8/13/2019 1 Developing a Risk Profile (1)
1/15
Risk Insight Series
Developing a Risk Profile
Front cover taken from the VMIA Corporate objectives (themes and their objectives):
Alert: Deliver timely advice to Government.
Prevent: Implement quality risk management advice and support to clients.
Protect: Tailored and appropriate insurance products and services.
Enable: Ensure that client needs are understood and addressed. Establish and retain an internal capability.
Disclaimer
This Risk Insight communication provides general information, current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to actions being taken on any of the information.
VMIA disclaims all responsibility and liability arising from anything done or omitted to be done by any party in reliance, whether wholly or partially, on any of the information. Any party that relies on the information does so at its own risk.
Acknowledgments
VMIA would like to acknowledge the contribution of Australian Risk Services Pty Ltd in the development of this document.
Version
SPO RI-1 1107
Introduction
During the 2006 Risk Framework Quality Review it was identified that many organisations were
unclear on the concept of what their risk profile was or how to accurately define one. This edition of
Risk Insights seeks to clarify the role, function and development of a Risk Profile.
Risk Management Background
The Australian and New Zealand Risk Management Standard, AS/NZS 4360:2004, defines risk as "the chance of something happening that will have an impact on objectives".
Corporate governance can be defined as the system by which organisations are directed and controlled. It is concerned with improving the performance of companies for the benefit of stakeholders. Risk management contributes to good corporate governance by providing reasonable assurance to boards and senior managers that the organisational objectives will be achieved within a tolerable degree of residual risk (defined by AS/NZS 4360 as the risk remaining after implementation of risk treatment).
Risk management is a comprehensive process, supported by appropriate strategies and frameworks
that are designed to identify, analyse, evaluate, treat, monitor and communicate those risks that could
prevent a department or agency from achieving its objectives. It covers strategic as well as
operational, financial and compliance risks. The Victorian public sector and the private sector use the
term enterprise-wide risk management to describe this comprehensive approach.
This document is intended to provide an overview of the key elements of establishing a risk profile. It is not a how-to guide. For more information on how the Australian and New Zealand Risk Management Standard AS/NZS 4360 can be applied to the risk management needs of a Victorian public sector agency, please contact your VMIA Risk Management Advisor.
Risk Management Process
The first step is ensuring that you have a sound risk management framework, consistent with the Australian and New Zealand Risk Management Standard, AS/NZS 4360:2004. Its key elements are noted below:
Establish the context
Risk identification
Risk analysis
Risk evaluation
Risk treatment
Monitor and review
Communication
The risk management strategy describes the principles that underpin an organisation's approach to risk and should be supported by risk management policies and procedures that describe the processes that will establish the identification, analysis, evaluation, treatment and reporting framework for risk. The purpose of the Strategy is to define how risk management will evolve.
Management of risk is an integral part of good business practice and quality management. Learning how to manage risk effectively enables managers to improve outcomes by identifying and analysing the wider range of issues and providing a systematic way to make informed decisions. A structured risk management approach also enhances and encourages the identification of greater opportunities for continuous improvement through innovation. This will assist in identifying the risks you face and prioritising them according to the likelihood of them occurring and the resulting impact on the business.
It must be emphasised that effective risk management involves more than merely creating a risk profile; all the stages of the process described in the Australian and New Zealand Risk Management Standard AS/NZS 4360 are equally important.
For a risk management program to be effective it needs to demonstrate a number of key
principles:
It is systematic, structured and evidence based where practicable.
It explicitly addresses uncertainty and the causes of uncertainty.
It is a core organisation process and an integral part of decision making.
It leads to the optimisation of control and maximisation of net benefit.
It is specific to the organisation, applied enterprise wide and tailored to its external and internal
context.
It forms part of the organisational culture, is transparent and understood by all interested
parties through their inclusion and involvement in the process.
It is dynamic, iterative and responsive to change.
It involves continuous communications and highly visible, comprehensive and frequent reporting of risk.
This document will however allow you to begin your risk management journey.
Establishing a Risk Profile for your Organisation
The risk profile is a snapshot of the organisation's operating environment and its capacity to deal with
key high-level risks and opportunities linked to the achievement of corporate objectives and results.
There are three outcomes as a result of developing the risk profile:
Threats and opportunities are identified.
The current status of risk management within the organisation is assessed and recognised in order to plan risk management strategies.
The organisation's risk profile is defined: key risk areas, risk tolerance, ability and capacity to mitigate, as well as learning needs.
Organisations take stock of their operating environment, identify key risks, and review the
organisation's capacity to deal with these risks. The Australian Standard in Risk Management AS4360
best represents this process. The stages of Risk Identification, Risk Analysis, Risk Evaluation and
Treatment of that standard describe the processes that lead to describing the Risk Profile of an
organisation.
Develop risk criteria (Likelihood & Consequence)
Decide the criteria against which risk is to be evaluated. Decisions concerning whether risk treatment
is required may be based on operational, technical, financial, legal, social, environmental,
humanitarian or other criteria. The criteria should reflect the context initially established.
Criteria may be affected by the perceptions of stakeholders and by legal or regulatory requirements. It
is important that appropriate criteria be determined at the outset.
Although the broad criteria for making decisions are initially developed as part of establishing the risk
management context, they may be further developed and refined subsequently as particular risks are
identified and risk analysis techniques are chosen. The risk criteria must correspond to the type of
risks and the way in which risk levels are expressed.
Sample risk criteria and matrix
Risk rating legend:
E: Extreme risk; detailed action plan required.
H: High risk; needs senior management attention.
M: Medium risk; specify management responsibility.
L: Low risk; manage by routine procedures.
High or Extreme risks must be reported to Senior Management and require detailed treatment plans to reduce the risk to Low or Medium.
Consequence criteria by category, from lowest (1) to highest (4) consequence. The highest-consequence column and the Financial row are cut off in the source and are shown as far as they survive:
People: (1) Injuries or ailments not requiring medical treatment. (2) Minor injury or First Aid Treatment Case. (3) Serious injury causing hospitalisation or multiple medical treatment cases. (4) Life threaten… injury or mul… serious injur… causing hospitalisati…
Reputation: (1) Internal review. (2) Scrutiny required by internal committees or internal audit to prevent escalation. (3) Scrutiny required by external committees or ACT Auditor General's Office, or inquest, etc. (4) Intense pub… political and m… scrutiny, e.g. … page headlines etc.
Business Process & Systems: (1) Minor errors in systems or processes requiring corrective action, or minor delay without impact on overall schedule. (2) Policy or procedural rule occasionally not met, or services do not fully meet needs. (3) One or more key accountability requirements not met; inconvenient but not client welfare threatening. (4) Strategies n… consistent w… Governmen… agenda. Tre… show service… degraded…
Financial: (1) 1% of Budget or …
Define the structure for the rest of the process
Risk identification will generally be unproductive if an attempt is made to consider the organisation or activity as a whole. It is much more effective to disaggregate the activity into categories or key elements. This concept is sometimes referred to as the risk universe.
(Figure: Risk Universe, Ernst & Young)
This involves subdividing the activity, process, project or change into a set of elements or steps in order to provide a logical framework that helps ensure significant risks are not overlooked. The structure chosen depends on the nature of the risks and the scope of the project, process or activity being assessed.
Each topic is somewhat narrower than the activity as a whole, allowing those performing the identification to focus their thoughts and go into more depth than they would if they tried to deal with everything at once. A well-designed set of key elements will stimulate creative thought, and ensure that all-important issues are put before those responsible for identifying risks.
Risk Tolerance/Appetite
Risk tolerance and performance expectations should be linked directly at the corporate level. Organisations should understand the correlation between the degree and duration of unfavourable variances from established performance expectations or targets and the level of risk exposure.
An organisation's tolerance for risk varies with its culture and with evolving conditions in its internal and external environments. An organisation's risk tolerance and that of its key stakeholders must be understood, because both will influence and guide decision-making. Management must determine which risks the organisation should accept at which levels, then re-evaluate these choices as circumstances change.
Identify risks
The Australian Standard refers to risk categories to prompt risk identification. Prompt lists include (but are not limited to):
Operational
Compliance
Public Liability
Property
Business Continuity / Disasters
Legal
Occupational Health & Safety
Environmental
Technology
Transaction Processing
Human Resources
Fraud
Security
Where resources available for risk identification and analysis are constrained, the structure and approach may have to be adapted to achieve efficient outcomes within resource limitations. For example, where less time is available, a smaller number of key elements may be considered at a higher level, or a checklist may be used. Building upon this over time will allow you to further develop the framework into a more comprehensive enterprise-wide profile.
Analyse the risks
The process of analysis will often commence with a simple qualitative approach that gives a general understanding. Where greater detail or understanding is required, more focused and robust investigation may be needed as well. It is inappropriate to assume that quantitative analysis is superior to qualitative analysis. It is more appropriate to ensure the best approach to fit the situation at hand.
The analysis can be conducted at various points, such as at the outset of a new project, as part of ongoing management, or as a study of what may occur after risks have been treated. Usually the analysis looks at the consequences of the event, should it occur, and at the likelihood of the event; both are assessed in the context of the effectiveness of the existing controls and strategies. During the risk identification step, many risks have been identified and it is often not possible to address all of them.
The risk analysis step will assist in determining which risks have a greater consequence or impact
than others. This will assist in providing a better understanding of the possible impact of a risk, or the
likelihood of it occurring, in order to make a decision about committing resources to control the risk.
Risk analysis involves combining the possible consequences, or impact, of an event with the likelihood of that event occurring. The result is a level of risk. The risk criteria and matrix shown above describe how this is done for qualitatively rated risks. When accurate quantified risk measures are available, the level of risk may be calculated, e.g.:
Level of Risk = consequence x likelihood
For each risk, you are required to define its Level of Risk using likelihood and consequences criteria.
Methods of analysis
There are two primary types of analysis. Qualitative methods include evaluation using multi-disciplinary groups; specialist and expert judgment; and structured interviews and questionnaires. Quantitative methods of risk analysis include statistical analysis of historical data; simulation and computer modelling; and statistical and numerical analysis.
Risk Evaluation
The purpose of risk evaluation is to enable more informed decision-making, based upon an analysis of
risk, treatments and priorities. Risk evaluation involves comparing the level of risk found during the
analysis process with risk criteria established when the context was considered.
Risk treatment
Knowing the risks of an organisation will not of itself reduce the risk exposure. Improvement in the risk environment stems only from the implementation of effective risk controls or treatments. Risk evaluation provides a list of risks requiring treatment, often with associated ratings or priorities. Risk treatment involves identifying a range of options for treating these risks, evaluating those options, preparing treatment plans and implementing them.
Before appropriate treatment actions can be determined, the analysis of each risk may need to be
revisited and extended to draw out the information needed to identify and explore different treatment
options.
The design of risk treatment measures should be based on a comprehensive understanding of the
risks concerned; this understanding comes from an appropriate level of risk analysis. It is particularly
important to identify the causes of the risks, control effectiveness and gaps so that preventative risk
treatments can be applied as well as mitigating treatments that will reduce the consequences,
likelihood or the symptoms of risk events.
The treatment plan should include:
Proposed action
Resource requirements
Responsibilities
Timing
Performance measures, and
Reporting and monitoring requirements
It will usually not be cost-effective or even desirable to implement all possible risk treatments. It is, however, necessary to choose, prioritise and implement the most appropriate combination of risk treatments. Treatment options, or more usually combinations of options, are selected by considering factors such as costs and benefits, effectiveness and other criteria of relevance to the organisation. Factors such as legal, social, political and economic considerations may need to be taken into account.
Treatment of individual risks will seldom occur in isolation and should be part of an overall treatment
strategy. Having a clear understanding of a complete treatment strategy is important to ensure that
critical dependencies and linkages are not compromised. For this reason development of an overall
treatment strategy should be a top-down process, driven jointly by the need to achieve business
objectives while controlling uncertainty to the extent that is desirable.
It is prudent to be flexible and consult broadly about risk treatment with stakeholders and perhaps the
wider community as well as peers and specialists. Many treatments need to be acceptable to
stakeholders or those who are involved in implementation if they are to be effective and sustainable. If
after treatment there is residual risk, a decision should be taken about whether to retain this risk or
repeat the risk process.
The Risk Register
A key step is to produce a document depicting the organisational risk profile. This usually flows from the risk register. The objective of the risk register is to capture, rank and report on risk. Therefore you need:
A database, spreadsheet or specialist system to capture and report.
A scoring mechanism for risks and controls to enable ranking of risks; usually the Level of Risk described above is used for this purpose.
The register captures the results of the environmental scans, risk assessment, and analysis and
identifies areas requiring corporate decisions or direction regarding risk management strategies.
Organisations have developed various ways to present results, including matrices, risk maps, and
reports with summaries by risk area.
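As an added example (not code from the VMIA document), the following Python sketch applies the Level of Risk = consequence x likelihood approach from the analysis section to a small security risk register and uses it as the register's ranking mechanism. The E/H/M/L bands and the rule that High or Extreme risks go to senior management with a treatment plan reducing them to Low or Medium come from the text; the 5x5 matrix layout, the rating scale names and the sample register entries are assumptions constructed for illustration.

```python
# Added example, not part of the VMIA document: qualitative risk scoring for a
# register. E/H/M/L bands and the senior-management rule follow the text; the
# 5x5 matrix, scale names and sample entries are constructed assumptions.
from dataclasses import dataclass

# Assumed five-point rating scales (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Assumed matrix: rows = likelihood (rare .. almost certain), columns =
# consequence (insignificant .. catastrophic). Bands follow the document's
# legend: L routine procedures, M specify management responsibility,
# H senior management attention, E detailed action plan required.
MATRIX = [
    "LLLMM",  # rare
    "LLMMH",  # unlikely
    "LMMHH",  # possible
    "MMHHE",  # likely
    "MHHEE",  # almost certain
]
RANK = {"L": 0, "M": 1, "H": 2, "E": 3}

@dataclass
class Risk:
    ref: str
    description: str
    likelihood: str
    consequence: str
    existing_controls: str  # controls already in place, considered when rating

def level_of_risk(likelihood: str, consequence: str) -> str:
    """Level of Risk = consequence x likelihood, read off the matrix."""
    row = LIKELIHOOD[likelihood.lower()] - 1
    col = CONSEQUENCE[consequence.lower()] - 1
    return MATRIX[row][col]

def needs_senior_management(level: str) -> bool:
    """High or Extreme risks must be reported to senior management."""
    return level in ("H", "E")

def treatment_acceptable(residual_likelihood: str, residual_consequence: str) -> bool:
    """A treatment plan for an H/E risk must bring the residual risk to Low or Medium."""
    return level_of_risk(residual_likelihood, residual_consequence) in ("L", "M")

def rank_register(register):
    """Score every entry and order the register highest level first."""
    scored = [(level_of_risk(r.likelihood, r.consequence), r) for r in register]
    return sorted(scored, key=lambda pair: RANK[pair[0]], reverse=True)

# Constructed sample register entries (not from the document).
SAMPLE_REGISTER = [
    Risk("R1", "Unpatched internet-facing server compromised", "possible", "major", "monthly patch cycle"),
    Risk("R2", "Backups cannot be restored after an outage", "likely", "catastrophic", "restores never tested"),
    Risk("R3", "Phishing leads to staff credential theft", "almost certain", "moderate", "MFA on email only"),
    Risk("R4", "Typo in an internal report template", "unlikely", "insignificant", "peer review"),
]

if __name__ == "__main__":
    for level, risk in rank_register(SAMPLE_REGISTER):
        note = " -> report to senior management; treatment plan required" if needs_senior_management(level) else ""
        print(f"{risk.ref} [{level}] {risk.description}{note}")
```

The same matrix lookup serves both the analysis step (rating each risk) and the evaluation step (checking that a proposed treatment's residual rating falls within the Low or Medium bands the text calls for).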
Use of a Risk Profile
The corporate risk profile is also intended to inform staff and stakeholders about the following:
risks emerging from the changing operating environment;
priority risks and how such risks are to be mitigated and managed;
risk tolerances and how they are to be communicated;
current capacity of the department to manage and mitigate significant risks; and
learning and support needs, structures, and actions to sustain integrated management of risk within the organisation.
(Figure: sample of a risk profile)
The corporate risk profile is updated annually and approved by senior management.
A risk profile may be represented in the form below which is known as a heat map.
Monitoring and review
Ongoing review is essential to ensure that the risk management plan remains relevant. Factors that
may affect the likelihood and consequences of an outcome may change, as may the factors that affect
the suitability or cost of the treatment options. It is therefore necessary to repeat the risk management
cycle regularly. Periodic reviews of risks and treatment strategies are particularly useful when they are
associated with business and strategic plan development and change management.
Actual progress against risk treatment plans provides an important performance measure and should be incorporated into the organisation's performance management, measurement and reporting system along with the Key Risk Indicators. Monitoring and review also involves learning lessons from the risk management process, by reviewing events, the treatment plans and their outcomes.
(Figure: example Treatment Report)
How VMIA can assist
Who We Are / What We Do
The Victorian Managed Insurance Authority (VMIA) is a statutory body established to provide risk management services to Victorian State Government departments and agencies.
The VMIA provides risk management advisory services, insurance products and support, and site risk surveys. These services are benchmarked against commercial equivalent practices and organisations. Insurance products provide coverage at levels equivalent to best market coverage, with the value-added risk management services costed within market-competitive premiums.
Our Focus
In order to enhance the service we offer, VMIA have introduced a new client-centric business model. Corporate-wide we have established three centres of excellence in the areas of client service, insurance/risk management products and services, and corporate governance.
A greater focus and emphasis is being placed on meeting our clients' needs through a team of specialists focused on providing strategic risk management consulting services in addition to insurance advice and coverage.
Risk Management Services
The VMIA develops and tailors its Risk Management and Insurance Services to clients' needs. If you would like to know more about our risk services, contact your Risk Management Advisor or access the VMIA website at www.vmia.vic.gov.au
Training
The Training Essentials program consists of training sessions, in-house training, seminars and networking events throughout the year. The aim of the Risk Management and Insurance training programs is to equip VMIA clients with the knowledge and skills to understand and plan for risk, and to have in place the appropriate insurance policies.
The VMIA launched its new-look Risk Leadership In Government seminar in mid July 2007. The series, consisting of workshops and seminars, presents the latest topics in Risk Management and Insurance and provides a great opportunity for participants to engage with leading professionals in the Risk Management and Insurance field.
For more information visit our website at: www.vmia.vic.gov.au
Level 30, 35 Collins Street, Melbourne, Victoria, 3000.
Phone: 03 9911 6900
Fax: 03 9270 6803
Email: [email protected]
Website: www.vmia.vic.gov.au