Risk Management Policy
Relevant Legislation, Standards and Agreements
The following Legislation and Standards apply to this policy and supporting documentation:
- Disability Services Act 1993 (WA)
- Occupational Health and Safety Act 1984 (WA)
- National Disability Insurance Scheme Act 2013
- AS/NZS ISO 31000:2009 Risk Management: Principles and Guidelines
- National Standards for Disability Services
- Department of Health Policy
- Department of Education Policy
Purpose
The purpose of this risk management policy is to provide guidance regarding the management of risk to support the achievement of corporate objectives, protect staff and business assets and ensure financial effectiveness and sustainability.
Scope of Policy
This policy applies to all Next Challenge employees, contractors and volunteers and relates to all Next Challenge activities which form part of the Next Challenge governance framework.
Risk Responsibilities
This structure illustrates that risk management is not the sole responsibility of one individual but is supported at all organisational levels.
Risk Management Process
When undertaking a risk management process the following steps must be taken:
- Establish the context
- Identify the risk
- Analyse the risk
- Evaluate the risk
- Treat the risk, monitor, and review the risk
Integration with other systems and processes
Risk management is factored into business planning, performance management, audit and assurance, business continuity management and project management.
Internal and External Audits review the effectiveness of controls and alignment between the audit function and that of the controls within the risk management process.
Business planning (including budget) identifies risk during the business planning process to set realistic delivery timelines for strategies/activities or to choose to remove a strategy/activity if the associated risks are too high or unmanageable.
Performance Management – All risk responsibilities, whether a general responsibility to use the risk management process or specific responsibilities such as risk ownership or implementation of risk treatments, are to be included within the relevant individuals’ performance plans.
Risk Register
Implementation of a Risk Register is the responsibility of all, with specific risk responsibilities being allocated to different groups and levels within the organisation.
The objectives of the NC Risk Register are to:
- provide a systematic approach to the early identification and management of risks;
- provide consistent risk assessment criteria;
- make accurate and concise risk information available that informs decision making including business direction;
- adopt risk treatment strategies that are cost-effective and efficient in reducing risk to an acceptable level;
- monitor and review risk levels to ensure that risk exposure remains within an acceptable level; and
- inform NC assurance and compliance requirements.
Risks are identified using a range of tools and techniques, including strategic and business planning, consultation and feedback from staff and stakeholders, audit and event reports. For each identified risk, an analysis is performed on the likelihood of the risk occurring, the potential consequence or impact that would result if the risk was to occur, the controls currently in place to manage the risk by either reducing the consequence or likelihood of the risk, and a target risk rating aligned to the risk appetite statement.
Risk Reporting
The risk register is prepared by the Risk Manager and reviewed by the Management Team on a quarterly basis.
Risk Management Performance
Risk management performance indicators include:
- timeliness of remediating internal audit findings
- outcomes of external audits
- reduction in the number of risks in the risk register
- reduction in the number of risks that exceed NC risk appetite.
Review and approval
The Next Challenge Risk Register and associated risk management improvement plan are reviewed on a quarterly basis by the Management Team. The Risk Management Policy is reviewed every year by the Directors and will take into account progress made against the risk management improvement plan.
Policy Statement
a) Risk appetite
Next Challenge’s risk appetite will guide decision making throughout the organisation and is summarised below:
i. Next Challenge has a low tolerance for adverse health, safety, service delivery and environmental outcomes. This extends to Next Challenge clients and families who expect services and products which meet best practice quality standards. Next Challenge expects low injury rates compared to our industry and high rankings for quality service provision compared to our industry.
ii. To foster innovation and agility, Next Challenge will adopt a higher tolerance for risk in some other areas. For example, and within the context of low-risk tolerances above, Next Challenge has a moderate tolerance for risk in relation to finances and a moderate tolerance for risks related to initiatives designed to improve business
b) Risk-aware behaviours
Next Challenge employees, contractors and volunteers will be risk aware as evidenced by the following expected behaviours:
i) Next Challenge values risk and will proactively integrate risk-aware behaviours into the business or activities and will embed Next Challenge’s risk assessment and treatment processes where required.
ii) Next Challenge will practise continuous disclosure by way of:
- Employees, contractors and volunteers being encouraged to speak openly and honestly.
- Senior Therapists will listen to and respond appropriately to concerns or opportunities.
- Senior Therapists will monitor risk and disclose risks identified as approaching or exceeding Next Challenge’s risk appetite.
- Senior Therapists will consider and monitor the risk management performance indicators.
iii) Prudent decision making – policies, delegations, processes and procedures will reflect the degree of risk, empowering agility and innovation. Decisions will be timely and prudent, based on relevant information.
iv) Single line accountability, where individual staff will be held to account for the success of activities, projects or functions, even when working in groups or teams. Staff will be appropriately empowered to deliver agreed outcomes within Next Challenge’s risk appetite.
Interagency and State Significant Risks
As a private organisation, Next Challenge is not involved in managing state significant risks. If an inter-agency or state significant risk is brought to Next Challenge’s attention, Next Challenge will work collaboratively with the identifying agency in analysing and evaluating the risk and contribute, as appropriate, to the management of the risk. Likewise, Next Challenge will expect collaboration from other agencies when it raises with them the prospect of an inter-agency risk.
For inter-agency risk, Next Challenge’s approach includes:
- identifying current and emerging risks and other agencies likely to be affected by those risks;
- analysing and evaluating identified risks in consultation with other affected agencies;
- agreeing on a lead agency and relative responsibilities of affected agencies;
- implementing appropriate measures to manage the risks;
- appropriate monitoring and reporting.
Risk Assessment and Management Tool
Next Challenge utilises a risk matrix to determine the estimated level/severity of risk given the current circumstances. The matrix assesses the Likelihood and the Consequence. The allocation of a risk rating is not an exact science and therefore should involve a number of people in making this decision. A copy of the risk matrix can be downloaded as a Word document here.
Responsibility for Implementation, Compliance Monitoring, Measuring and Continual Improvement
The responsibility for implementing, monitoring, measuring and providing continual improvement of this policy rests with Next Challenge Directors including to:
- promote risk awareness behaviours;
- monitor and action risk reports, including those on the effectiveness of the risk management framework;
- provide stewardship in times of crisis;
- advise the Risk Manager and take action as authorised in respect of Next Challenge’s risk appetite and risk profile; and
- recommend actions and review the status of individual risks.
Definitions
Any defined terms below are specific to this document:
- Consequence – The outcome of an event that has an effect on objectives. A single event can generate a range of consequences which can have both positive and negative effects on objectives.
- Governance – The system by which an organisation is controlled and operates, and the mechanisms by which it and its people are held to account.
- Likelihood – The chance that something might happen. Likelihood can be defined, determined, or measured objectively or subjectively and can be expressed either qualitatively or quantitatively.
- Risk – The chance of something happening that will have an impact on objectives (AS/NZS ISO 31000:2009).
- Risk appetite – Amount and type of risk an organisation is prepared to pursue or retain to achieve its objectives.
- Risk assessment – A process to identify, analyse and evaluate risk. It provides an understanding of risks, their causes, consequences and likelihood.
- Risk aware – Decisions are made in a disciplined way, taking into account considerations of risk and reward on an informed basis.
- Risk management – The culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects (AS/NZS ISO 31000:2009).
- Risk management framework – A set of components, which include the risk register, the risk management policy, other risk-related policies, the risk management procedure, aligned to the objectives, mandate and commitment that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.
- Risk treatment – Agreeing and implementing options that change the likelihood and/or the consequence of a risk. Options may be to avoid the risk, reduce the risk, remove the source of the risk, modify the consequences, share the risk with others, retain the risk, or increase the risk in order to pursue an opportunity. Once a treatment has been implemented, it becomes a control or it modifies existing controls. There can be multiple treatments for a risk.
Date of Policy: July 2019
Review Date: March 2021
Due for Review: March 2022