kidsafe nsw risk management plan

Kidsafe NSW

Risk Management Plan

August 2014

Kidsafe NSW Risk Management Plan of 22


Document Control

Document Approval

Name & Position Signature Date

Document Version Control

Version Status Date Prepared By Comments

Document Reviewers

Name & Position Signature Date



Contents Page

1 . I N T R O D U C T I O N .......................................................................................... 4

1.1 Purpose ................................................................................................................................ 4 1.2 Scope ................................................................................................................................... 4

2 . R I S K M A N A G E M E N T P R O C E S S .................................... 5

2.1 What is Risk Management? ................................................................................................. 5 2.2 Risk Management in Practice .............................................................................................. 5

3 . C O N T I N U A L I M P R O V E M E N T O F T H E R I S K F R A M E W O R K ..................................................................................................... 1 2

4 . R E V I E W A N D A P P R O V A L ..................................................... 1 3

A P P E N D I X A – R I S K R A T I N G C R I T E R I A ............... 1 4

A P P E N D I X B – R I S K R E G I S T E R T E M P L A T E 1 8

A P P E N D I X C – R I S K E V E N T R E G I S T E R T E M P L A T E .............................................................................................................. 1 9

A P P E N D I X D – N E W A N D E M E R G I N G R I S K S T E M P L A T E .............................................................................................................. 2 0

A P P E N D I X E – D E F I N I T I O N S .................................................... 2 1

A P P E N D I X F – R E L A T E D P O L I C I E S A N D D O C U M E N T S ...................................................................................................... 2 2



1. Introduction

1.1 Purpose

The Risk Management Plan has been developed to support Kidsafe NSW in managing risk across the organisation including:

► The process to identify, assess, treat, monitor and review risks.

► The criteria for assessing risk, including evaluation of controls.

► Guidance for the documentation, reporting and escalation of risks.

1.2 Scope

The Procedure complies with the follow guidance and is applicable to all employees of Kidsafe NSW:



2. Risk Management Process

2.1 What is Risk Management?

Risk is defined as the effect of uncertainty on objectives (ISO 31000:2009). Risk management is a set of coordinated activities that enables the identification and management of risk in a consistent, systematic, credible and timely manner. The purpose of risk management is to minimise the impact of uncertainty and undesirable events on operations and to provide adequate information to enable effective decision making and the protection of value.

2.2 Risk Management in Practice

A risk management process is a systematic application of management policies, procedures and practices to the activities of communicating and consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk. This Procedure is structured in accordance with the process defined in ISO 31000:2009 and detailed below in Figure 1.

Figure 1: Kidsafe NSW - Risk Management Process

2.2.1 Communication and Consultation

Communication and consultation with external and internal stakeholders is an ongoing activity which should be conducted across all stages of the risk management process. It will enable the provision, sharing and obtaining of risk information and will ensure that stakeholders understand the basis upon which decisions are made, and the reasons why particular actions are required.



2.2.2 Establishing the Context

This step considers both the external and internal parameters to be taken into account when identifying and managing risk, and sets the scope and risk criteria for the remaining process.

The external context can include, but is not limited to:

► The social and cultural, political, legal, regulatory, financial, technological, economic and competitive environment.

► Key drivers and trends having impact on the objectives of Kidsafe NSW.

► Relationships with, perceptions and values of external stakeholders.

The internal context can include, but is not limited to:

► Kidsafe NSW‟s governance, organisational structure, roles and accountabilities.

► Policies, objectives, and the strategies that are in place to achieve them.

► Capabilities in relation to resources and knowledge.

► The relationships with and perceptions and values of internal stakeholders and the organisational culture.

2.2.3 Risk Identification

Risk identification involves identifying sources of risk, areas of impact and causes and potential consequences of risks. The aim of this step is to generate a comprehensive list of risks based on those events which might create, enhance, prevent, degrade, accelerate or delay the achievement of Kidsafe NSW‟s strategic objectives.

Kidsafe NSW is required by to assign identified risk to a risk category, in line with their Risk Categories. These are contained in Appendix A of this procedure, to assist in identifying sources of risk. Additional methods of identifying risk include:

► A structured brainstorming session based on the risk categories listed in Appendix A.

► Review of past events.

► Review of external and internal audit report.

► Consideration of community/ client complaints.

► Results from monitoring activities.

► Benchmarking with competitors.

► Advice from external experts.

► Focus group discussions (facilitated internally or externally) where more detailed discussions are held relating to risk.

To assist in the clarity, consistency, and comparability of risks identified, Kidsafe NSW will capture risk information in the Kidsafe NSW Risk Register Template defined in Appendix B of this Procedure. The structure of the Kidsafe NSW Risk Register is compliant with the requirements of the QIC Standards. Each risk record documented in the risk register should include the following details:

► Unique risk identification number

► The linkage of the risk into the Kidsafe NSW Strategic Direction.

► The Kidsafe risk category to which the risk pertains.

► The assigned risk owner.

► The date on which the risk was raised.

► A description of the nature of the risk.

► The causes which might give risk to the risk.

► The potential consequences of the risk.

► The nature of existing controls currently in place.

The above requirements are documented in the Kidsafe NSW Risk Register Template which is provided in Appendix B of this Procedure.



2.2.4 Risk Analysis

Risk analysis is the process to comprehend the nature of the risk and to determine the level of risk. The assessment process involves a consideration of the risk criteria in terms of likelihood and consequence. Existing controls and their effectiveness should also be taken into account.

The risk analysis process involves the assignment of an overall residual risk rating for each risk documented in the risk register through the following steps.

► Inherent risk – determine the likelihood and consequence of a risk event if it were to occur in the absence of controls.

► Identify and assess controls – identify the existing controls in place to address the risk and assess how effectively these are in operation.

► Residual risk rating – determine the likelihood and consequence of a risk event, taking into consideration the effectiveness of the control environment.

To support employees in the analysis of risk, Kidsafe NSW has adopted standardised risk rating criteria to be applied across the organisation.

Step 1: Inherent Risk Considerations

Consideration should be given to the likelihood and consequence of a risk occurring, in the absence of existing controls. The inherent nature of the risk event will facilitate an understanding of the extent of controls or treatment plans required to mitigate the risk to an acceptable level.

For each risk identified, the inherent likelihood, consequence and overall risk rating should be documented in the Kidsafe NSW Risk Register. The Kidsafe NSW risk tolerance level should also be recorded in the Kidsafe NSW Risk Register.

Step 2: Identify and Assess Controls

A control is any process, policy, device, practice, or other actions that modify a risk. There may be one or more existing controls in place to prevent, detect and mitigate the identified risk. For each control identified the following should be recorded in the Kidsafe NSW Risk Register:

► A control description which succinctly describes the action used to modify the likelihood or the consequence of the risk.

► A control owner should be assigned.

► An assessment of the operating effectiveness of controls should be determined on a holistic basis, using the criteria set out in Appendix A.

Step 3: Residual Risk Rating

The residual risk rating will be determined by combining the likelihood and consequence of the risk taking into account the effectiveness of existing controls:

► Likelihood refers to the chance of something happening. The Kidsafe NSW risk likelihood criteria is outlined in Appendix A.

► Consequence refers to the outcome of an event affecting objectives. This should be quantified based on the most credible (not the worst case) impact of the risk. The consequence criteria provided in Appendix B provides guidance on the indicative consequence for risks and has been developed with consideration to Kidsafe NSW‟s Risk Appetite.



2.2.5 Risk Evaluation

The purpose of risk evaluation is to assist in making decisions around which risks require further treatment, based on the outcomes of the risk analysis. Risk evaluation will enable the prioritisation of risk treatments and the direction of resources towards high priority risk areas. Kidsafe NSW has adopted the following matrix to guide the actions required for risks based on their overall residual risk rating.

Rating Description

Catastrophic ► Risks to be escalated to the Council and Governance Committee.

► The Executive Oficer will escalate all Catsstrophic, High and Moderate rated risks to the the Council and Governance Committee.

► Risk treatment plans should be developed and directed towards reducing the severity of the risk.

► Risk owners should be assigned to perform ongoing monitoring of the progress of risk treatment plans. Monitoring should occur on a monthly basis.

High

Moderate

Minor

► Risks should be managed within the Executive Oficer‟s capability and business operations.

► Risk treatment options should be identified and risk owners assigned.

► Risks should be monitoring on an ongoing basis.

Insignificant ► Accept risk/ monitor and review through standard management processes.

During the implementation of the Kidsafe NSW Risk Management Framework, the Executive Officer may determine that it is necessary to escalate medium and insignificant rated risks to the Council or Governance Committee. The decision to do so remains at the discretion of the Executive Officer.

The level of the organisation to which the risk should be escalated should be documented in the Kidsafe NSW Risk Register.

Target Risk Rating

The target risk is a desired level of risk that is achieved through implementation of risk treatments to reduce unacceptable risk levels (e.g. high and extreme risks) to an acceptable level.

The target risk rating is achieved once treatment plans have been fully developed and implemented (refer to Section 2.2.6 for further detail). This may require further action if the initial controls, once fully developed and implemented, do not achieve the desired outcome or target risk rating.

The target risk rating taking into consideration the impact of risk treatment plans should be recorded in the Kidsafe NSW Risk Register.



2.2.6 Risk Treatment

Risk treatment involves selecting one or more options for addressing and modifying risk, and implementing those options. Risk treatment involves a cyclical process of:

► Assessing a risk treatment.

► Deciding whether residual risk levels are tolerable.

► If not tolerable, generating a new risk treatment.

► Assessing the effectiveness of that treatment.

Risk treatment options are not mutually exclusive or appropriate in all circumstances. A number of treatment options can be considered and applied either individually, or in combination. Treatment options can include:

► Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk.

► Taking or increasing the risk in order to pursue an opportunity.

► Removing the risk source.

► Changing the likelihood.

► Changing the consequences.

► Sharing the risk with another party or parties (including contracts and risk financing).

► Retaining the risk by informed decision.

Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived. When selecting risk treatment options, Kidsafe NSW should consider the values and perceptions of stakeholders and the most appropriate ways to communicate with them. Though equally effective, some risk treatments can be more acceptable to some stakeholders than to others.

Risk treatment plans should be developed for all risks with a residual risk rating of medium to extreme. However, treatment plans for extreme and high risks should include:

► Details of the treatment plan selected including expected benefits to be gained, the resource requirements and performance measures and constraints.

► The treatment owner responsible and accountable for implementing the treatment plan.

► The target resolution date for monitoring and reporting requirements.

► Status update and progress of actions undertaken against the treatment plan.

The above detail should be recorded in the Kidsafe NSW Risk Register.



2.2.7 Monitoring and Review

Both monitoring and review should be a planned part of the risk management process, and should involve regular checking and surveillance. Kidsafe NSW‟s monitoring and review process should encompass all aspects of the risk management process for the purpose of:

► Ensuring that controls are effective and efficient in both design and operation.

► Obtaining further information to improve the risk assessment process across the organisation.

► Analysing and learning lessons from events (including near-misses), changes, trends, successes and failures.

► Detecting changes in the external and internal context, including changes to the risk criteria and the risk itself which can require revision of risk treatments and priorities.

► Identifying new and emerging risks.

Kidsafe NSW‟s monitoring and review requirements are outlined in the table below.

Activity Requirements Frequency

The Council Risk Register

Review

► On a six-monthly basis the Council should review the content of the Kidsafe Risk Register to ensure that it accurately reflects the organisation‟s Risk Profile.

► On a monthly basis all additions to the Risk Register should be reviewed by The Council. This review should include the appropriateness of the assigned risk rating and the risk treatment plan.

Six-Monthly/ Monthly

Governance Committee

Risk Register Review

► On a six-monthly basis each Governance Committee member should review the content of the Risk Register to ensure that it accurately reflects the Risk Register.

Six-Monthly

Executive Officer Review

► A report will be prepared for the Council and Governance Committee on a quarterly basis which details:

► Sumary of new and emerging risks identified subsequent to the previous meeting.

► All Catastrophic, Major and Moderate rated risks identified across the organisation.

► All movements in the rating of Catastrophic, Major and Moderate rated risks across theorganisation

► All risk events with consequence ratings of Catastrophic, Major and Moderate.

Quarterly



2.2.8 Escalation

Risk Event Escalation

An event is referred to an occurrence or changes of a particular set of circumstances. An event without consequences can also be referred to as a near miss, near hit or close call.

When an event occurs, the following escalation process should be followed.

► It is the responsibility of all employees to escalate events to the Excutive Officer.

► Upon receiving the relevant information from the employee, the Executive Officer will assign a consequence rating to the event, using the Kidsafe NSW Risk Matrix.

► The Executive Officer will escalate the event to the Governance Committee and / or The Council.

► All events will be reported to the Governance Committee and / or The Council.

► Where the consequence of the event is „Catastrophic, Major and Moderate‟ (in accordance with the Kidsafe NSW Risk Consequence Criteria) the event will be reported to the Governance Committee and / or The Council.

► Upon reviewing the event, the Executive Officer will escalate events with a Catastrophic, Major and Moderate‟ consequence to the Governance Committee and The Council

Events should be captured in the Kidsafe NSW Event Register contained in Appendix C of this Procedure.

New and Emerging Risks

Emerging risks are newly developing or changing risks which are often difficult to quantify and may have a substantial impact on the business. New and emerging risks that are considered Catastrophic, Major and Moderate‟ will be escalated through the standard risk escalation process detailed in Section 2.2.5. Ongoing monitoring of new and emerging risks should be reported in accordance to the requirements set out in Section 2.2.7.

Details of new and emerging risks that are required to be escalated and/ or reported should be documented in the Kidsafe NSW New and Emerging Risk Register detailed in Appendix D.



3. Continual Improvement of the Risk Framework

Kidsafe NSW is committed to an annual review of its risk management framework to ensure that risk management is effective and continues to support organisational performance. The Council and Governance Committee will monitor and evaluate Kidsafe NSW‟s performance in relation to risk management. This will be informed by the following periodic reviews:

► Evaluation of the effectiveness and alignment of the Kidsafe NSW Risk Management Plan (e.g. against better practices).

► Engagement with key stakeholder to confirm that risk management and reporting is relevant and meet informational requirements.

► Assessment of the awareness of management and staff in relation to their risk management responsibilities (e.g. through Performance Planning and Development).

► Review of training and development needs of managers and staff in relation to their risk management responsibilities.

► Review of the completeness and currency of risk registers across all categories of risk.

The results of reviews will be used to inform decisions relating to how the Risk Management Plan can be improved to support the management of risk and an improved risk management culture across Kidsafe NSW.



4. Review and Approval

This Risk Management Plan will be reviewed annually, or more frequently as required, in accordance with The Council and Governance Committee‟s review and approval.



Appendix A – Risk Rating Criteria

Likelihood Rating: Use the table below to determine the likelihood of the risk occurring.

Likelihood Description Probability

Rare Only occurs in exceptional circumstances < 5%

Unlikely May occur at some time 5% - 40%

Possible Should occur at some time 40% - 70%

Likely Will probably occur 70% - 95%

Almost certain Expected to occur in most circumstances or occurs regularly > 95%

Control Effectiveness: Rank the effectiveness of the current controls to prevent, detect and mitigate the risk.

Control

Effectiveness Description

IneffectiveThe control design does not meet the control objective/ and or the control is not

applied or is applied incorrectly.

Partially effectiveThe control design meets the control objective and the control is normally

operational but occasionally is not applied w hen it should be, or not as intended.

EffectiveThe control design meets the control objective and the control is operating the

majority of the time



Consequence Table: Rank the risk based on the consequence if the risk were to occur.

Impact Catastrophic Major Moderate Minor Insignificant

Strategic Non-achievement of strategic objectives

Limited achievement of strategic objectives

Reasonable achievement of the strategic objectives

Achievement of most of the strategic objectives

Achievement of almost all of the strategic objectives

Legal & compliance Non-compliance with majority of the legislations and standards. Deregistering Kidsafe NSW as a business entity and charity organisation

Non-compliance with significant legislations and standards. Fines and penalties levied against Kidsafe NSW

Non-compliance with some of the legislations and standards. Fines and penalties levied against Kidsafe NSW

Compliance with most of the legislations and standards

Compliance with almost all the legislations and standards

Financial Zero funding and reserved funds do not cover provisions for debts and operating costs. Actual deficit > $ 500,000

Zero funding and reserved funds do not cover provisions for debts and operating costs. Actual deficit > $ 250,000

Reduced funding and reserved funds do not cover provisions for debts and operating costs. Actual deficit > $ 100,000

Reduced funding and reserved funds reasonably covers provisions for debts and operating costs. Actual deficit < $ 90,000

Funding and reserved funds cover provisions for debts and operating costs. Actual deficit < $ 10,000

Reputation Continuous negative national media attention affecting Kidsafe brand reputation

Negative national media attention affecting Kidsafe brand reputation

Some negative national / state media attention affecting Kidsafe brand reputation

Localised negative media attention affecting Kidsafe brand reputation

Localised negative attention because of poor service delivery

Business Continuity Complete loss of operational capacity and facilities

Significant loss of operational capacity and facilities

Some loss of operational capacity and facilities

Minimal loss of operational capacity and facilities

Insignificant loss of operational capacity and facilities



Impact Catastrophic Major Moderate Minor Insignificant

Safety Death / significant injury of staff, visitor, volunteer or client at Kidsafe activities and onsite

Serious injury of staff, visitor, volunteer or client at Kidsafe activities and onsite resulting in hospitalisation and permanent incapacitation

Serious injury of staff, visitor, volunteer or client at Kidsafe activities and onsite requiring hospitalisation and long term rehabilitation

Injury of staff, visitor, volunteer or client at Kidsafe activities and onsite requiring first aid or medical attention

Minor injury of staff, visitor, volunteer or client at Kidsafe activities and onsite requiring basic first aid

Operational Inability to deliver all of the contractual obligations and Kidsafe services within the agreed timeframes

Inability to deliver majority of the contractual obligations and Kidsafe services within the agreed timeframes

Inability to deliver some of the contractual obligations and Kidsafe services within the agreed timeframes

Inability to deliver minor components of the contractual obligations and Kidsafe services within the agreed timeframes

Minimal impact on contractual obligations and Kidsafe services

People Significant loss of key staff and Council with no contingency/ succession plan in place affecting capacity to deliver strategic KPIs

Loss of key staff and Council members with no contingency/ succession plan in place affecting capacity to deliver strategic KPI's

Inadequate contingency / succession plan in place to deliver strategic KPI's

Adequate contingency / succession plan in place to deliver strategic KPI's

Minimal impact on service delivery and achievement of strategic KPIs



Risk Rating: Combining the Likelihood and Consequence will provide a risk rating in accordance with Kidsafe NSW Risk Matrix detailed below.

Legend

Risk Rating

High A - E

Significant: F – K

Medium L – R

Low U - Y

Catastrophic Major Moderate Minor Insignificant

Rare G L O V Y

Unlikely F I N U X

Possible C H M R W

Likely B E K Q T

CONSEQUENCE

LIKELIHOOD

Almost

certain A D J P S



Appendix B – Risk Register Template

Please refer to the Kidsafe NSW Risk Register Template contained in Microsoft Excel for additional details.



Appendix C – Risk Event Register Template

Event ID Risk Category Location Date Event Description Cause Consequence Description Consequence Classification Actions / Status / Timing

E.001

E.002

E.003

E.004

E.005

E.006



Appendix D – New and Emerging Risks Template

Risk Category Date Raised Risk Description Causes Consequences Actions

Kidsafe NSW Risk Management Procedure of 22

Risk Management Procedure

Appendix E – Definitions

Term Definition

Communication and Consultation

Continual and iterative processes that an organisation conducts to provide, share or obtain information and to engage in dialogue with stakeholders regarding the management of risk.

Consequence Outcome of an event affecting objectives.

Control Measure that seeks to address, modify or mitigate risk.

Establishing the Context

Defining the external and internal parameters to be taken into consideration when managing risk, and setting the scope and risk criteria for effective risk management.

Event Occurrence or change of a particular set of circumstances. An event without consequences can also be referred to as a “near miss”, “near hit” or “close call”.

External context External environment in which the organisation seeks to achieve its objectives.

Internal context Internal environment in which the organisation seeks to achieve its objectives.

Level of Risk Magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.

Likelihood Chance of something happening.

Monitoring Continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected.

Residual risk Risk remaining after risk treatment.

Review Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objective.

Risk Effect of uncertainty on objectives.

Risk Analysis Process to comprehend the nature of risk and to determine the level of risk.

Risk Assessment Overall process of risk identification, risk analysis and risk evaluation.

Risk Criteria Terms of reference against which the significance of a risk is evaluated.

Risk Evaluation Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/ or its magnitude is acceptable or tolerable.

Risk Identification Process of finding, recognising and describing risks.

Risk Management coordinated activities to direct and control an organisation with regard to risk

Risk Management Framework

Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.

Risk Management Process

Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.

Risk Profile Description of any set of risks.

Risk Treatment Process to modify or mitigate risk.

Stakeholder Person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity.

Kidsafe NSW Risk Management Procedure of 22

Risk Management Procedure

Appendix F – Related Policies and Documents

Issuer Reference Document Name

Kidsafe NSW Risk Register