
RSK_01_RMP RISK MANAGEMENT POLICY, FRAMEWORK & PROCEDURE

Applies to: All personnel, internal and external stakeholders

Version: 2

Specific responsibility: Board of Management, Executive Director, Operations Manager

Date approved: 12/8/19

Next review date: August 2021

Policy context: This policy relates to the HCC RULES and the HCC Strategic Plan 2017 – 2020

Standards or other external requirements:
AS/NZS ISO 31000:2009 Risk Management Standards
Quality Management Framework for Community Managed Organisations 2014

Legislation or other requirements:
Incorporated Associations Act 2016
ACNC
Occupational Safety and Health Act 1984
The National Safety and Quality Health Service Standards 2012


Contents

RISK MANAGEMENT POLICY, FRAMEWORK & PROCEDURE

POLICY
1. Policy Statement
2. Purpose
3. Scope
4. Delegations
5. Terms and Definitions

RISK MANAGEMENT PRINCIPLES and FRAMEWORK
6. Risk Management Principles
7. Risk Management Framework
8. Guidelines

Process and PROCEDURES
9 Communication and Consultation
10 Risk Assessment
11. Risk Treatment
12 Monitoring and Review

DOCUMENTATION


POLICY

1. Policy Statement

The Health Consumers’ Council (HCC) is an independent community based organisation, representing the consumers’ ‘voice’ in health policy, planning, research and service delivery. The HCC advocates on behalf of consumers to government, doctors, other health professionals, hospitals and the wider health system.

HCC is committed to ensuring effective risk management and will undertake responsible monitoring and support improvement processes.

The practice of Risk Management and its reporting is designed to provide standardised, integrated and sustainable processes to meet the organisational needs and governance requirements of the Health Consumers’ Council that comply with all relevant statutory codes of practice and Australian standards.

2. Purpose

Risk management standards aim to prevent injury or harm to individuals, to protect the assets and interests of the HCC and to limit the impact of risks. The purpose of this document is to ensure that risk management principles, framework and processes are applied consistently throughout all decision making, operations and activities of the HCC in accordance with the Strategic Plan 2017-2020.

Key objectives are as follows:

2.1 Optimise the success of HCC’s vision, mission, purpose and values.
2.2 Achieve effective Governance and adherence to relevant statutory, regulatory and compliance obligations
2.3 Provide transparent, formal oversight of the risk and control environment to enable effective decision making
2.4 Embed appropriate and effective controls to mitigate risk which will reduce unexpected and costly surprises
2.5 Enhance risk versus return within our risk appetite, enabling a balance between opportunity and risk
2.6 More effective and efficient allocation of resources through operational, project and strategic activities
2.7 Incorporate continuous improvement
2.8 Maintain records for evidence of the risk management process


3. Scope

The practice of risk management applies to all activities undertaken in the operating environment, whether on HCC premises or at other locations. It includes, but is not limited to:

3.1 Building premises
3.2 Staff attending functions or events
3.3 Current service provision
3.4 Tendering scopes of work
3.5 Business continuity
3.6 Work Safety
3.7 Business sustainability
3.8 Financial management

4. Delegations

The scope and delegations outline responsibilities for the implementation of risk management procedures and for ensuring stakeholder compliance with these procedures.

Table 1. Delegations of responsibility

| Position | Application | Approval |
|---|---|---|
| Board | Overseeing role & compliance | Endorse via Management Committee |
| Executive Director | Policy Approval | All business and workplace requirements |
| Operations Manager | Implement day to day procedures | All business and workplace requirements |
| Employees | Compliance with Policy and procedures | All business and workplace requirements |
| Volunteers | Compliance with Policy and procedures | All business and workplace requirements |


5. Terms and Definitions

Communication and Consultation: The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and treatment of the management of risk. Consultation is a two-way process of informed communication between HCC and its stakeholders on an issue prior to making a decision or determining a direction on that issue. [SOURCE: ISO Guide 73:2009, definition 3.2.1]

Consequence: is the outcome of an event affecting objectives (table 12.2.3). An event can lead to a range of consequences that can be certain or uncertain and can have positive or negative effects on objectives. [SOURCE: ISO Guide 73:2009, definition 3.6.1.3]

Establishing the context: involves defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy [SOURCE: ISO Guide 73:2009, definition 3.3.1]

Event: An occurrence (one or more) or change of a particular set of circumstances. An event can sometimes be referred to as an “incident” or “accident” or an event without consequences can also be referred to as a “near miss”, “incident”, “near hit” or “close call”. [SOURCE: ISO Guide 73:2009, definition 3.5.1.3]

External context: is an external environment in which HCC seeks to achieve its objectives. External context can include:
— The cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
— Key drivers and trends having impact on the objectives of the organisation; and
— Relationships, perceptions and values of external stakeholders.
[SOURCE: ISO Guide 73:2009, definition 3.3.1.1]

Internal context: the internal environment in which HCC seeks to achieve its objectives. Internal context can include:
— Governance, organisational structure, roles and accountabilities;
— Policies, objectives, and the strategies that are in place to achieve them;
— The capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
— Information systems, information flows and decision-making processes (formal & informal);
— Relationships with, and perceptions and values of, internal stakeholders;
— Standards, guidelines and models adopted by the organisation; and
— Form and extent of contractual relationships.
[SOURCE: ISO Guide 73:2009, definition 3.3.1.2]

Level of Risk: Is the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood. [SOURCE: ISO Guide 73:2009, definition 3.6.1.8]

Likelihood: Is the chance of something happening (table 12.2.6). In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period). [SOURCE: ISO Guide 73:2009, definition 3.6.1.1]

Risk: Is an effect of uncertainty on objectives, where the full effect can be a positive or negative deviation from the expected. Objectives can relate to different aspects of the organisation (financial, health, safety, and environmental goals) and can apply at different levels (strategic, organisation-wide, projects or processes). [SOURCE: ISO Guide 73:2009, definition 2.1]

Risk Analysis: is the process to comprehend the nature of risk and to determine the level of risk. Risk analysis provides the basis for evaluation and decisions about risk treatment. [SOURCE: ISO Guide 73:2009, definition 3.6.1]

Risk Criteria: are the terms of reference against which the significance of a risk is evaluated. The risk criteria are based on HCC objectives, external and internal context and derived from standards, laws, policies and other requirements. [SOURCE: ISO Guide 73:2009, definition 3.3.1.3]

Risk Management: Is the process of dealing with uncertainty. It is broadly described in the International Standard for Risk Management (AS/NZS ISO 31000:2009) as the principles, framework and processes for effective risk management and encompasses all related risk activities. (see 7.1 The relationship between the risk management principles, framework & process)

Risk Management Plan: specifies the approach, the management components and resources to be applied to the management of risk.

Risk Management Process: Is the systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk. [SOURCE: ISO Guide 73:2009, definition 2.8]

Risk Profile: is the description of any set of risks containing those that relate to the whole organisation, part of the organisation, or as otherwise defined. [SOURCE: ISO Guide 73:2009, definition 3.8.2.5]

Risk Source: is the element which alone or in combination has the intrinsic potential to give rise to risk. [SOURCE: ISO Guide 73:2009, definition 3.5.1.2]

Risk Treatment: involves identifying the range of options for treating risk, assessing those options, preparing risk treatment plans and implementing them. Risk treatment can involve:
— Avoiding the risk by deciding not to start or continue with activity that gives rise to the risk;
— Taking or increasing risk in order to pursue an opportunity;
— Removing the risk source;
— Changing the likelihood;
— Changing the consequences;
— Sharing the risk with another party or parties (including contracts and risk financing); and
— Retaining the risk by informed decision.

Stakeholders: are those individuals who are, or perceive themselves to be, affected by a decision or activity.


RISK MANAGEMENT PRINCIPLES and FRAMEWORK

Diagram 1. The relationship between the risk management principles, framework and process (AS/NZS ISO 31000:2009 Risk Management Standards)


6. Risk Management Principles

At all stages of the Risk Management process the emphasis of communication and consultation is vital for successful outcomes. This is to ensure those responsible for managing risk, and those with vested interests, understand the basis on which decisions are made, why particular treatment options are selected or why certain risks are accepted/tolerated.

Without an effective communication and consultation process, relevant parties will not be aware of why risk management policies have been developed and implemented, nor will they understand their individual roles and responsibilities. The 11 principles for managing risk as listed by the AS/NZS ISO 31000:2009 Risk Management Standards (Clause 3) are as follows:

6.1 Creates Value

This principle recognises that risk management helps the organisation achieve its objectives, improves stakeholder confidence, minimises loss, improves operational effectiveness and efficiency and establishes a reliable basis for decision making and planning.

6.2 Integral part of organisational processes

Risk management activities should not be separate from the main activities and processes of the organisation, but rather incorporated into business processes and management controls at all levels and made part of the management responsibilities.

6.3 Part of decision making

This principle recognises that good risk management helps managers make better decisions to minimise risk and optimise every opportunity.

6.4 Explicitly addresses uncertainty

Uncertainty is inherent in every business and by identifying and analysing a range of risks, risk owners are better able to implement controls and treatments to mitigate the likelihood and/or consequence of uncertainty and establish a more resilient organisation.

6.5 Systemic, structured and timely

The risk management system requires organised planning to ensure efficiency. The standard itself promotes a structured and systemic risk management process and risk management framework in order to achieve a consistent and reliable result.

6.6 Based on the best value information

Closely linked to addressing uncertainty, this principle reads a little like a disclaimer. It recognises the fact that information is often limited, costly and imperfect. However, good risk management will consider information from many sources including observation, experience, forecasts and experts.

6.7 Tailored

This Risk management document is tailored to the needs of HCC considering the stakeholders, context and risk profile.


6.8 Takes human and cultural factors into account

This principle is linked to the principle that risk management is tailored, whereby the organisation's risk framework considers cultural elements and both internal and external people – particularly their skills, capabilities, perceptions and intentions.

6.9 Transparent and inclusive

Internal and external stakeholders can have a major impact on the organisation. This principle recognises the need to include stakeholders throughout the risk management process including when establishing context and determining risk criteria.

6.10 Dynamic, iterative and responsive to change

The risk management procedures involve responding to changes in the internal and external environments by amending strategies, management and financial plans and organisational structures.

6.11 Facilitates continuous improvement and enhancement of the organisation

This principle builds on the last principle that risk management is dynamic and iterative. It encourages HCC to be flexible and continually improve the risk management maturity framework along with other elements of the organisation to build resilience and capacity to maximise opportunities.

7. Risk Management Framework

Diagram 2. Risk Management Framework AS/NZS ISO 31000:2009 Risk Management Standards (Clause 4)


7.1 Mandate and Commitment

Risk Management is not a one off project; it is an ongoing activity requiring ongoing commitment. It must be mandated from the Board, implemented by the Executive Director and supported by all levels of personnel and risk owners to be sustainable.

7.2 Design of framework for managing risk

Defining the context of the risk management framework, formulating a risk management policy, embedding processes into practice, assigning resources and determining responsibility are all key elements of designing an effective framework to manage risk. Periodic reporting to stakeholders and effective communication mechanisms will support effective implementation.

7.3 Implementing Risk Management

Implementation is executing the theory of the risk management framework and ensuring the risk management process is understood by risk owners (through communication & training). This also relates to ensuring risk management activities take place (risk assessments & risk workshops etc.) and decisions in the organisational processes actually factor in risk thinking.

7.4 Monitoring and review of the framework

This involves confirmation that the various risk management elements and activities are actually working effectively in line with expectations. Any gaps identified will need to be documented and remediated.

7.5 Continual improvement of the framework

This means continuing to enhance key elements of the risk management framework to either improve current processes and/or progress towards a more mature risk management framework. HCC commits to undertake a review every 2 years or sooner if required.


8. Guidelines

Diagram 3. The Guidelines of Risk Management AS/NZS ISO 31000:2009 Risk Management Standards (Clause 5)


Process and PROCEDURES

9 Communication and Consultation

Effective communication and consultation is essential to ensure that those responsible for implementing risk management, and those with a vested interest, understand the basis on which decisions are made and the reasons why particular treatment options are selected. Methods of communication and consultation may include:
a) Board/ Staff Meetings
b) Distribution of minutes
c) Reports
d) Staff awareness and training session
e) Internal Audits

10 Risk Assessment

10.1 Establish the context – identify and understand the operating environment of HCC in order for the risk management program to be effective.
a) Define the scope of what activity, decision, project or program or issue needs analysis
b) Identify relevant stakeholders/ areas involved or impacted
c) Internal and/or external environment factors

10.2 Risk Assessment – comprises the processes for identifying, analysing and evaluating risks. AS/NZS ISO 31000:2009 provides guidance on selection and application of systemic techniques for risk assessment. The techniques involve measuring the adequacy of existing management, systems and procedures to control the risk, and assessing their effectiveness. The three step process consists of determining the likelihood of risk, categorising the consequences and identifying the responsibilities to action.

10.2.1 Identify – Identify and assess possible internal and external risks that may pose a threat by considering the following questions:
a) What could happen?
b) How and where it could happen?
c) Why it could happen?
d) What is the impact or potential impact?

10.2.2 Analyse – the risk in terms of the HCC operational environment to understand the nature of risk and to identify tasks for further action. (13.2.3)
a) Identify the causes, contributing factors and actual or potential consequences
b) Identify existing or current controls
c) Assess the likelihood & impact/ consequence to determine the risk rating


Table 2. Consequence Categories Table

| | Health Impacts | Service Interruption | Compliance | Financial Impact | Property | Reputation |
|---|---|---|---|---|---|---|
| 1 Insignificant | Negligible injuries | No material service interruption | No noticeable regulatory or statutory impact | Less than $5000 | Inconsequential or no damage | Unsubstantiated, low impact, low profile item, no social media attention |
| 2 Minor | First Aid injuries | Short term temporary interruption – backlog cleared <1day | Some temporary non compliances | $5001 - $50 000 | Localised damage rectified by routine internal procedures | Substantiated, low impact, low news item, limited social media attention |
| 3 Moderate | Loss time injuries <2 days | Medium term interruption – backlog cleared by additional resources <1week | Short term noncompliance but with significant regulatory requirement imposed | $50 001 - $500 000 | Localised damage requiring external resources to rectify | Substantiated, public embarrassment, high impact, high news profile, third party actions, requires immediate and ongoing social media response and monitoring |
| 4 Major | Loss time injuries > 2 days | Prolonged interruption to services – additional resources; performance affected <1month | Noncompliance results in termination of services or imposed penalties | $500 001 - $1 000 000 | Significant damage requiring internal & external resources to rectify | Deliberate breach, or gross negligence, significant harm, formal investigation, disciplinary action, ministerial involvement |
| 5 Catastrophic | Fatality, permanent disability | Indeterminate prolonged interruption of services – nonperformance >1month | Noncompliance results in litigation, criminal charges or significant damages or penalties | More than $1 000 000 | Extensive damage requiring prolonged period of restitution. Complete loss of equipment or building | Serious and wilful breach, criminal negligence, act litigation or prosecution with significant penalty, dismissal, ministerial censure |


10.2.4 Evaluate – evaluate the risks and compare against acceptability criteria to develop a prioritized list of risks for further action (Risk Assessment Matrix 13.2.6)
a) Is the risk acceptable or unacceptable?
b) Does the risk need treatment or further action?
c) Do the opportunities outweigh the threats?

Table 3. Likelihood Categories Table - The level of risk is determined by the relationship between the consequence and likelihood applicable to each of the identified risks located within the area of review.

| LEVEL | LIKELIHOOD | EXPECTED or ACTUAL FREQUENCY EXPECTED |
|---|---|---|
| 1 | Rare | Once in more than 10 years |
| 2 | Unlikely | At least once in 5 to 10 years |
| 3 | Possible | At least once in 3 to 5 years |
| 4 | Likely | At least once in 1 to 3 years |
| 5 | Almost Certain | More than once a year |

Table 4. Risk Assessment Matrix

| LIKELIHOOD / CONSEQUENCE | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Rare (1) | LOW 1 | LOW 2 | LOW 3 | MODERATE 4 | MODERATE 5 |
| Unlikely (2) | LOW 2 | LOW 4 | MODERATE 6 | MODERATE 8 | HIGH 10 |
| Possible (3) | LOW 3 | MODERATE 6 | MODERATE 9 | HIGH 12 | HIGH 15 |
| Likely (4) | LOW 4 | MODERATE 8 | HIGH 12 | HIGH 16 | EXTREME 20 |
| Almost Certain (5) | MODERATE 5 | HIGH 10 | HIGH 15 | EXTREME 20 | EXTREME 25 |


11. Risk Treatment

Risk treatment involves ensuring that effective strategies are in place to minimise the frequency and severity of the identified risk. It includes developing actions and implementing treatments that aim to control the risk. This consists of the five following considerations:

11.1 If the goal is to reduce the likelihood or possibility of the risk, then you may need to alter the approach, depending on the causal link between the threat and its impact.

11.2 If the goal is to reduce the consequence or the impact of the risk, then contingency plans might be required to respond to a threatening event if it occurs.

11.3 If the goal is to share the risk, then involving another party, such as an insurer, may help so risk is shared contractually and by mutual agreement. This must be formally recorded through a contract agreement or letter.

11.4 If the risk is so significant that the goal is to eliminate or avoid it altogether, then the options are limited to changing the project materially or choosing alternative approaches/ processes to render the risk irrelevant.

11.5 Occasionally the decision is made to accept or tolerate the risk, due to the low likelihood or minor consequences of the risk event, or the fact that the cost of effectively controlling the risk is unjustified.

11.6 Work safety assessments will be in accordance with the hierarchy of control as per Table 5.

Table 5. Treatment Hierarchy

Elimination

Substitution

Engineering controls

Administration controls

PPE

Once the risk assessment phase is complete, identify the options for treatment if there are any; otherwise tolerate the risk. Where options for treatment are available and appropriate, record those treatment options as part of the risk treatment plan. Use the combination of the Likelihood Categories (Table 3), the Risk Assessment Matrix (Table 4) and the Responsibilities (Table 7) to deliver a Risk Treatment Plan (Table 6) outcome.


The cyclic process of treating a risk, deciding whether risk levels are tolerable and assessing the effectiveness of that treatment are all case by case assessments that depend on a good understanding of both the risk and the end objective of the activity being assessed. The following process is required for an effective Risk Treatment Plan:

11.6 Document the risk treatment plan
11.7 Implement agreed treatments
11.8 Assess and monitor the risk treatment (15)

Table 6. Example of the Risk Treatment Plan

The following table offers an example of existing identified risks at HCC and an approach for risk treatment plan and record keeping:

Risk | Risk Status | Resource Requirements | Proposed Actions | Timeline | Responsibility

Legislation
1. Incorporations Associations Act 2016
2. ACNC
1. In force July 2016 – ability to comply; impact
Now – July 2016
Nominations & Governance Committee

Financial
1. Cash Flow (trading solvent)
2. Insurance Portfolios
3. Contracts register
4. IT systems management
5. Organisational Funding Requirements
Ongoing
Finance Committee

External Relationships
1. Consumers
2. Government
3. NGO’s
4. Patient Experience Surveys
1. Follow up on Strategic Plan consultants contacts – transparency/ integrity
Executive Director

Workforce
1. Appropriate Staff
2. Environment “Health Checks”
3. Performance
4. Resourced
1. Align staff to contract needs – training requirement
Executive Director/ Chair


1. Delivering Community Services in Partnership Policy
2. Relationship – Government Contract Manager
1. DCSPP checklist
2. Feedback
Executive Director

Reputation
1. research & evaluation
2. provide valued effective services
3. Credibility check on collaborations
4. Best use of funding
5. Media management
6. Meeting outcomes/ strategic plan
1. Develop framework
Executive Director/ Chair

Work Safety
1. Reference AS/NZS 4801:2001
2. Reference OSH Act & Regulations
3. Electrical (RCD)
4. Manual Handling
5. Evacuation
6. Stress
7. Staff training
Ongoing
All Staff


Quality
1. ISO 9004: 2009 Principles
Operations Manager

Sustainability
1. Fee for service development
2. Business continuity planning
3. Marketing plan
4. Collaboration assessment
5. Innovation
6. Resilience
Consumer & Community Engagement Manager

Membership
1. Communication (quality)
2. Remain relevant
Operations Manager

Board
1. Relates to ACNC Governance Standards
2. Commitment
3. Evaluation & Review
4. Skill sets
5. Insurance Protection
Nominations & Governance Committee

Management
1. Reports to Board
2. Training on risk assessment
1. Quarterly update on Risk Treatment Plan
2. Monitoring regime to be established


12 Monitoring and Review

Planned, regular monitoring of the risks and the risk management framework including processes is critical to keeping the risk management framework relevant to the changing needs of the organisation and external influences.

Monitoring and review will be undertaken by risk owners, the Executive Director and the Management Committee.

Table 7. The Responsibilities Table provides an outline of responsibilities and actions, including the level at which there can be qualified acceptance of identified risks and how they are documented.

| Risk Rank | Description | Criteria | Responsibility |
|---|---|---|---|
| Low | Acceptable | Risk acceptable with adequate controls, managed by routine procedures and subject to annual monitoring | All Stakeholders |
| Moderate | Monitor | Risk acceptable with adequate controls, managed by specific procedures and subject to semi-annual monitoring | Operations Manager |
| High | Urgent Action Required | Risk acceptable with effective controls, subject to monthly monitoring | Executive Director & Risk Management Committee |
| Extreme | Unacceptable | Risk only acceptable with effective controls and all treatment plans need to be explored and implemented where possible and subject to continuous monitoring | Risk Management Committee & the Board |

12.2 Continuous Monitoring – once the risks have been identified, recorded and analysed, and the agreed treatments have been implemented, an appropriate monitoring and reporting regime needs to be established.


DOCUMENTATION

Documents related to this policy

Related policies: Occupational Health & Safety Act 1984

Forms, record keeping or other organisational documents:
S:\REGISTERS\RISK REGISTER\Risk Register
S:\ADMINISTRATION\Templates\2016project plan

Reviewing and approving this policy

| Frequency | Person responsible | Approval |
|---|---|---|
| Risk management will be a standing item of the board agenda for status reporting | Executive Director | Chair |
| A report on Risk Management and treatment plans to be provided on the last Wednesday of the month in April, August and December annually | Risk Management Committee | Management Committee |

Policy review and version tracking

| Review | Date Approved | Approved by | Next Review Due |
|---|---|---|---|
| 1 | 3/8/2016 | Management Committee | 3/8/2018 |
| 2 | 12/8/19 | Management Committee | 12/8/2021 |
| 3 | | | |

• ISO Guide 73:2009, Risk management - Vocabulary complements ISO 31000 by providing a collection of terms and definitions relating to the management of risk.
• ISO/IEC 31010:2009, Risk management – Risk assessment techniques focuses on risk assessment. Risk assessment helps decision makers understand the risks that could affect the achievement of objectives as well as the adequacy of the controls already in place.
