Risk Management Assessment Service (RMAS)

Risk Management Assessment Service (RMAS) Amanda Dobie-Brown Project / Risk Manager - RMAS Echelon Australia


Risk Management Assessment Service (RMAS)

Amanda Dobie-Brown
Project / Risk Manager - RMAS

Echelon Australia

Enterprise Risk Management

New Approach

• Integrated
• Self sustaining
• Underlying value system
• Performance improvement
• All organisational levels
• Existing resources
• Align efforts to risk appetite

Today's Session

• Why RMAS?
• RMAS update
• Agency benefits
• Report format
• RMAS ‘experience’ -
  relevance
  agency feedback

???

RMAS Update

• First 12 months
• Slow uptake
• Very positive feedback
• Process working well
• Agency size not predictive of results
• Refining approach

RMAS Positives

• Free service
• Independent review and analysis
• Framework, Context & Culture considered
• Minimal impact on agency time and resources
• Enterprise Risk Management approach

Agency Benefits

• High quality, practical feedback
• Detailed findings and tailored recommendations
• Agency may test or confirm existing perceptions of capability
• Increases profile of risk management amongst staff
• Qualitative measure of enterprise risk management capability

Assurance

May assist annual compliance reporting by contributing quality risk management information to the assurance process

Report Format

Overview of Format

Elements
Criteria
Results Tables
Recommendations
Analysis Tables
Sign-off

Report Format

Agency Sign-off: Senior management acknowledge assessment findings and recommendations through formal sign-off.

Executive Summary: Key Findings, Overall Results and Key Recommendations provided in summarised form.

Part I: Summary of Results

Results for seven key elements provided in table format, including breakdown of contributing factors to score.

Brief guidance as to the maturity continuum and key elements applied, to assist interpretation of results.

Part II: Findings & Discussion

Assessment results and findings in full for each key element, including detailed recommendations and additional comments by Risk Assessor.

Separate analysis tables for each key element, showing survey, document review and interview scores.

Elements

a) Risk Management Policy
b) Aligned to Organisational Structure
c) Resources allocated
d) Communication Strategy
e) Risk Training Strategy
f) Business Continuity Preparedness
g) Risk Reporting Framework

Criteria

1. Context & Planning
2. Framework
3. Risk Profile
4. Implementation
5. Risk Treatment
6. Compliance & Review
7. Consolidation

Measuring Criteria

[Diagram labels: Context, Framework, Risk Profile, Implemented, Treatment, Compliance, Consolidation; RM Maturity]

Overall Results

Results Tables

(d) Risk Communication Strategy

This element measures agency capability with regard to development of a strategy for the communication of risk issues to internal and external stakeholders, including documented guidance as to when, why and how to implement risk management in line with agency objectives.

Assessment findings support achievement of the following stages of maturity for this element:

[Results table: columns Context & Planning, Framework, Risk Profile, Implementation, Risk Treatment, Compliance & Review, Consolidation, Overall Result; rows Survey, Document Review, Interview]

Combination of survey, document review and interview scores provides the following overall result for this element: Consideration of Risk Profile working toward achievement of Implementation in development of an enterprise risk management system.

Recommendations

• Key Recommendations - ‘next step’ for each element
• Summary Tables - short form recommendations
• Assessment Results & Recommendations - detailed strengths & weaknesses

Recommendations

Recommendations:

29. An appropriate level of resources and infrastructure must exist to support all stages of response / recovery from business interruption.

30. Staff must understand the key stages of response / recovery as relevant to their role, including but not limited to emergency evacuation.

31. The agency must take action to ensure a state of readiness exists for a range of business interruption scenarios.

32. Response / recovery planning must be subject to regular testing and review, including documented results and debriefing sessions.

33. Testing should occur at least annually and be appropriate to the potential level of risk in terms of type of testing undertaken.

Strengths

Element (b) Aligned to Organisational Structure (cont.)

The following is a description of the current strengths of the agency’s risk management arrangements:

Staff articulate who has responsibility for risk management within the agency, confirmed as not being limited to a central coordinating team or individual. Staff describe their own risk management responsibilities in broad terms. Risk management issues are noted during performance reviews or discussions.

Management have direct involvement in promotion of risk management processes and monitoring of risk issues for their area of responsibility. Staff articulate the meaning of 'organisation-wide' risks, providing a key risk example from their area of responsibility. Risk management responsibilities are clearly defined within documentation such as Position Descriptions / Duty Statements or similar.

Risk assessment is routinely undertaken for significant work processes or business functions. A Risk Register exists reflecting key risks for all business units, including remote locations. Key risks represent a wide spectrum of risk categories, including insurable / non-insurable and risks without direct financial value (eg. reputation risks). Risk issues are escalated appropriately for action once identified.

Element Descriptions

Element (b) Aligned to Organisational Structure

Stage of Maturity Achieved: Context & Planning

This element measures agency capability with regard to allocation of responsibilities and accountabilities for risk management, including acknowledgement that all staff have some responsibility for the management of risk within the agency. It incorporates review of whether performance management processes support compliance with risk management arrangements, and whether feedback mechanisms exist to encourage ‘ownership’ of risk issues and their management.

Evidence is sought as to whether the agency utilises a risk register or similar to record, communicate and prioritise for action the key risk issues of the agency. Assessment considers the extent to which the agency has sought to address a wide range of risk issues, including non-insurable / insurable risks and risks without direct financial value (eg. reputational risks).

The level of risk awareness across the agency, including whether risk issues are escalated for action as required and whether risk management is regularly applied to business planning and decision-making, is a key area assessed in this element. Assessment also seeks evidence of staff / management utilisation of any central risk management function.

(a) Policy

High level documentation to guide risk management efforts

Creates link to organisational objectives

Determine ‘risk appetite’ for organisation

(b) Org Structure

Allocation of responsibilities and ‘ownership’ at all levels

Application of risk management to key points / decisions

Existence of feedback mechanisms

Central coordination

(c) Resources

Staff input into level / type of resources available

Application to prevention of risk

Reduce duplication

Feedback mechanisms

(d) Communication

Defines how, why, when risk should be dealt with

Consultation mechanisms

Suitability of communication

Knowledge of key risk issues

(e) Training

Define knowledge and competency needs of roles

Coordinated processes

Consideration of risk issues

Commitment to training

(f) Business Continuity

Documentation to guide emergency response, business continuity preparedness, disaster recovery

Based on critical business functions

Input from all areas

Plan testing & maintenance

(g) Reporting

Based on appropriate framework

Information as basis for decision-making

Formal and informal mechanisms

Consistent application

Analysis Tables

[Chart: Element (f) - Business Continuity Preparedness. Survey, Doc Review and Interview scores (0 to 100) by criteria: Context & Planning, Framework, Risk Profile, Implementation, Risk Treatment, Compliance & Review, Consolidation]

Agency Sign-off

Acknowledgement:

As the nominated senior management representative of [Agency Name], I acknowledge the assessment findings and recommendations provided within this report.

I acknowledge that appropriate opportunity has been provided to discuss results with Echelon Australia and to provide feedback or comment on any issues arising from review of this report.

I …………………………………………………..(print name) hereby provide sign-off on the RMAS Report compiled for [Agency Name], according to the acknowledgement provided above and subject to comments included overleaf as provided by this agency.

Signature: ……………………………………………………………

Date: ……………………………………………


How relevant is RMAS?

Equine Flu

• One risk issue can have far reaching consequences

Flow on effects:
• Stranded horses = stranded people
• Loss of income
• Olympic preparations
• APEC security arrangements
• Reputational damage
• Questions of compensation


Flow-on Effects

• Unknown impacts always exist

• How can these be anticipated or managed?

• Risk is not just a compliance issue

• The organisation must constantly learn from risk

What does this tell us?

Determining that a risk exists and evaluating its impact is only one aspect of risk management

Framework
Context
Culture

Organisational Resilience

• Early recognition of opportunities
• Innovation
• Focus on organisational performance
• Communication, commitment & trust
• Shared vision

Risk Management Maturity

• AWARENESS ensures staff are part of the bigger picture

• UNDERSTANDING = knowing the ‘why’ not just the ‘what’

Risk Management Maturity

• RELEVANCE = when personal & organisational goals align

• Personnel then ENGAGE willingly

RMAS

• Measures ability of organisation to proactively manage risk issues

• Not merely to recognise and monitor risk

You are the winner!

RISK MANAGEMENT

The RMAS ‘Experience’

• National Archives of Australia
  James Barr

• Rural Industries Research & Development Corporation
  Jeff Storer