Assignment title: Information


Risk Management Policy

Version: Version 1.0
Short Description: This policy outlines SmarTech's commitment to risk management.
Approving Authority: Board of Directors
Approval Date: 20 September 2015
Next Scheduled Review: September 2020
Responsible Officer: Quality Coordinator
Responsible Office: Risk Management and Quality Assurance
Category: Risk Management – Risk Management Processes
File Number: RMP-32-11
Policy Owner: Director, Planning and Strategic Management
Scope and Application: This policy applies across all business units and organisational levels within SmarTech.
Relevant Standards, Guidelines, Policies, Legislation and Regulations:
- AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines
- SA/SNZ HB 436:2013 Risk Management Guidelines – Companion to AS/NZS ISO 31000:2009
- Quality Management Policy
- WHS Policy
- Environment Policy
- WHS Act 2011 and relevant Regulation and Codes of Practice
- Privacy Act 1988
- Anti-discrimination legislation including:
  - Sex Discrimination Act 1984
  - Age Discrimination Act 2004
  - Disability Discrimination Act 1992
  - Racial Discrimination Act 1975
Key Words: risk, mitigation, control, likelihood, impact, consequence

Table of Contents
Version Control ........ 1
1 Policy Purpose and Objectives ........ 2
2 Scope ........ 2
3 Policy Principles ........ 2
4 Roles and Responsibilities ........ 3
5 Risk Management Framework ........ 4
6 Risk Management Process ........ 5
7 Recording the Risk Management Process ........ 7
7.1 Stakeholder Analysis ........ 7
7.2 Communications Plan ........ 7
7.3 Industry Analysis ........ 8
7.4 Risk Assessment Template ........ 9
7.5 Risk Treatment and Action Plan ........ 10

Risk Management Policy v1.0 20 September 2015 Page 1

Version Control
Policy Manager: Quality Coordinator
Contact: Darren Williams | Risk Management and Quality Assurance | [email protected] | (02) 9998 4445
Approval Authority: The Executive Team, Board of Directors
Version: 1.0
Review Date: 01 September 2016

Revision History
Revision # | Approved/Amended/Rescinded | Date | Authority | Changes
New | Approved | 20 September 2015 | CRMO, Board of Directors | None

1 Policy Purpose and Objectives
The purpose of this Risk Management Policy ('the Policy') is to provide guidance and direction on the management of risk within all organisational levels and business units of SmarTech. The Policy aims to ensure that the activities of SmarTech are carried out within a Board-approved risk management framework whose sole purpose is to describe the minimum risk management requirements that must be met so that risks are managed effectively and efficiently across the company.

2 Scope
The Policy is consistent with the international standard AS/NZS ISO 31000:2009 and provides a set of information components that supply the foundations, processes and organisational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management processes throughout the organisation. Although the Policy is aligned with current standards, it has been further refined and applied to SmarTech's business context.

This policy applies across all business units and organisational levels within SmarTech. Effective and timely risk management is the responsibility of all SmarTech staff and all areas of the organisation.

3 Policy Principles
SmarTech is committed to achieving excellence through sustainable and innovative continuous improvement strategies whilst ensuring a low-risk profile in all of the organisation's business units. To achieve this goal, the following risk management principles must be exercised across the organisation in order to establish a risk-aware culture which provides the motivation for managing risks.

The Eleven Principles of ISO 31000:2009, and how each principle is exercised in SmarTech:

Creates and protects value: A robust risk management framework contributes to the achievement of SmarTech's organisational strategic initiatives through the application of best practices company-wide and continuous monitoring and review of internal processes and the external landscape.

Integral part of all organisational processes: Risk management is embedded in all business units, systems, processes, and organisational strategic plans to ensure risks are effectively managed at all times.

Part of decision making: The Risk Management Plan is regularly reviewed and updated to ensure current, timely and complete risk management information is provided to decision makers.

Explicitly addresses uncertainty: Business impact analysis is integrated within the risk management processes; it decodes uncertainty into its root causes and shows how it can be controlled.

Systematic, structured and timely: A systematic approach to risk identification, assessment, evaluation, and treatment is implemented to consistently achieve a low-risk profile.

Based on the best available information: Risk management processes are fed with information collected from reliable, unbiased and authentic sources, including observation, historical data, stakeholders, lessons learnt, and the regularly updated SmarTech Risk Management Wizard software.

Tailored – not generic: Risk management practices are not standalone and are aligned with the specific risk context.

Takes human and cultural factors into account: Recognises internal competencies, individual perceptions, attitudes, organisational culture, and external expertise in achieving set objectives.

Transparent and inclusive: Stakeholders are involved in a timely, productive and constant manner throughout the ongoing life of the risk management process.

Dynamic, iterative and responsive to change: Applies an agile risk management methodology which is capable of adapting to constantly changing internal and external dynamics.

Facilitates continual improvement: Continuously communicates and consults with key stakeholders, monitors and reviews internal as well as external changes, and evaluates risk management processes.

4 Roles and Responsibilities

5 Risk Management Framework
Risks will be managed based on the risk management framework in AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines, with further refinements applied to SmarTech's business context:

6 Risk Management Process
Risks will be managed based on the risk management framework in AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines, with further refinements applied to SmarTech's business context:

Risk Assessment – Likelihood scale
Score | Flag | Range | Description
5 | Almost Certain | 0.67-0.99 | Risk is expected to occur.
4 | Likely | 0.33-0.67 | Risk is common and will probably occur.
3 | Possible | 0.15-0.33 | Risk may happen under certain situations.
2 | Unlikely | 0.05-0.15 | Risk will probably not occur.
1 | Rare | 0.01-0.05 | Risk is very uncommon and will probably occur only under the most exceptional situations.

Risk Assessment – Impact scale
Score 5, Extreme:
- Financial Impact: Loss of $5 million and above. Alternative, including external, funding required to recover.
- Political Impact: Long-term national damage to organisational image. Rebranding required.
- Time Impact: Organisation can recover from all dimensions of impact in one to three years.
Score 4, High:
- Financial Impact: Loss of $1 million to $5 million. Budget can be recovered through major cuts to organisational activities and business units.
- Political Impact: Long-term state-wide damage to organisational image. Restructuring required.
- Time Impact: Organisation can recover from all dimensions of impact in six months to one year.
Score 3, Moderate:
- Financial Impact: Loss of $250,000 to $1 million. Budget can be recovered by cutting an array of organisational activities and business units.
- Political Impact: Medium-term regional damage to organisational image.
- Time Impact: Organisation can recover from all dimensions of impact in three to six months.
Score 2, Low:
- Financial Impact: Insignificant loss of $100,000 to $250,000. Budget can be recovered through simple tactics.
- Political Impact: Minor, short-term isolated damage to organisational image.
- Time Impact: Organisation can recover from all dimensions of impact in one to three months.
Score 1, Insignificant:
- Financial Impact: Loss of $0 to $249,999.
- Political Impact: No noticeable impact on organisational image.
- Time Impact: Organisation can easily and quickly manoeuvre away from all dimensions of impact.

Risk Level and Ranking
Risk Ranking = Likelihood x Impact (as defined in section 7.4); the Risk Level is read from the ranking bands below.

Risk Level | Description
Low (1-4) | Insignificant financial loss. Minimal time to recover. Brand image is protected.
Minor (5-10) | Minor financial loss. Short time scale to recover both financially and politically.
Serious (11-15) | Considerable financial and reputational loss. Reasonable time to recover.
Major (16-25) | Consequential financial loss. Major environmental implications and business interruption. Long time to recover.
Catastrophic (>25) | Excessive long-term injuries. Severe financial loss and damage to reputation. Significant business interruption.

7 Recording the Risk Management Process
The following templates must be used when recording the Risk Management Process.

7.1 Stakeholder Analysis
The template has one column per stakeholder (Stakeholder 1 to Stakeholder 5) and the following rows:
Role: Describe the role of the stakeholder in the context of the risk management process.
Internal/External: Is the stakeholder internal or external?
Interests: What interests does the stakeholder have in the work? E.g. financial, political, reputational, emotional, etc.
Contribution: What is the expected contribution to the work by the stakeholder?
Level of Influence (Low, Medium, High): How much power does the stakeholder have to influence the work? Significant changes, or relatively minor changes? What is the stakeholder's capacity to cause change?
Level of Importance (Low, Medium, High): How much effort is the stakeholder likely to commit to the work?
Level of Interest (Low, Medium, High): How much does the stakeholder have to lose or gain from the work?
Priority (1, 2, 3, 4, 5, ..., n; 1 being the highest): Rank each stakeholder based on the following factors: level of influence, level of importance and level of interest.
Method of communication: What are the communication tools and channels to keep the stakeholders involved?
Frequency: How frequently is each stakeholder to be communicated with?
Issues if not involved: What are the potential issues that may arise if a stakeholder is not involved or is neglected throughout the risk management process?

7.2 Communications Plan
The template has one column per stakeholder (Stakeholder 1 to Stakeholder 5) and the following rows:
Outcomes: What is the main motivation behind the communication? What is aimed to be achieved?
Key Message: What content is to be communicated?
Channel: How to communicate with the stakeholder? Which communication mediums are to be used?
Responsible: Who is responsible for communicating with the stakeholder?
When/Frequency: When to communicate, and how frequently? E.g. at the beginning of the risk management process; weekly progress meetings.

7.3 Industry Analysis
Dimension | Details
Social |
Technological |
Economic |
Legal |
Political |
Policy (Government Policy, Organisational Policy) |

7.4 Risk Assessment Template
Columns: Risk ID | Risk | Risk Area | Likelihood | Impact | Consequence | Risk Ranking | Risk Level

Legend:
Risk ID: unique identification number to be assigned to each identified risk.
Risk: potential risk associated with SmarTech's organisational change.
Risk Area: Financial? Work health and safety? Commercial/market? Operational? Technology? Schedule? External environmental?
Likelihood: The probability of the risk occurring.
Impact: What is the level of impact if the risk occurs?
Consequence: What may happen if the risk occurs.
Risk Ranking: Likelihood x Impact.
Risk Level: The level of risk based on likelihood, impact and consequence (Risk Ranking).

7.5 Risk Treatment and Action Plan
Columns: Risk ID | Risk | Risk Area | Risk Ranking | Root Causes | Risk Treatment | Risk Control Measures | Actions to be Taken | Monitoring Procedures | Responsible Person | Timeline

Legend:
Risk ID: unique identification number to be assigned to each identified risk.
Risk: potential risk associated with SmarTech's organisational change.
Risk Area: Financial? Work health and safety? Commercial/market? Operational? Technology? Schedule? External environmental?
Risk Ranking: Likelihood x Impact.
Root Causes: Potential causes – mechanisms of failure for the risk event.
Risk Treatment: What are the risk treatment options?
- avoid the risk?
- remove the risk source?
- mitigate the risk?
- transfer the risk?
- accept the risk?
Risk Control Measures: What are the actions to be taken to control the risk event?
Monitoring Procedures: How will these risk treatment actions be monitored?
Responsible Person: Who are the stakeholders responsible for applying the risk control measures?
Timelines: What is the time frame required to take the necessary actions to control the risk event?
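The scales in section 6 and the Risk Ranking = Likelihood x Impact rule used in the section 7.4 and 7.5 templates can be applied mechanically. The following Python is an added example written for this page; it is not part of the policy or of any SmarTech tool. It encodes the likelihood scale, the financial column of the impact scale and the Risk Level bands, then scores a small constructed risk register. Two choices it makes are assumptions, not policy text: where adjacent bands on the page share a boundary value (likelihood 0.67, 0.33, 0.15 and 0.05; the overlap between the "Low" $100,000-$250,000 and "Insignificant" $0-$249,999 financial bands), the code takes the higher score as the conservative reading, and probabilities below 0.01 are treated as "Rare". It also makes visible one property of the published scales: with two 1-5 scales the ranking cannot exceed 25, so the "Catastrophic (>25)" band is never reached.

```python
"""Risk scoring helpers for the SmarTech policy scales.

Added example, not part of the policy. Encodes the likelihood scale (section 6),
the financial column of the impact scale, Risk Ranking = Likelihood x Impact
(section 7.4) and the Risk Level bands. Boundary handling, the treatment of
out-of-range probabilities and the sample register are assumptions made here.
"""
from dataclasses import dataclass

# Likelihood scale: (lower probability bound, score, flag). Adjacent ranges on the
# page share their boundary value (e.g. 0.67); a shared boundary resolves to the
# higher score, the conservative choice (assumption).
LIKELIHOOD_SCALE = [
    (0.67, 5, "Almost Certain"),
    (0.33, 4, "Likely"),
    (0.15, 3, "Possible"),
    (0.05, 2, "Unlikely"),
    (0.01, 1, "Rare"),
]

# Financial impact column: (lower loss bound in AUD, score, flag). The page's
# "Low" ($100,000-$250,000) and "Insignificant" ($0-$249,999) rows overlap;
# the overlapping band again takes the higher score (assumption).
FINANCIAL_IMPACT_SCALE = [
    (5_000_000, 5, "Extreme"),
    (1_000_000, 4, "High"),
    (250_000, 3, "Moderate"),
    (100_000, 2, "Low"),
    (0, 1, "Insignificant"),
]

# Risk Level bands keyed by the inclusive upper bound of the Risk Ranking.
RISK_LEVEL_BANDS = [(4, "Low"), (10, "Minor"), (15, "Serious"), (25, "Major")]


def likelihood_score(probability: float) -> int:
    """Map an estimated probability of occurrence to the 1-5 likelihood score."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability out of range: {probability}")
    for lower, score, _flag in LIKELIHOOD_SCALE:
        if probability >= lower:
            return score
    return 1  # below 0.01: treated as the lowest band, "Rare" (assumption)


def financial_impact_score(loss_aud: float) -> int:
    """Map an estimated financial loss (AUD) to the 1-5 impact score."""
    if loss_aud < 0:
        raise ValueError(f"loss cannot be negative: {loss_aud}")
    for lower, score, _flag in FINANCIAL_IMPACT_SCALE:
        if loss_aud >= lower:
            return score
    return 1  # not reachable: the last band's lower bound is 0


def risk_ranking(likelihood: int, impact: int) -> int:
    """Risk Ranking = Likelihood x Impact, both scores validated to 1-5."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if value not in range(1, 6):
            raise ValueError(f"{name} score must be 1-5, got {value}")
    return likelihood * impact


def risk_level(ranking: int) -> str:
    """Read the Risk Level from the ranking bands in section 6."""
    if ranking < 1:
        raise ValueError(f"ranking must be at least 1, got {ranking}")
    for upper, level in RISK_LEVEL_BANDS:
        if ranking <= upper:
            return level
    # With two 1-5 scales the product never exceeds 25, so this band is never
    # reached in practice; it is kept because the policy defines it.
    return "Catastrophic"


@dataclass
class RiskEntry:
    """One row of the Risk Assessment Template (section 7.4) before scoring."""
    risk_id: str
    risk: str
    risk_area: str
    probability: float        # estimated probability of occurrence, 0-1
    estimated_loss_aud: float  # estimated financial loss if the risk occurs


def assess(register):
    """Score each entry and return the rows sorted by Risk Ranking, highest first."""
    rows = []
    for entry in register:
        lik = likelihood_score(entry.probability)
        imp = financial_impact_score(entry.estimated_loss_aud)
        rank = risk_ranking(lik, imp)
        rows.append({
            "risk_id": entry.risk_id, "risk": entry.risk, "risk_area": entry.risk_area,
            "likelihood": lik, "impact": imp,
            "risk_ranking": rank, "risk_level": risk_level(rank),
        })
    rows.sort(key=lambda r: r["risk_ranking"], reverse=True)
    return rows


# Constructed sample register; the risks and figures are illustrative only.
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Ransomware on file servers", "Technology", 0.40, 1_500_000),
    RiskEntry("R-002", "Key supplier insolvency", "Commercial/market", 0.10, 300_000),
    RiskEntry("R-003", "Office flood", "External environmental", 0.02, 50_000),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['risk_id']} L={row['likelihood']} I={row['impact']} "
              f"ranking={row['risk_ranking']} level={row['risk_level']}  {row['risk']}")
```

Run as a script it prints the three sample risks in ranking order (R-001 ranks 16, Major; R-002 ranks 6, Minor; R-003 ranks 1, Low). The scale tables are kept as data rather than hard-coded branches so that a revision of the policy's thresholds is a one-line change, and the boundary assumptions are stated in comments next to the numbers they affect, which is where a reviewer of the register will look for them.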