CEO Instructions Risk management


COMCARE
PUTTING YOU FIRST
RISK MANAGEMENT
CEO Instructions
CEO Instructions are procedural in nature. They explain significant policies and procedures that are to be
complied with by all Comcare staff and contractors. The CEO Instructions may be supported by policy
frameworks, process manuals and templates.
TABLE OF CONTENTS
SCOPE
WHAT IS RISK?
RISK MANAGEMENT FRAMEWORK OBJECTIVES
COMCARE’S RISK ATTITUDE
FRAMEWORK
MANAGEMENT OF COMCARE’S CORPORATE RISKS
MANAGEMENT OF COMCARE’S GROUP RISKS
RISK INDICATORS
MANAGEMENT OF PROJECT RISKS
RESPONSIBILITIES
RISK MANAGEMENT TOOLKIT
FURTHER INFORMATION
SCOPE
1. The management of risk, in conjunction with other Comcare and government directions, is integral
to achieving Comcare’s Outcomes and corporate objectives identified in the Strategic Plan 2010-
2015. All employees need to recognise the importance of successful risk management.
2. Comcare’s managers and staff can conduct effective risk management if they understand the nature
of the risks in their work areas and systematically identify, analyse, evaluate, treat, and monitor
those risks.
3. This Instruction details the responsibilities of employees in the management of Comcare’s risks.
CEO INSTRUCTION—RISK MANAGEMENT
WHAT IS RISK?
4. Risk is the effect of uncertainty on the achievement of Comcare’s objectives and is measured in
terms of likelihood, consequence, and impacts.
RISK MANAGEMENT FRAMEWORK OBJECTIVES
5. Comcare’s primary objectives for effective risk management are to improve its ability to deliver
against its Outcomes and corporate objectives in an efficient and effective manner through:
> developing and sustaining an effective risk management culture throughout the whole
organisation
> creating an environment where all Comcare employees assume responsibility for managing risk
> demonstrating transparent and responsible risk management processes aligned with accepted
best practice standards and methods.
6. Comcare will manage risk in accordance with the Australian/New Zealand Standard AS/NZS ISO
31000:2009—Risk Management.
COMCARE’S RISK ATTITUDE
7. Comcare recognises that adverse risks are inherent to undertaking its activities, and expects that
they will be mitigated to acceptable levels. For this purpose Comcare has articulated a framework for
assessing the likelihood and consequences of risks in order to define the action required for their
reporting and mitigation to tolerable levels. This framework is detailed in the Comcare Risk
Management Toolkit, and is to be applied to the management of all risks within the agency.
FRAMEWORK
8. Comcare applies risk management at three levels and incorporates it into the management of the
agency as follows:
Corporate risks: High level risks that, should they occur, would impact on Comcare as
an entity, or on a broad range of Comcare’s service delivery and regulatory activities.
Management of these risks typically requires a whole of Comcare response, although this
action may be coordinated by a single Group or team.
Group risks: Risks associated with the delivery and effective management of specific
Comcare services, or regulatory activities undertaken in accordance with its obligations
and organisational objectives. Typically these risks may be managed effectively at the
Group level.
Project risks: Risks associated with the definition, design, execution and
implementation of specific projects undertaken by Comcare. Typically these risks may be
managed effectively at the project team or project sponsor level.
MANAGEMENT OF COMCARE’S CORPORATE RISKS
9. The identification and management of Comcare’s corporate risks is fundamental to the effective
governance of Comcare as an entity. To support this, a Comcare Corporate Risk Register is to be
developed with input from:
> the Safety, Rehabilitation and Compensation Commission strategic risk assessment
> the Seafarers’ Safety, Rehabilitation and Compensation Authority strategic risk assessment
> Comcare’s Executive.
10. The Comcare Corporate Risk Register is to be subject to quarterly review in conjunction with
Comcare’s business planning process so that identified actions required to mitigate corporate risks
can be effectively accommodated in Group business plans.
MANAGEMENT OF COMCARE’S GROUP RISKS
11. Comcare undertakes an annual business planning process to define, prioritise and resource the
activities it intends to undertake in order to support its strategies and objectives. A key outcome of
that planning process is a schedule of activities to be undertaken as detailed in Groups’ approved
business plan.
12. Risks inherent to those activities are to be identified and managed in accordance with Comcare’s
Risk Management Framework. To support this, Group input to the Comcare Group Risk Register and
an associated risk management plan are to be developed in conjunction with Group Business Plans,
and endorsed by General Managers.
13. The currency and completeness of Group components of the Comcare Group Risk Register and risk
management plans are to be maintained through their regular quarterly review and update.
14. Progress in the mitigation of risks rated as “high” or “medium” is to be reported quarterly in the
context of Comcare’s Business Plan Reporting process.
RISK INDICATORS
15. The ongoing currency and completeness of Corporate and Group Risk Registers is dependent on
them fully reflecting the risks to Comcare and Group objectives, as well as the nature and status of
treatments implemented for their management. To assist in this, both registers are to be subject to
comprehensive review following any indication that there have been substantial changes in Comcare’s
activities and environment that may significantly change Comcare’s risk profile.
MANAGEMENT OF PROJECT RISKS
16. In addition to ongoing or recurrent business as usual activities, Comcare undertakes numerous
projects to support its objectives. Projects can be distinguished from business as usual activities in
that they:
> have a defined or definable commencement and completion date
> are typically short term in duration
> have a distinct management cycle and process
> play a supporting or enabling role in the achievement of Comcare’s business objectives.
17. Projects encompass a wide range of activities such as:
> the design, development and implementation of business systems
> the procurement of goods and/or services to be used in the delivery of Comcare’s services
> staff training programs undertaken to support a one-off event or activity.
18. The application of sound risk management practices is central to the effective management of
projects. To support this, risk registers and risk mitigation plans are to be developed, maintained
and communicated to assist in the management of:
> projects expected to cost more than $400,000 in direct staff and contractor costs
> procurements of goods and/or services valued at $400,000 or more.
RESPONSIBILITIES
19. Employees are to be familiar with, and competent in, the application of Comcare’s Risk Management
Framework, and are accountable for the delivery of the Framework within their areas of
responsibility. In specific terms this means that the responsibility for the management of risk can be
described as follows:
> The Comcare and Seacare Authority Audit Committee provides independent assurance and
assistance to the Chief Executive on the agency’s risk management policies, practices and
frameworks
> The Risk Monitoring Forum is responsible for monitoring progress with risk management,
compliance and assurance processes for the SRCC, Comcare and the Seacare Authority. It will
examine, in greater detail than the Audit Committee, the application of these processes to
Comcare operations, and the implementation of the 2015 strategy. The Risk Monitoring Forum
will provide advice to the Chief Executive Officer on strategies to respond to risks based on
value at risk, monitor progress of treatments recorded in risk registers and escalate serious
matters to the Executive for consideration. It will report to the Comcare and Seacare Audit
Committee on proposed changes to the risk management framework and the status of risks
> Director, Governance, Audit and Risk, Corporate Services Group, is responsible for the
implementation of the Risk Management Framework throughout Comcare. This includes
arranging appropriate training and support as required
> General Managers are to ensure the Comcare Risk Management Framework is applied in the
management of their Group. Specific to this is overseeing the development, approval and
reporting of Group components of the Comcare Risk Register and associated risk management
plans
> Delegates for covered procurements (those valued at over $400,000 in accordance with
guidance contained in the Commonwealth Procurement Guidelines) are responsible for ensuring
a risk assessment and risk management plan are developed for the procurement, and for their
approval
> Project managers for all projects valued at more than $400,000 are responsible for ensuring
a risk assessment and risk management plan are developed for the project, and are maintained
and updated as required to assist in the effective management of the project
> Governance, Audit and Risk Team (GAR), Corporate Services Group, is responsible for the
overall provision of advice and guidance on risk management matters, including:
– facilitating and coordinating periodic reporting on Comcare’s key risks, risk management
practices, and risk profile as required to meet the needs of Comcare’s Executive and the
Audit Committee. This will include the maintenance of a consolidated whole of Comcare
strategic and enterprise risk register
– development of an annual agency risk management plan detailing action to be taken to
address Comcare’s significant risks and mechanisms implemented to monitor their
implementation
– disseminating information on identified better risk management practices throughout
Comcare
– maintenance of a framework to monitor, assess and report on the implementation and
ongoing effectiveness of Comcare’s risk management framework
> Managers, at all levels, are required to create an environment where managing risk is accepted
as the personal responsibility of each member of Comcare.
RISK MANAGEMENT TOOLKIT
20. A key component of the Comcare risk management framework is the Risk Management Toolkit. The
toolkit has been developed to assist managers and employees to assess risks and develop risk
assessment plans. It contains step by step instructions on how to perform a risk assessment.
21. Included in the Risk Management Toolkit are risk matrixes used to analyse the likelihood and
consequences of a risk, and define the actions required to mitigate the risk consistent with
Comcare’s risk appetite. These matrixes are to be used in the management of all risks within
Comcare, unless an alternative framework is used in order to comply with externally mandated
requirements in relation to a specific area of risk. The use of any such alternative framework should
be discussed with the Director, Governance, Audit and Risk.
22. Also included in the Risk Management Toolkit are indicators that provide guidance as to when the
Corporate and Risk Registers should be subject to comprehensive review to ensure they remain
current following significant changes to Comcare’s activities or environment.
FURTHER INFORMATION
23. Further information is available from the Director, Governance, Audit and Risk.
Paul O’Connor
Chief Executive Officer
September 2012
Attachments:
> Risk Management Toolkit
> Risk Register Template