Risk Management Assessment Service (RMAS)
Amanda Dobie-Brown, Project / Risk Manager - RMAS
Echelon Australia
Enterprise Risk Management
New Approach
• Integrated
• Self sustaining
• Underlying value system
• Performance improvement
• All organisational levels
• Existing resources
• Align efforts to risk appetite
Today’s Session
• Why RMAS?
• RMAS update
• Agency benefits
• Report format
• RMAS ‘experience’ - relevance, agency feedback
RMAS Update
• First 12 months
• Slow uptake
• Very positive feedback
• Process working well
• Agency size not predictive of results
• Refining approach
RMAS Positives
• Free service
• Independent review and analysis
• Framework, Context & Culture considered
• Minimal impact on agency time and resources
• Enterprise Risk Management approach
Agency Benefits
• High quality, practical feedback
• Detailed findings and tailored recommendations
• Agency may test or confirm existing perceptions of capability
• Increases profile of risk management amongst staff
• Qualitative measure of enterprise risk management capability
Assurance
May assist annual compliance reporting by contributing quality risk management information to the assurance process.
Report Format: Overview of Format
• Elements
• Criteria
• Results Tables
• Recommendations
• Analysis Tables
• Sign-off
Report Format
Agency Sign-off: Senior management acknowledge assessment findings and recommendations through formal sign-off.
Executive Summary: Key Findings, Overall Results and Key Recommendations provided in summarised form.
Part I: Summary of Results
Results for seven key elements provided in table format, including breakdown of contributing factors to score.
Brief guidance as to the maturity continuum and key elements applied, to assist interpretation of results.
Part II: Findings & Discussion
Assessment results and findings in full for each key element, including detailed recommendations and additional comments by Risk Assessor.
Separate analysis tables for each key element, showing survey, document review and interview scores.
Elements
a) Risk Management Policy
b) Aligned to Organisational Structure
c) Resources allocated
d) Communication Strategy
e) Risk Training Strategy
f) Business Continuity Preparedness
g) Risk Reporting Framework
Criteria
1. Context & Planning
2. Framework
3. Risk Profile
4. Implementation
5. Risk Treatment
6. Compliance & Review
7. Consolidation
Measuring Criteria (maturity continuum): Context, Framework, Risk Profile, Implemented, Treatment, Compliance, Consolidation, leading to RM Maturity.
Overall Results
Results Tables
(d) Risk Communication Strategy
This element measures agency capability with regard to development of a strategy for the communication of risk issues to internal and external stakeholders, including documented guidance as to when, why and how to implement risk management in line with agency objectives.
Assessment findings support achievement of the following stages of maturity for this element:
[Results table: stages of maturity as columns (Context & Planning, Framework, Risk Profile, Implementation, Risk Treatment, Compliance & Review, Consolidation); scores shown for Survey, Document Review and Interview, plus Overall Result.]
Combination of survey, document review and interview scores provides the following overall result for this element: Consideration of Risk Profile working toward achievement of Implementation in development of an enterprise risk management system.
Recommendations
• Key Recommendations: ‘next step’ for each element
• Summary Tables: short form recommendations
• Assessment Results & Recommendations: detailed strengths & weaknesses
Recommendations:
29. An appropriate level of resources and infrastructure must exist to support all stages of response / recovery from business interruption.
30. Staff must understand the key stages of response / recovery as relevant to their role, including but not limited to emergency evacuation.
31. The agency must take action to ensure a state of readiness exists for a range of business interruption scenarios.
32. Response / recovery planning must be subject to regular testing and review, including documented results and debriefing sessions.
33. Testing should occur at least annually and be appropriate to the potential level of risk in terms of type of testing undertaken.
Strengths: Element (b) Aligned to Organisational Structure (cont.)
The following is a description of the current strengths of the agency’s risk management arrangements:
Staff articulate who has responsibility for risk management within the agency, confirmed as not being limited to a central coordinating team or individual. Staff describe their own risk management responsibilities in broad terms. Risk management issues are noted during performance reviews or discussions.
Management have direct involvement in promotion of risk management processes and monitoring of risk issues for their area of responsibility. Staff articulate the meaning of 'organisation-wide' risks, providing a key risk example from their area of responsibility. Risk management responsibilities are clearly defined within documentation such as Position Descriptions / Duty Statements or similar.
Risk assessment is routinely undertaken for significant work processes or business functions. A Risk Register exists reflecting key risks for all business units, including remote locations. Key risks represent a wide spectrum of risk categories, including insurable / non-insurable and risks without direct financial value (eg. reputation risks). Risk issues are escalated appropriately for action once identified.
Element Descriptions: Element (b) Aligned to Organisational Structure
Stage of Maturity Achieved: Context & Planning
This element measures agency capability with regard to allocation of responsibilities and accountabilities for risk management, including acknowledgement that all staff have some responsibility for the management of risk within the agency. It incorporates review of whether performance management processes support compliance with risk management arrangements, and whether feedback mechanisms exist to encourage ‘ownership’ of risk issues and their management.
Evidence is sought as to whether the agency utilises a risk register or similar to record, communicate and prioritise for action the key risk issues of the agency. Assessment considers the extent to which the agency has sought to address a wide range of risk issues, including non-insurable / insurable risks and risks without direct financial value (eg. reputational risks).
The level of risk awareness across the agency, including whether risk issues are escalated for action as required, and whether risk management is regularly applied to business planning and decision-making is a key area assessed in this element. Assessment also seeks evidence of staff / management utilisation of any central risk management function.
(a) Policy
• High level documentation to guide risk management efforts
• Creates link to organisational objectives
• Determine ‘risk appetite’ for organisation
(b) Org Structure
• Allocation of responsibilities and ‘ownership’ at all levels
• Application of risk management to key points / decisions
• Existence of feedback mechanisms
• Central coordination
(c) Resources
• Staff input into level / type of resources available
• Application to prevention of risk
• Reduce duplication
• Feedback mechanisms
(d) Communication
• Defines how, why, when risk should be dealt with
• Consultation mechanisms
• Suitability of communication
• Knowledge of key risk issues
(e) Training
• Define knowledge and competency needs of roles
• Coordinated processes
• Consideration of risk issues
• Commitment to training
(f) Business Continuity
• Documentation to guide emergency response, business continuity preparedness, disaster recovery
• Based on critical business functions
• Input from all areas
• Plan testing & maintenance
(g) Reporting
• Based on appropriate framework
• Information as basis for decision-making
• Formal and informal mechanisms
• Consistent application
Analysis Tables
[Chart: Element (f) - Business Continuity Preparedness. Scores (0 to 100) plotted against the criteria Context & Planning, Framework, Risk Profile, Implementation, Risk Treatment, Compliance & Review and Consolidation, with separate series for Survey, Doc Review and Interview.]
Agency Sign-off
Acknowledgement: As the nominated senior management representative of [Agency Name], I acknowledge the assessment findings and recommendations provided within this report.
I acknowledge that appropriate opportunity has been provided to discuss results with Echelon Australia and to provide feedback or comment on any issues arising from review of this report.
I …………………………………………………..(print name) hereby provide sign-off on the RMAS Report compiled for [Agency Name], according to the acknowledgement provided above and subject to comments included overleaf as provided by this agency.
Signature: ……………………………………………………………
Date: ……………………………………………
How relevant is RMAS?
Equine Flu
• One risk issue can have far reaching consequences
Flow on effects:
• Stranded horses = stranded people
• Loss of income
• Olympic preparations
• APEC security arrangements
• Reputational damage
• Questions of compensation
Flow-on Effects
• Unknown impacts always exist
• How can these be anticipated or managed?
• Risk is not just a compliance issue
• The organisation must constantly learn from risk
What does this tell us?
Determining that a risk exists and evaluating its impact is only one aspect of risk management.
Framework, Context, Culture
Organisational Resilience
• Early recognition of opportunities
• Innovation
• Focus on organisational performance
• Communication, commitment & trust
• Shared vision
Risk Management Maturity
• AWARENESS ensures staff are part of the bigger picture
• UNDERSTANDING = knowing the ‘why’ not just the ‘what’
• RELEVANCE = when personal & organisational goals align
• Personnel then ENGAGE willingly
RMAS
• Measures ability of organisation to proactively manage risk issues
• Not merely to recognise and monitor risk
You are the winner! RISK MANAGEMENT
The RMAS ‘Experience’
• National Archives of Australia: James Barr
• Rural Industries Research & Development Corporation: Jeff Storer