Description; When; Who. Row headings that were not recovered from the extracted text are omitted.)
- Risk management will be incorporated into normal business activities including planning, decision making and operational processes, leading to the achievement of organisational goals. When: Biennially. Who: All staff.
- Policy review is every year. This allows for any updates and organisational changes to be incorporated into the policy and keeps the information as contemporary as possible. When: Annually. Who: QARBI.
- Risk Management Framework: A review every two years of the framework allows the organisation to continually improve its processes without deviating too far from the policy and procedures. When: Biennially. Who: Risk Management.
- Risk Assessments: Formal risk assessment workshops are to be undertaken as part of the annual business plan cycle, new initiatives, budget bids, cabinet submissions etc. When: Annually. Who: All Business Units/Divisions.
- Roles and responsibilities are reviewed on a quarterly basis during the reporting cycle. If responsibilities for risks, controls or treatments have changed, it will be reflected in the report. When: Quarterly. Who: All Business Units/Divisions.
- The Manage Risk Course, Risk Awareness to Action Workshops and Business Development packages and presentations will be presented. When: Bi-annually. Who: Risk Management.
- Risk Management Reporting Process: RAFs, Directors and Executive Directors review risk registers on a quarterly basis. The Chief Executive is then provided with a memo outlining the results of the compliance program undertaken from the quarterly reporting process. Risk Management Committees, HLG and the ELT are then provided with reports outlining the results. Any feedback from these groups is then incorporated into the RMAC and SAHTBAF reports. When: Quarterly. Who: All Business Units/Divisions.
- Escalation process (Appendix 7): Any risks that have a high or extreme controlled level of risk OR have controls rated as less than effective require treatment plans. If the treatment plan does not reduce the level of risk or increase control effectiveness, the risk is required to be escalated to management for further attention or authority to issue additional action. Management determines if the risk should be escalated further through to the Executive Director. The ELT review the risk and determine whether the risk is to be on the directorate or strategic risk register. When: As required. Who: All Business Units/Divisions.
- Risk treatment plans exist where a risk has been rated as either extreme or high, or the control effectiveness has been rated as less than effective. These treatment plans are reviewed on a regular basis by the risk, control and treatment owners; however, they are only reported on a quarterly basis. When: Quarterly. Who: All Business Units/Divisions.
- Quarterly declarations are submitted every three months and undergo a testing process to determine the quality of the report and the level of compliance. When: Quarterly. Who: Risk Management.
- Communication: Communication and consultation occurs on a regular basis to ensure key stakeholders (both internal and external) are consulted, engaged and actively involved throughout the risk management process. This promotes a consolidated awareness of the department's risk management system and influences behavioural shifts in relation to management of risks. The department has a risk management site which allows all staff to easily access information, tools (i.e. matrix, control descriptors etc), manuals and templates. The department also has regular RAF forums to allow networking and sharing of information and experience relating to risk management. When: Continually. Who: All Business Units/Divisions.
- This allows for lessons learned to be identified and applied to continuously improve upon the DCSI risk management framework and associated practices. This encourages and increases the successful achievement of strategic and business objectives. When: Quarterly. Who: All Business Units/Divisions.
What threats do you see that may affect the achievement of our business unit's goals and objectives?
Internal
Appendix 4
Identify the risks
This step is the first step of the risk assessment. To identify risks, a list of potential things that could stop the organisation from achieving its goals must be developed. This list should always be wide-ranging, as unidentified risks can cause major losses through missed opportunities or adverse events occurring.
Brainstorming will always produce a broad range of ideas and all things should be considered as potential risks. Relevant stakeholders are considered to be the subject experts when considering potential risks to the objectives of the work environment and should be included in all risk assessments being undertaken. Key risks to the organisation/unit can then be identified and captured in the risk assessment worksheet.
The sources and categories of risk template can be useful again in this step to determine which area the risk falls under. There may be more than one area that the risk affects.
When identifying risks, consider the following:
This step is also where opportunities for enhancement or gain across the organisation can be found.
Risks can also be identified through other business operations including policy and procedure development, internal and external audits, customer complaints, incidents and systems analysis.
Appendix 4
Analyse the risk
The second step in the risk assessment is to analyse the risk. This means understanding the essence of the risk, determining the causes and consequences and identifying any existing controls.
Existing controls are things that are already in place such as policies, procedures, training programs etc. These controls require rating as either effective, requires improvement or ineffective.
Once this has occurred, the level of risk can be ascertained. This is done by using the risk assessment matrix (Appendix 6).
The department has created a risk assessment matrix based on its risk appetite and what is and isn't acceptable within the organisational structure. The department has determined that it is not prepared to accept a controlled level of risk above moderate and therefore anything above that rating must have controls recorded as less than effective and have a treatment plan put in place.
However, there are circumstances where a high or extreme level of risk is not treated due to the financial impact and therefore remains at this level. Should this occur, an explanation from the risk owner is then required.
Risk descriptions describe what the risk is, the cause of the risk and the consequences. As the risk description is only meant to be a short, contextual statement, the causes and consequences that are included should centre on the context in which the risk is seen.
Control descriptions describe what the control is, what it does, who performs it and how it is done. If the control is a process or task performed by a particular role (committee, unit or person), they must be named in the control description, as the control owner is not always the person undertaking the process or task. Not every control will require every component; however, the description must reflect exactly how the control is working. If it requires improvement, the weakness of the control is also captured on the risk register.
Treatment descriptions describe what the treatment is, what action is required and who performs the task. As with controls, the person undertaking the task is not always the treatment owner and therefore must be identified in the description.
Appendix 4
Evaluate the risk
Risk evaluation uses the information obtained during the analysis to make decisions about whether the risk is acceptable in its current state or whether further action needs to be taken to mitigate the risk. Decisions regarding whether treatments need to be implemented are required, and then the priority of those treatments is established.
To evaluate the risk, the departmental risk assessment matrix (Appendix 6) is used to determine the levels of risk at the inherent and controlled stages. The control effectiveness is also considered at this point and plays a part in the decision whether treatments are then required.
The Department has ascertained that:
- Any risk where controls are less than effective requires a treatment plan.
- Risks that are rated at the controlled level of risk as extreme or high must have controls rated as less than effective and therefore require a treatment plan.
- Risks that are rated at the controlled level of risk as either moderate or low can be accepted and monitored (provided that the controls have been assessed as effective).
no treatment is available
Risk Appetite
Action required when rating is at controlled level of risk
Extreme:
High:
Appendix 4
Treat / action the risk
Treating / actioning the risk involves selecting measures that contribute to either mitigating the risk or strengthening current controls. It is probable that a combination of options will be required to treat complex risks. The most suitable risk treatment / action options are generally identified as:
Risk Acceptance: When all treatment options have been explored and there is no course of action likely to be effective, or the option will cost more than the benefits gained. It could also be when the risk is of low consequence and unlikely to occur; then it is appropriate to accept the risk. (This may require an explanatory note from the risk owner if the controlled level of risk is rated at extreme or high.)
Risk Retention: When, after careful analysis of the risk, it cannot be avoided, reduced or transferred, or where the cost to do so is not justified. (This requires an explanatory note from the risk owner stating the situation and that they are aware of the current status of the risk.)
Risk Avoidance: This is when stopping or not proceeding with the activity, or choosing an alternative, eliminates the risk. This is not often an option in the Public Sector.
Risk Transfer: This is when the risk is transferred to other parties. This includes taking out insurance policies, outsourcing activities or moving operations to a better equipped part of the department that can handle the risk. In some cases, liability cannot be transferred as contractors may cap their level of liability and therefore responsibility remains with the Government.
Appendix 4
Treat / action the risk (cont)
This element also incorporates evaluating the options, preparing treatment / action plans and implementing those plans. The treatment plan may incorporate one or more of the above options and will document how the chosen treatment options will be implemented.
Information that needs to be included in treatment plans is as follows:
the original due date and the current due date (which can either be brought forward or go beyond the original date)
Appendix 4
Two ongoing themes are constant throughout the risk management process. These are:
Communication and consultation
Effective communication and consultation are essential to ensure that those responsible for managing risk, and those with a vested interest, understand the basis on which decisions are made and why particular treatment / action options are selected or the reasons to accept risks have changed.
Monitoring and review
It is essential to monitor and review the management of risks, as changing circumstances may result in some risks increasing or decreasing in significance. By regularly reviewing the effectiveness and efficiency of controls and the appropriateness of the treatment / action options selected, we can determine if the organisation's resources are being put to the best use possible.
During the quarterly reporting process, management are required to review any risks within their area and follow up on controls and treatments / actions that are mitigating those risks. This allows them to identify any action that is out of date and requires further attention. It is also the time when completed treatments can be converted to controls, levels of risk are confirmed and the retirement or escalation of risks is implemented.
Monitoring and reviewing of risks, controls and treatments also applies to any actions / treatments arising from an internal audit. The audit report will provide recommendations that effectively are treatments for controls and risks that have been tested during an internal review.
Retiring a risk
Retirement of a risk occurs when the organisation no longer considers the risk relevant or in existence, or has mitigated it to a point where the risk has been accepted. However, this can only be when the controlled level of risk is either moderate or low.
Risks are retired for a variety of reasons and can be reactivated should there be a change in the organisational objectives or its internal/external environment.
Retired risks are not deleted from the risk register but may be archived after a period of time.
Appendix 5 - Risk Categories and Potential Sources of Risk
(Table; the mapping of each source to its category could not be recovered from the extracted text, so categories and sources are listed separately.)
Categories: Leadership & Strategic Planning; Knowledge Management / Information Technology; Partnerships / Stakeholder; Customer Service; Legal Compliance; Procurement & Contract Management; Human Resource Management; Finance; Clinical / Practice.
Potential sources of risk listed: Political environment; Leadership and management processes; Government involvement and directions; Ministerial processes; Parliamentary processes and requirements; Financial requirements and conditions; Records management; Business continuity and disaster response; Advancement in technology; Legislative requirements; Legal and governance obstructions; Industry regulations and standards; Legal liabilities; OHS&W; Departmental guidelines (Working Together); reporting; Corporate practices; Protective security; Business continuity and disaster response; Managerial responsibilities; Policies & Procedures; Legislative requirement; Recruitment and allocation of resources; OHS&W; Skilled resources; Privacy & confidentiality; Resource allocation; Training & credentialing of clinicians/practitioners; Documentation; Procurement & contract management; Illegal activity.
Risk Assessment Matrix (rows: likelihood; columns: consequence, highest to lowest)

Likelihood           | 5        | 4 - Major | 3 - Moderate | 2 - Minor | 1 - Insignificant
5 - Almost Certain   | Extreme  | Extreme   | High         | High      | High
4 - Likely           | Extreme  | High      | High         | Moderate  | Moderate
3 - Possible         | High     | High      | Moderate     | Moderate  | Low
2 - Unlikely         | High     | Moderate  | Moderate     | Low       | Low
1 - Rare             | Moderate | Moderate  | Low          | Low       | Low
Risk Appetite
Action required when rating is at controlled level of risk
Extreme:
High:
Likelihood descriptors

Level | Descriptor     | Qualitative      | Quantitative
5     | Almost Certain | Daily to Weekly  | 90-99% certainty of occurrence
4     | Likely         |                  |
3     | Possible       | Annually         |
2     | Unlikely       | Once in 5 Years  |
1     | Rare           | Once in 10 Years |
Impact Categories
Columns in the source table: Client, OHS, Human Resources, Organisational, Financial. Rows: Insignificant, Minor, Moderate, Major and a fifth, highest level (descriptor not recovered). Descriptors recovered from the table, in the order they appear:

Insignificant / Minor:
- Near miss, no injury
- No increase in care
- Non-essential item affected, not likely to result in injury or medical treatment being required
- Incident report or first aid treatment required (OHS)
- Negligible financial loss or over-expenditure within cost centre (Financial)
- Requires monitoring and corrective action within existing cost centre budget (Financial)

Moderate:
- Temporary breakdown in key relationship
- Widespread negative reporting in media
- Premier or Ministerial involvement
- Prosecution of a staff member

Major:
- Hospitalisation, Dangerous Occurrence, Notifiable work-related injury/illness/death
- Multiple non-conformances from WorkCover evaluation leading to financial penalties and stringent administrative controls
- SafeWork SA intervention due to non-compliance with legislation, regulations or codes leading to the issuing of multiple Improvement Notices
- Ongoing widespread negative reporting in media
- High-level independent investigation with adverse findings
- Department being sued/prosecuted

Highest level:
- Multiple deaths
- SafeWork SA intervention due to non-compliance with legislation, regulations or codes leading to the issuing of a Prohibition Notice or prosecution
- Loss of a majority of departmental workforce
- Inability to replace critical services
Risk escalation flowchart (decision nodes and outcomes recovered from the figure):
- Decision: Is the control effectiveness rated as less than effective?
  Yes: Treatment / action plan required.
  No: No escalation required - manage risk at local level.
- Outcome: Escalation to management required through the quarterly reporting process.
- Outcome: No further escalation required; monitor and review at local level.
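The matrix, the retirement rule (a risk may be retired only when its controlled level of risk is Moderate or Low) and the flowchart decision on control effectiveness can be checked mechanically against a risk register. The script below is an added example, not part of the DCSI framework document: the Risk class, the sample register entries and the condition under which an under-controlled risk is escalated through quarterly reporting (controlled rating of High or Extreme) are assumptions, and the unnamed highest consequence column is referred to as level 5.

```python
"""Risk matrix scoring, retirement and escalation checks (added example).

Encodes the risk assessment matrix above and two rules stated in the text:
a risk may be retired only when its controlled level of risk is Moderate or
Low, and a control rated less than effective requires a treatment / action
plan. The test that triggers escalation through quarterly reporting is an
assumption (controlled rating of High or Extreme); the page gives the
outcome but not the exact condition.
"""
from dataclasses import dataclass

LIKELIHOOD = {5: "Almost Certain", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Rare"}
# The page does not name consequence level 5; it is referred to by number only.
CONSEQUENCE = {5: "Level 5", 4: "Major", 3: "Moderate", 2: "Minor", 1: "Insignificant"}

# Rows: likelihood 5..1. Columns: consequence 5..1 left to right, as in the matrix above.
MATRIX = {
    5: ("Extreme", "Extreme", "High", "High", "High"),
    4: ("Extreme", "High", "High", "Moderate", "Moderate"),
    3: ("High", "High", "Moderate", "Moderate", "Low"),
    2: ("High", "Moderate", "Moderate", "Low", "Low"),
    1: ("Moderate", "Moderate", "Low", "Low", "Low"),
}
RANK = {"Low": 0, "Moderate": 1, "High": 2, "Extreme": 3}

# Control effectiveness values (assumed vocabulary); anything other than
# "effective" counts as "less than effective" in the flowchart decision.
EFFECTIVENESS = ("effective", "requires improvement", "not effective")


def rate(likelihood: int, consequence: int) -> str:
    """Look up the level of risk for a likelihood/consequence pair (both 1..5)."""
    if likelihood not in MATRIX or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must be integers 1..5")
    return MATRIX[likelihood][5 - consequence]


def matrix_is_monotonic() -> bool:
    """Sanity check: the rating never drops as likelihood or consequence rises."""
    for lik in range(1, 6):
        for con in range(1, 6):
            here = RANK[rate(lik, con)]
            if lik < 5 and RANK[rate(lik + 1, con)] < here:
                return False
            if con < 5 and RANK[rate(lik, con + 1)] < here:
                return False
    return True


@dataclass
class Risk:
    """One risk register entry with inherent and controlled ratings (assumed structure)."""
    name: str
    inherent_likelihood: int
    inherent_consequence: int
    controlled_likelihood: int
    controlled_consequence: int
    control_effectiveness: str

    def __post_init__(self):
        if self.control_effectiveness not in EFFECTIVENESS:
            raise ValueError(f"unknown control effectiveness: {self.control_effectiveness}")

    def inherent_level(self) -> str:
        return rate(self.inherent_likelihood, self.inherent_consequence)

    def controlled_level(self) -> str:
        return rate(self.controlled_likelihood, self.controlled_consequence)


def can_retire(risk: Risk) -> bool:
    """Retirement is allowed only when the controlled level of risk is Moderate or Low."""
    return risk.controlled_level() in ("Moderate", "Low")


def needs_treatment_plan(risk: Risk) -> bool:
    """Flowchart decision: is the control effectiveness rated as less than effective?"""
    return risk.control_effectiveness != "effective"


def escalation(risk: Risk) -> str:
    """Escalation outcome for a risk, using the flowchart wording."""
    if not needs_treatment_plan(risk):
        return "No escalation required - manage risk at local level"
    # Assumption: escalate when an under-controlled risk still rates High or Extreme.
    if RANK[risk.controlled_level()] >= RANK["High"]:
        return "Escalation to management required through the quarterly reporting process"
    return "No further escalation required; monitor and review at local level"


# Constructed sample register (illustrative values, not taken from the document).
SAMPLE_REGISTER = [
    Risk("Client records exposed through unpatched system", 4, 4, 3, 4, "requires improvement"),
    Risk("Contractor fails to deliver service", 3, 3, 2, 3, "effective"),
    Risk("Minor over-expenditure in cost centre", 3, 1, 2, 1, "not effective"),
]


def review_register(register):
    """Return (name, controlled level, retirable?, escalation text) for each risk."""
    return [(r.name, r.controlled_level(), can_retire(r), escalation(r)) for r in register]


if __name__ == "__main__":
    assert matrix_is_monotonic()
    for row in review_register(SAMPLE_REGISTER):
        print(row)
```

The monotonicity check is worth keeping in any register tool: a matrix edit that makes a higher likelihood or consequence produce a lower rating is a common transcription error and would silently let risks be retired that should not be.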
Clinical Governance: The system by which the governing body, managers and clinicians share responsibility and are held accountable for consumer care, minimising risks to clients and continuously monitoring and improving the quality of clinical care. It ensures accountability structures are in place to manage performance issues.
Control Owners: The owners of a control process that mitigates an identified risk. Where controls are evaluated as requiring improvement or not effective, the control owner will participate in developing a treatment to ensure the effectiveness of the control.
Corporate Governance: For the public sector this has very broad coverage, including how an organisation is managed, its corporate and other structures, its culture, policies and strategies, and the way it deals with its various stakeholders. Good governance is important to provide adequate accountability to the many stakeholders and to encourage performance improvement while satisfying control and compliance requirements.
External Context: The external environment in which the organisation seeks to achieve its objectives (i.e. political, economic, socio-economic, technological, legislative and environmental aspects).
Risk Event: The occurrence of a risk. The risk may occur as a one-off event or may continue to occur as an ongoing event.
Internal Context: The internal environment in which the organisation seeks to achieve its objectives (i.e. strengths, weaknesses, opportunities and threats).
Level of Risk (LoR): The magnitude of a risk expressed in terms of the combination of consequences and their likelihood.
Inherent LoR:
Risk Analysis: Process used to understand the nature of risk and to determine the level of risk.
Risk Assessment: Process of risk identification, risk analysis and risk evaluation.
Risk Appetite: The amount and type of risk that an organisation is prepared to pursue, retain or take; this is illustrated by the risk assessment matrix.
Risk Description: A short statement using the formula "Risk Name due to Cause results in Consequences".
Risk Evaluation: Process of comparing the results of risk analysis against risk criteria to determine whether the level of risk is acceptable or tolerable.
Risk Financing: Form of risk treatment involving budgetary arrangements to meet the financial costs should a risk occur.
Risk Management Framework: Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the organisation.
Risk Assessment Matrix: The tool for ranking and displaying risks by defining ranges for likelihood and consequence.
Risk Register: A set of identified risks, controls and treatments (also known as a Risk Profile).
Risk Retention: Form of risk treatment where there is acceptance of the benefit of gain, or burden of loss, from a particular risk.
Risk Sharing: Form of risk treatment involving the agreed distribution of risk with other parties.
Risk Source: Anything which alone or in combination has the intrinsic potential to give rise to risk.
Risk Tolerance: An individual's or organisation's readiness to bear the risk after risk treatments in order to achieve its objectives.
Risk Transfer: Moving the liability for the risk to another party or sharing the risk (contracting, outsourcing, insuring).
Risk Treatment / Action: Process of selection and implementation of measures to modify risk.
Stakeholder (Internal and External): Any person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity.
Treatment / Action Owners: Treatment owners are responsible for the implementation of treatments. Treatment owners should agree the treatment design and resourcing, and agree timeframes for implementation, with Directors, Risk owners and possibly Control owners.