Risk management framework
Security classification: PUBLIC
Reference number: DSITI:FW:001P
Policy owner: Executive Director, Strategic Transformation & Performance
Contact officer: Principal Consultant, Risk Management, (07) 3719 7887, [email protected]

Version | Effective date | Approved by | Next review date
1.2 | 07/04/2015 | Policy Coordinator | November 2015
Table of Contents
1 Introduction
2 Purpose
3 Principles and benefits
4 The framework
4.1 Risk governance and assurance
4.1.1 Risk governance
4.1.2 Risk assurance
4.2 Risk management policy
4.3 Risk management system
4.3.1 Culture and capability
4.3.2 Tools and templates
4.3.3 Risk reporting
4.3.4 Evaluation and review
4.4 Risk management processes
4.4.1 Strategic risk
4.4.2 Departmental risk
4.4.3 Business area risk
4.4.4 Project and program risk
4.4.5 Cross-agency risk
4.4.6 Specific risk functions
5 Definitions
6 References
Attachment 1: DSITI risk assessment matrix
1 Introduction
While there are many varied definitions of risk, it is generally accepted that if management knows for certain that something is going to happen, it has no risk attached to it. Should there be an element of uncertainty surrounding it, then risk exists. Accordingly, AS/NZS ISO 31000:2009: Risk management – principles and guidelines defines risk as ‘the effect of uncertainty on objectives’. Risk management is not a process for avoiding risk, but rather for managing it. The public sector tends to focus on the downside aspect of risk. However, risk doesn’t just relate to the challenges facing the department, but also to the opportunities; they are two sides of the same coin. The Queensland Government’s values certainly encourage a positive approach to risk taking. Therefore, the framework encompasses both possible threats and opportunities, reflecting the potential for either of these to impact positively or negatively on the department’s vision and purpose.
Risk management should be treated as an integral part of planning, management and decision making processes that need to be considered and addressed by everyone. Effective risk management is a useful discipline in a manager’s armoury and will help achieve objectives, improve service delivery, accountability and decision-making, and ultimately contribute to the success of the department.
2 Purpose
The risk management framework (the framework) provides an overview of the key concepts for managing risk within the department and guidance on how the risk management processes can be integrated with normal management processes and responsibilities.
The construct of the framework is based on the following prescribed legislative requirements, international best practice and government guidelines:
• Financial Accountability Act 2009
• Financial and Performance Management Standard 2009
• AS/NZS ISO 31000:2009: Risk management – principles and guidelines
• Queensland Treasury and Trade’s A guide to risk management, July 2011.
3 Principles and benefits
The framework is based on the AS/NZS ISO 31000:2009 principles (Figure 1):
Figure 1 – Risk Management Principles
• Risk management will not make decisions for the business.
• Risk management will not guarantee freedom from all risk.
• Risk assessments will not be all-encompassing and are therefore not fail-safe.
The benefits of managing risk are depicted in Figure 2:
Figure 2 – Risk management benefits
4 The framework
A risk management framework is a ‘set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation¹’. The framework (Figure 3) comprises the following four components, which are each described in the body of this document:
1. governance and assurance
2. risk management policy
3. risk management system
4. risk management process.
Figure 3 - Components of the risk management framework
¹ AS/NZS ISO 31000:2009: Risk management - Principles and guidelines
4.1 Risk governance and assurance
4.1.1 Risk governance
This component of the framework purposely aligns with the department’s governance framework, enabling risk related information to better inform decision-making. Figure 4 illustrates the four types of risk mapped against the department’s corporate governance framework.
Figure 4 – Risk types mapped against the DSITI leadership and accountability model
The risk governance arrangements ensure the Board of Management (BoM), governance committees, divisional heads and business area executives have the relevant information to oversee and manage their risks.
For strategic level governance:
• BoM provides corporate governance leadership and promotes effective risk management. This includes the review of the department’s strategic risk profile and the associated treatment strategies, setting the department’s risk appetite and moderating strategic and departmental risks from a whole-of-department perspective.
• The Audit and Risk Management Committee is responsible for reporting to the Director-General on the effectiveness of the risk management framework.
• Departmental risks will be captured in the departmental risk register, which will provide divisional heads, functional heads and governance committees with an enterprise view of risks common across all divisions, in particular human resource, finance and information communications technology related risks.
For operational level governance:
• Executive management oversee and provide direction for risks within their business area. These risks will be captured at the operational or local level.
• Program and project boards will provide oversight and direction for project and program risks relating to change initiatives. These types of risks will be managed using prescribed Queensland Government program and project management methodologies (see 4.4.4).
The risk governance model (Figure 5) depicts the relationship between the four risk types and how risks are captured, reported and may be escalated in line with the department’s governance and accountability arrangements.
Figure 5 – Risk Governance model
4.1.2 Risk assurance
Risk assurance is an important component of the framework as it provides feedback to management that quality processes and controls are in place and effective. The two risk assurance mechanisms are:
Risk management monitoring and reporting
The department’s Risk management policy details the roles and responsibilities of key officers and governance committees in relation to monitoring and reporting on risk. The effective execution of these responsibilities will provide the department with the assurance that:
• risks have been assessed in accordance with the department’s risk management framework
• risks are regularly monitored and reported
• emerging risks are escalated to the appropriate level of management
Internal Audit
Internal Audit’s annual plan tests the internal controls around DSITI’s material risks. Internal Audit may periodically conduct reviews of the risk management framework and report on its effectiveness. They will bring objectivity and consultation by using a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
4.2 Risk management policy
The policy is a key component of the risk management framework and states the overall intention and direction of the department’s senior executive in relation to risk management, emphasising the risk management philosophy and responsibilities for managing risk. The key objective of the policy is to ensure everyone actively manages risk within their area of responsibility and fosters a culture where risk is appropriately identified, assessed, communicated and managed.
The policy is managed by the Strategic Transformation and Performance (STP) unit and will be reviewed annually to reflect any changing circumstances within the department.
4.3 Risk management system
Risk management capability is a key driver for the effective management of risk. This component of the framework describes the systems that support a risk capable organisation. To build a risk capable department it is important for staff to be provided with relevant training, tools and templates. Deputy/Assistant Directors-General, General Managers, Executive Directors and Directors are responsible for ensuring their staff are appropriately skilled, trained and supported to identify and manage risks effectively. By cultivating a risk capable organisation the department will enhance its awareness and responsiveness so that risks and opportunities can be identified and managed.
4.3.1 Culture and capability
All managers within the department have an important role in developing a risk aware culture. The Queensland Government’s values positively encourage a risk culture where understanding, managing and calculating a prudent level of risk is part of the everyday decision-making process. This is in contrast to a negative risk culture where people are risk averse, ignorant of risk or overconfident with risk-taking. The elements that will contribute to a positive risk culture are:
• leadership, which is articulated in the policy
• communicating the benefits of risk management
• integrating risk management with other business processes and systems so the task of managing risk is not regarded as an additional burden.
4.3.2 Tools and templates
STP has developed guidelines, tools and templates to assist staff in the identification, analysis and monitoring of risk. Refer to risk management processes and guidelines in section 4.
These tools and templates will include:
• departmental risk criteria (consequence and likelihood table and risk matrix (see Attachment 1))
• departmental risk register template and supporting guidelines.
4.3.3 Risk reporting
Risk reporting is an important way of communicating risk information across the department and to stakeholders. Therefore, risk reporting has been closely aligned with the department’s governance structure (Figure 5).
The department has multiple layers of reporting:
1. Strategic and significant operational risks that affect the department as a whole will be reported to BoM at least quarterly and more often when BoM identifies a need to monitor more regularly. The STP unit will coordinate risk reporting to BoM.
2. Departmental risks will be captured in the departmental risk register. These are the ‘high’ and ‘extreme’ risks extracted from the business area risk registers and reported to BoM, governance committees and corporate functional heads. The secretariat of each governance committee will coordinate relevant risk reporting to the governance committees for consideration at each meeting.
3. Divisional Heads, General Managers, Executive Directors and Directors should define risk reporting timeframes and requirements for their areas of responsibility. Risk reporting at the business area level should be integrated into existing reporting arrangements.
4.3.4 Evaluation and review
Risk management goes beyond reviewing the risks themselves and extends to reviewing the department’s risk management capability and governance systems. As risks, risk management capabilities and the risk environment are constantly changing and evolving, there will be a regular review of the risk management framework to ensure it is fit for purpose.
The Audit and Risk Management Committee is responsible for reviewing the adequacy of the department’s risk management framework and its application. While the committee has no responsibility for managing the risks themselves, they are responsible for regularly reviewing the framework to provide assurance to the Director-General that it remains relevant and robust. Business areas should periodically evaluate their local risk management practices to ensure they align with the framework and are operating effectively.
An emphasis will be placed on continual improvement in risk management through the review and subsequent modification of processes, systems, resources, capability and skills.
4.4 Risk management processes
The department aims to create a culture where understanding, managing and accepting risks are seen as part of everyone’s decision making processes. To do this, the management of risk is embedded within the department’s business processes. As shown in the risk governance model (Figure 5) the framework defines four risk types. These are described briefly below.
4.4.1 Strategic risk
Strategic risks are the high level, long-term risks, which can be complex and less easy to quantify. They are the risks of most concern to the senior executive and therefore require direct attention by BoM. They are usually identified through analysis of environmental factors, stakeholder expectations and strategy development and will likely have a material impact on the department’s ability to achieve its government mandate and strategic objectives.
Strategic risk management is not intended to identify every risk facing the department but to identify those that are most significant to achieving its vision and purpose. Therefore, strategic risk management is most effective when conducted as an integral part of the strategic planning process. This type of risk information will be presented via a strategic risk profile, i.e. a high-level synopsis of the department’s key risk factors, developed in consultation with senior management, which includes the risk treatment strategies that require implementation.
In determining the strategic risk profile the department will have to collect information, through environmental scanning, which is broad enough to include a range of trends, influences and time horizons. The department’s strategic risk profile will be refreshed on a six monthly basis to alert BoM to potentially significant changes to the operating environment. Knowledge of the internal and external challenges will also help determine the department’s risk appetite, which is the amount of risk the department is willing to accept in pursuit of its vision and purpose. A good understanding of the internal and external context, including government priorities and interagency demands, will increase awareness of the risks we face, identify threats and opportunities, build resilience, and improve long/medium term planning.
Refer to the Strategic risk management process and guidelines (under development) for a description of managing strategic risk.
4.4.2 Departmental risk
Departmental risk predominantly relates to corporate services and functional business processes that support the department’s service delivery objectives, e.g. finance, procurement, human resources, industrial relations management, information management, technology etc. On a quarterly basis the ‘high’ and ‘extreme’ risks will be extracted from the business areas’ risk registers and consolidated into a single departmental risk register, owned and maintained by the STP unit.
This risk type takes a horizontal perspective of risk across the department. Figure 6 illustrates the horizontal view in contrast to the vertical/hierarchical view of divisional and business area risk. The identification of departmental risks will support BoM, governance committees, divisional heads (ADG, DDG) and functional heads (CFO, CIO) in fulfilling their responsibility for overseeing risks across the department.
In view of this, corporate functional heads have to consider risk from two perspectives:
• business area risks – those risks that relate to their business area’s purpose, objectives and operations
• departmental risks – those risks that relate to the department as a whole, or a number of business areas.
While this risk type mainly focuses on corporate services, there may be risks that affect other agencies. In which case, ‘high’ and ‘extreme’ interagency risks should also be recorded under the departmental risk register.
Figure 6 – Departmental risk type (horizontal and vertical risk perspectives)
4.4.3 Business area risk
Business area risks (also known as operational risks) are the day-to-day risks associated with business area activities. It is these risks that will most likely have a material impact on a business area’s ability to achieve its business and operational objectives. These risks are managed by the individual business areas and relate to the business area’s purpose, objectives and operations. By integrating risk management into business and operational planning, risks can be managed vertically (Figure 6), linking operational plans and specific purpose plans with the department’s strategic plan.
Each business area has responsibility for managing its key risks and recording them in a risk register. The ‘high’ or ‘extreme’ risks, rated by the business areas, will be extracted and entered in the departmental risk register. Each risk rating will be re-evaluated against the DSITI risk assessment matrix to ensure risks align with the broader departmental context.
The risk management process to be used is based on AS/NZS ISO 31000:2009: Risk management – Principles and guidelines (Figure 7). The business area Risk management process guideline describes the process for managing and assessing risk in greater detail. The guideline includes:
• process description
• risk assessment matrix (see Attachments 1 and 2)
• risk register template
• risk identification techniques
• risk controls and effectiveness.
Figure 7 – AS/NZS ISO 31000 risk management process
4.4.4 Project and program risk
Project and program risk refers to the risks unique to a specific project/program. The department regularly undertakes significant projects and programs, management of which should be consistent with the Queensland Government Project and Program Management methodologies. These methodologies stipulate the requirement and approach to managing risk within the project/program environment and align with AS/NZS ISO 31000:2009 Risk management – Principles and guidelines.
Projects and programs should maintain a separate risk register and regularly report the risks to the project/program governing body. Any significant risk that is strategic in nature should also be incorporated in the departmental risk register to ensure visibility across the enterprise.
Some technical projects may use customised likelihood and consequence scales, e.g. timeframes, budget, quality benefits. In these circumstances strategic or ‘extreme’ risks should be moderated against the department’s risk assessment matrix. For example, a cost over-run of 100% of a project budget may be ‘extreme’ within the context of the project, but only ‘moderate’ or ‘low’ within the broader departmental context.
4.4.5 Cross-agency risk
Cross-agency risk is a risk that relates to more than one agency and may require treatment by multiple agencies to be effective. As the Queensland Public Sector embarks on a number of major reform initiatives, cross-agency risk management will require a high level of collaboration.
DSITI is a major provider of services across government and has lead agency responsibility for whole-of-government ICT reform, as well as participatory responsibility for other government-wide initiatives. Therefore, any cross-agency risk that requires the department to contribute to the treatment strategy should be formally recorded and a suitable risk owner nominated to ensure the risk/treatment is managed effectively. If there is no suitable risk owner, i.e. the risk is beyond the nominee’s delegation, the risk should be formally escalated up the governance hierarchy for reassignment.
As a lead agency (ICT Reform) the department is responsible for opening up the dialogue within the cluster of departments and gaining a broader understanding of the relationship between the agency’s risks, cross-agency risks and whole-of-government risks.
4.4.6 Specific risk functions
Fraud and corruption
Fraud and corruption risk management is an important subset of the department’s overall risk management framework. The department and its constituent business areas are required to conduct a fraud risk assessment on a regular basis; in doing so, the assessment should be consistent with the process prescribed in the framework (Figure 7). Correspondingly, provision for fraud has been integrated into the departmental risk register to enhance fraud and corruption reporting.
Refer to the Fraud and corruption prevention policy and Fraud and corruption reporting guideline.
Business continuity management
Some risk is unavoidable and it is not within the ability of the department to completely manage, e.g. natural disasters. A key strategic risk for the department and its business areas is the inability to remain operational and continue delivering government services. In these instances, the only action that can be taken is the preparation of contingency plans for business continuity. Business continuity management is a key mitigating factor as it increases the department’s resilience in, response to and recovery from events that may disrupt business services and operations. Refer to the Business continuity and community resilience policy and framework.
Work Health and Safety
Officers (persons conducting a business or undertaking) are responsible for protecting workers and other persons against harm to health, safety and welfare through the elimination or minimisation of risks arising from work or from particular types of substances or plant. The management of risk is an important element in gaining an understanding of the operation and taking into account all relevant matters including:
• likelihood of the hazard or the risk concerned occurring
• degree of harm that might result from the hazard or the risk
• what the person concerned knows, or ought reasonably to know about the hazard or the risk and ways of eliminating or minimising the risk
Non-compliance with Work Health and Safety legislation can result in severe consequences, including personal fines up to $600,000 or imprisonment for up to five years.
Refer to the Work health and safety policy.
5 Definitions
The following definitions are consistent with AS/NZS ISO 31000:2009 and ISO Guide 73:2009 (where applicable).
Business area: A departmental unit that reports to an Assistant/Deputy Director-General.

Business area risk: Risks that relate to the business area’s purpose, objectives and operations. Also see Operational risk.

Cause: Something that results in an event.

Consequence: The outcome of an event or circumstance affecting the achievement of objectives.
• An event can lead to a range of consequences
• A consequence can be certain or uncertain and can have positive or negative effects on objectives
• Consequences can be expressed qualitatively or quantitatively
• Initial consequences can escalate through knock-on effects.

Control: Measure that is modifying risk.
• Controls include any process, policy, device or practice, or other actions which modify risk
• Controls may not always exert the intended or assumed modifying effect.

Corruption: Involves a breach of trust in the performance of official duties and includes conduct which does or could adversely affect the honest or impartial exercise of official functions by an employee, whether or not for the benefit of the person. It also includes conduct by an employee involving dishonesty or failure to impartially exercise an official function.

Current risk: The risk remaining after risk treatment. It is the level of risk that remains after assessing the effectiveness of the controls, treatments and any management strategies and other mechanisms currently in place to modify a particular risk. Note: this is the same definition as ‘residual risk’ in ISO Guide 73:2009. Efforts have been made to use everyday language rather than purist risk management speak.

Departmental risk: Operational risks that relate to the department as a whole, sometimes referred to as ‘corporate risk’. These risks are common across multiple business areas or potentially interagency.

Division: A group of business areas that report to a Deputy/Assistant Director-General.

Divisional head: Deputy Director-General or Assistant Director-General responsible for a number of business areas.

Existing control: Controls that are in place at the time of risk identification and at the time of initial risk rating.

Fraud: Refers to an intentional dishonest act or omission done with the intent of deceiving. It may have the object of obtaining a benefit for some person or causing a detriment. It includes the situation where a person makes a false representation about something and lacks belief in the truth of the representation or makes it recklessly, not caring whether it is true or false.

Impact: See Consequence.

Interagency risk: A risk that relates to more than one agency (for example, collaborative projects) and requires treatment by multiple agencies to be effective.

Level of risk: The magnitude of a risk measured in terms of the combination of the consequences and likelihood.

Likelihood: The chance of something happening.

Operational risk: Those risks that arise in day to day operations, and which require specific and detailed response and monitoring regimes. If not treated and monitored, organisational risk could potentially result in major adverse consequences for the department. Queensland Treasury and Trade’s A guide to risk management further expands on this definition, stating: A risk that may arise in day to day operations and could have an impact on the achievement of:
• the department’s strategic objectives from the perspective of actions undertaken by a particular division, business area, branch or work unit
• program or project management objectives.
Also see Business area risk.

Program: A grouping or list of projects and activities planned and managed in a coordinated way in order to achieve outcomes and realise benefits.

Project: A temporary process or endeavour which has a clearly defined start and end time,

Project management: The management of the full project life cycle to ensure stakeholders are fully engaged, risk is actively managed and outputs are delivered. It is the planning, monitoring and control of all aspects of the project to achieve the project objectives on time and to the specified cost, quality and performance.

Residual risk: See Current risk.

Risk: The effect of uncertainty on objectives.
• An effect is a deviation from the expected – positive and/or negative.
• Objectives can have different aspects and can apply at different levels (such as strategic, organisation wide, project, product and process).
• Risk is often characterised by reference to potential events and consequences or a combination of these.
• Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.
• Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.

Risk analysis: The systematic process to comprehend the nature of risk and level of risk.

Risk appetite: The amount and type of risk the department/business area is prepared to pursue or take to achieve an objective.

Risk assessment: The three process steps of risk identification, risk analysis and risk evaluation form the risk assessment.

Risk category: A way of categorising a risk to enhance risk identification and analysis and risk reporting.

Risk criteria: Terms of reference against which the significance of a risk is assessed.

Risk description: Statement of risk, which describes the risk in terms of the risk event, causes and consequences of the risk.

Risk escalation: Process facilitating a change of risk ownership to the next higher management level in cases where the approval and management of additional controls is beyond the delegation/authority of the management level at which the risk was identified.

Risk evaluation: Process of comparing the results of the risk analysis against risk criteria to

Risk event: An uncertain occurrence or set of circumstances that, should it occur, will have an effect on the achievement of an objective.
• An event can consist of something not happening
• An event can be one or more occurrences, and can have several causes.

Risk treatment action: Any specific action designed to reduce the likelihood or consequence of a risk.

Strategic risk: Risks that may affect the department’s ability to meet its overall purpose and strategic objectives and require direct oversight by BoM.
6 References
The requirements set out in this document are based on, and are consistent with, relevant
government legislation, regulations, directives, information standards and/or policies at the time of publication.
Legislation and regulations
Financial Accountability Act 2009
Financial and Performance Management Standard 2009
Work Health and Safety Act 2011
Professional standards
AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines
IEC/ISO 31010 – Risk Management – Risk assessment techniques
ISO Guide 73:2009 – Risk Management - Vocabulary
Standards Australia HB 89–2012 Risk Management – Guidelines on risk assessment techniques
Queensland Government documents
A Guide to Risk Management, Queensland Treasury and Trade
Beyond Agency Risk – Auditor-General of Queensland Report to Parliament No 6 for 2007
Better Practice Guide – Risk Management– Queensland Audit Office
Financial Accountability Handbook – Queensland Treasury and Trade
Queensland Government Project and Program Management methodologies
DSITI documents
Business continuity and community resilience framework
Business continuity and community resilience policy
Fraud and corruption prevention guideline
Fraud and corruption prevention policy
Risk management policy
Risk management process guideline
Risk register template
Strategic risk management process and guidelines (under development)
Work health and safety policy
Other documents
Risk Management Toolkit for the NSW Public Sector
7 Licence
The Risk management framework by The State of Queensland, Department of Science, Information Technology and Innovation is licensed under a Creative Commons Attribution 4.0 International licence.
Attachment 1: DSITI risk assessment matrix

Likelihood levels

Likelihood level | Description | Chance of this risk eventuating
Unlikely | Occurrence is conceivable, but not expected to occur. | < 30%
Possible | The event may occur at some time. | 30–60%
Likely | The event may occur at least once over the coming year. | 61–90%
Almost certain | Can probably expect it to occur in most circumstances. | > 90%

DSITI consequence descriptions

Severe
Threatens the department’s ability to meet government priorities, deliver public value or achieve strategic objectives.
Financial – Long term impact on departmental finances. Losses not recoverable beyond the next financial budget, jeopardising critical business functionality and services. Or, exposure of >$500k to unfunded financial commitments².
Service Delivery – Disruption to multiple critical deliverables³. Causes acute and protracted problems for clients and stakeholders.
Reputation – Affects the department’s long term credibility with clients and stakeholders. Loss of public trust. Severe political consequences that incur Parliamentary enquiries or prolonged public scrutiny / media attention.
People/WHS – Reduced workforce capability/capacity threatens long term service delivery. Death or permanent disablement.
Environmental – Permanent damage to the environment.

Major
Financial – Medium term impact on departmental finances. Losses not recoverable within current financial budget. Or, exposure of between $100k and $500k to unfunded financial commitments².
Service Delivery – Disruption to a critical deliverable³. Threatens the completion of strategic program/project and business case benefits. Causes problems for clients and stakeholders in fulfilling their obligations.
Reputation – Has a detrimental effect on the department’s short term credibility with clients and stakeholders. Political consequences for the department, incurring independent enquiry or short term public scrutiny / media attention.
People/WHS – Reduced workforce capability/capacity unable to support key services. Serious injury or work caused illness.
Environmental – Long term detrimental impact on the environment.

Moderate
Financial – Short term impact on departmental finances. Losses recoverable within the current financial budget. Or, exposure of <$100k to unfunded financial commitments².
Service Delivery – Interruption to essential support deliverables and associated service performance targets. Threatens the realisation of some program or project benefits.
Reputation – Causes client and stakeholder dissatisfaction, and has a detrimental effect on the business area’s credibility and stakeholder relations. Incurs significant review or change in manner of delivery.
People/WHS – Reduced workforce capability/capacity affects service quality. Injury/illness requires medical treatment.
Environmental – Short term impact on the environment. Able to be contained with specialist assistance.

Minor
Financial – Minimal impact on departmental finances. Losses recoverable within the current financial budget. It would have some minor financial implications requiring a review of financial internal controls.
Service Delivery – Minor interruption to a service/s and associated service performance targets. It would be detrimental for some aspects of the program or project.
Reputation – It would cause some client or stakeholder complaints requiring additional management.
People/WHS – Reduced workforce capability/capacity affects operational processes. Localised first aid required.
Environmental – Minimal detrimental impact on the environment.

Risk rating matrix (consequence level against likelihood level)

Consequence level | Unlikely | Possible | Likely | Almost certain
Severe | Medium | High | Extreme | Extreme
Major | Medium | High | High | Extreme
Moderate | Low | Medium | High | High
Minor | Low | Low | Medium | Medium

² The $ value is a guide. Where necessary, advice should be sought from DSITI Finance, Procurement and Business Services to estimate materiality consequences.
Attachment 2: DSITI risk rating responses

Extreme
Response:
• Reported to Director-General via DDG/ADG and existing management structures within 48 hours of identification.
• Risk owner assigned.
• Risk target established and risk treatment actions developed including contingency plan.
• BoM/Governance committees to be made aware and provide guidance.
• Progress regularly reported to BoM.
Acceptability: Unacceptable

High
Response:
• Reported to Director-General via DDG/ADG and existing management structures.
• Risk owner assigned.
• Risk target established and where risk target is lower than overall risk rating, establish risk treatment actions and contingency plan (where relevant).
• Progress reported to BoM, DDG/ADG or Functional Heads.
Acceptability: Unacceptable

Medium
Response:
• Reported to General Manager/Executive Director/Director via existing management structures.
• Risk owner assigned.
• Risk target established and where risk target is lower than overall risk rating, establish risk treatment actions and contingency plan (where relevant).
• Progress reported regularly to GM/ED/Director or Functional Heads.
Acceptability: Risk eventuation may be tolerable under certain circumstances

Low
Response:
• Monitor the risk.
• Should be managed via routine procedures and internal reporting mechanisms.
• Risk owner assigned.
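The following is an added worked example, not code from the DSITI framework document, that turns Attachment 1 (likelihood bands and the consequence/likelihood rating grid) and Attachment 2 (responses per rating) into a small register tool, and applies them to the quarterly extraction described in sections 4.3.3 and 4.4.3 (only ‘high’ and ‘extreme’ risks move from business area registers into the departmental register, each re-rated against the DSITI matrix) and the moderation of project-specific ratings described in 4.4.4. The grid and the likelihood bands are transcribed from the attachments; the `Risk` record, the function names (`likelihood_from_chance`, `rate`, `consolidate`), the abbreviated response strings and the sample register entries are constructed for illustration. The attachments leave a gap between 60% and 61%; the example treats anything above 60% and up to 90% as ‘Likely’, which is an assumption rather than something the document states.

```python
"""Rating risks with the DSITI matrix and building the departmental register.

Added example; not code from the DSITI framework document. The likelihood
bands, the rating grid and the rating responses are transcribed from
Attachments 1 and 2; the Risk record, the function names and the sample
register entries are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

LIKELIHOODS = ("Unlikely", "Possible", "Likely", "Almost certain")

# Attachment 1 rating grid, indexed as RATING[consequence][position of likelihood].
RATING = {
    "Severe":   ("Medium", "High", "Extreme", "Extreme"),
    "Major":    ("Medium", "High", "High", "Extreme"),
    "Moderate": ("Low", "Medium", "High", "High"),
    "Minor":    ("Low", "Low", "Medium", "Medium"),
}

# Attachment 2 responses, abbreviated to the reporting line and the acceptability.
RESPONSE = {
    "Extreme": ("Unacceptable", "Report to Director-General via DDG/ADG within 48 hours of identification"),
    "High":    ("Unacceptable", "Report to Director-General via DDG/ADG via existing management structures"),
    "Medium":  ("May be tolerable under certain circumstances", "Report to GM/ED/Director via existing management structures"),
    "Low":     (None, "Monitor via routine procedures and internal reporting"),  # acceptability not stated in the attachment
}


def likelihood_from_chance(percent: float) -> str:
    """Map a percentage chance of eventuation to an Attachment 1 likelihood level.

    The attachment's bands are <30%, 30-60%, 61-90% and >90%, so a value such as
    60.5% is not covered. Assumption made here: anything above 60% and up to 90%
    is 'Likely', so no estimate falls into the gap.
    """
    if not 0 <= percent <= 100:
        raise ValueError(f"chance must be a percentage in [0, 100], got {percent!r}")
    if percent < 30:
        return "Unlikely"
    if percent <= 60:
        return "Possible"
    if percent <= 90:
        return "Likely"
    return "Almost certain"


def rate(consequence: str, likelihood: str) -> str:
    """Overall risk rating for a consequence/likelihood pair (Attachment 1 grid)."""
    if consequence not in RATING or likelihood not in LIKELIHOODS:
        raise ValueError(f"unknown consequence/likelihood: {consequence!r}/{likelihood!r}")
    return RATING[consequence][LIKELIHOODS.index(likelihood)]


@dataclass
class Risk:
    title: str
    business_area: str
    chance_percent: float               # business area's estimate of likelihood
    dept_consequence: str               # consequence judged against the DSITI descriptors
    local_rating: Optional[str] = None  # rating on a customised project scale, if one was used


def consolidate(register: list[Risk]) -> list[dict]:
    """Quarterly extraction into the departmental register (sections 4.3.3, 4.4.3, 4.4.4).

    Every entry is re-rated against the DSITI matrix regardless of any rating
    produced on a project-specific scale, and only 'High' and 'Extreme'
    departmental ratings are carried over, each tagged with its Attachment 2
    response. Returned most severe first.
    """
    severity = {"Extreme": 0, "High": 1, "Medium": 2, "Low": 3}
    extracted = []
    for risk in register:
        likelihood = likelihood_from_chance(risk.chance_percent)
        dept_rating = rate(risk.dept_consequence, likelihood)
        if dept_rating not in ("High", "Extreme"):
            continue  # stays in the business area register only
        acceptability, response = RESPONSE[dept_rating]
        extracted.append({
            "title": risk.title,
            "business_area": risk.business_area,
            "likelihood": likelihood,
            "consequence": risk.dept_consequence,
            "departmental_rating": dept_rating,
            "local_rating": risk.local_rating,
            "acceptability": acceptability,
            "response": response,
        })
    return sorted(extracted, key=lambda e: severity[e["departmental_rating"]])


# Constructed sample business area register (not DSITI data).
SAMPLE_REGISTER = [
    Risk("Unfunded ICT commitment above $500k", "Finance", 45, "Severe"),
    Risk("Loss of a critical service deliverable", "Service Delivery", 92, "Major"),
    # Rated 'Extreme' on the project's own scale, but 'Moderate'/'Unlikely' departmentally.
    Risk("Project cost over-run of 100%", "Program X", 25, "Moderate", local_rating="Extreme"),
    Risk("Minor interruption to a support service", "Service Delivery", 70, "Minor"),
]

if __name__ == "__main__":
    for entry in consolidate(SAMPLE_REGISTER):
        print(f"{entry['departmental_rating']:8} {entry['title']} "
              f"({entry['consequence']}/{entry['likelihood']}) -> {entry['response']}")
```

Run as a script, the sample register yields two departmental entries: the critical-deliverable risk (Major, Almost certain) rated Extreme and the unfunded-commitment risk (Severe, Possible) rated High. The project over-run, despite its local ‘Extreme’ rating, re-rates to Low against the departmental matrix and stays in the project register, which is the moderation section 4.4.4 describes.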