Risk Management Plan - DOC

					infrastructure technology group




                            Risk Management



                   Risk Management Plan




www.infratechgrp.com.au                                                              ABN 56 087 369 506
                               Infrastructure Technology Group Pty Ltd
sales@infratechgrp.com.au                                                T 0431 548 717 ::: F 02 8456 5728



Document Change Control
Please note significant document changes with a version increment of 1.0. Minor
administrative changes, where the meaning or intention of the document is not altered,
should increase the version by an increment of 0.1.

  Version                Date                    Author(s)               Summary of Changes
 1.0               June 10           Infrastructure Technology Group   Release




Document Sign-Off
Document in accordance with requirements and strategic architecture
 Name (Position)                                     Signature                          Date

 Primary Person
 IT Risk Manager

 Secondary Person
 Secondary IT Manager

 Designated Signatory
 Designated Signatory Position



Document Nomenclature
To modify this document to suit your requirements, the following designations should be
replaced with your preferred name.


                     Document Name                                       Replacement

Acme Inc.                                               Your Company Name.
ACME INC.                                               Abbreviated Company Reference




    Copyright ACME INC.                       Confidential                                     Page 2


TABLE OF CONTENTS
1. INTRODUCTION
   1.1 KEY DEFINITIONS
2. ACME INC. RISK MANAGEMENT STRUCTURE
   2.1 ROLES AND RESPONSIBILITIES
   2.2 Risk Management Objectives, Strategies and Actions
   2.3 RISK MANAGEMENT PERFORMANCE INDICATORS
3. ACME INC. RISK MANAGEMENT PROCESS
   3.1 ESTABLISH THE CONTEXT
   3.2 IDENTIFY RISKS
   3.3 ANALYSE RISKS
   3.4 EVALUATE RISKS
   3.5 TREAT RISKS
     Risk Treatment Plans
     Business Impact Statements
   3.6 CONTINUALLY MONITOR AND REVIEW
     Issues Register
   2.7 RECORDS
APPENDIX 1: CORPORATE RISKS ALIGNMENT TO OPERATIONS AND BUSINESS PROJECT RISKS
APPENDIX 2: ACME INC. RISK REVIEW CALENDAR
APPENDIX 3: ACME INC. RISK MANAGEMENT TOOLS
       Risk Treatment Plan
       Risk Business Impact Statement
       Appendix 4: Risk Management Staff Training Plan
GLOSSARY







1. Introduction
Acme Inc. (ACME INC.) is committed to establishing and maintaining an effective
enterprise risk management process to provide the foundations and organisational
arrangement for designing, implementing, monitoring, reviewing and continually improving
risk management for all business events.

ACME INC. adopts a risk management framework that is consistent with the current risk
standard AS/NZS 31000:2009. The ACME INC. risk management framework is set out in
this document.

Diagram 1: Overview of the AS/NZS ISO 31000:2009 Risk Management Process. [1]




1.1 Key Definitions [1]
The Standard defines risk as the effect of uncertainty on objectives.

Note 1 - An effect is a deviation from the expected – positive and/or negative.
Note 2 - Objectives have different aspects (such as financial, health and safety, and
environmental goals) and can apply to different levels (such as strategic, organisation wide,
project, product and process).
Note 3 - Risk is often characterised by reference to potential events and consequences, or a
combination of these.
Note 4 - Risk is often expressed in terms of a combination of the consequences of an event
(including changes in circumstances) and the associated likelihood of occurrence.
Note 5 - Uncertainty is the state, even partial, of deficiency of information related to,
understanding or knowledge of an event and its consequences or likelihood.


[1] Standards Australia, ‘Australia/New Zealand Risk Management – Principles and Guidelines: AS/NZS 31000:2009’, Figure 1.




Risk Framework is a set of components that provide the foundations and organisational
arrangements for designing, implementing, monitoring, reviewing and continually
improving risk management throughout the organisation.

Note 1 - The foundations include the policy, objectives, mandate and commitment to
manage risk.

The organisational arrangements include plans, relationships, accountabilities, resources,
processes and activities.

Note 2 - The risk management framework is embedded within the organisation's overall
strategic and operational policies and practices.







2. ACME INC. Risk Management Structure
Risk Management is performed at three levels within ACME INC.:

Corporate - the risks associated with Acme Inc. as a whole carrying out its business
objectives articulated in the 2XXX-2XXX Corporate Plan and relevant legislation. These
risks are high level and organised into strategic categories which relate to the survival of
the organisation, and / or impact on partners / customers as a whole.

Operational – the risks associated with the management of Acme Inc. business units or
branches of Acme Inc. and relate to the performance measures outlined in the Acme Inc.
2XXX – 2XXX Corporate Plan. These risks are identified, documented and managed in the
Acme Inc. 'Normal Operating Environment' Risk Register.

Project - the risks associated with Acme Inc. events. These risks are identified,
documented and managed using individual project risk registers through the Programme
Management Office.


2.1 Roles and Responsibilities
The Acme Inc. CEO is responsible and accountable for ensuring that the Acme Inc. Risk
Management Policy is implemented and reviewed regularly, for approving the Risk
Management Plan and for reviewing the recommendations of the Audit and Risk
Committee.

The Acme Inc. Director of Finance and Administration is responsible for defining and
documenting the Acme Inc. approach to risk with the CEO, for obtaining active, ongoing
support from Acme Inc. Senior Management to implement the Risk Management Policy and
Plan and reporting to the Audit and Risk Committee.

The Management Committee and the Programme Board are responsible for regularly
reviewing high priority risks and issues, reviewing the approach to managing significant
risks and ensuring risk management is implemented into business units and projects. The
Programme Board also provides direction to Project Owners and Project Managers for
issues and risks they have escalated.

Business Unit Managers develop risk profiles and identify, document and mitigate branch
risks and report high level risks to the Management Committee.

Project Managers develop risk profiles, identify, document and mitigate project risks and
report high level risks to the Project Owner and the Programme Management Office.

All staff are responsible for applying risk plans in the areas of their responsibility by
identifying, communicating and responding to expected or emerging risks.

The Audit and Risk Committee reviews significant risks and the approach for managing
significant risks, the appropriateness of the risk management process and the effectiveness
of the process for developing strategic risk management plans. The Audit and Risk
Committee provides independent assurance to the CEO that Acme Inc. has in place
compliant policies, plans and framework.




2.2 Risk Management Objectives, Strategies and Actions
The management of risk within ACME INC. has a number of objectives and related
strategies and performance measures.

When implementing the risk framework, ACME INC. aims to ensure the continuation of
our services in the event of a disruption, to implement a risk methodology consistent with
the Australian standard, to ensure that staff are accountable with regular reporting and
review procedures in place, and to create a workplace which communicates and supports
risk management with tools and training.

These objectives and their accompanying strategies and actions are summarised in the
table below:


Table 1: ACME INC. Risk Management Objectives, Strategies and Actions

RISK MGT         RISK STRATEGIES                          RISK MANAGEMENT ACTIONS
OBJECTIVES
Business         Contingency and recovery                 Risk treatment (contingency) plans in place
Continuity       planning at corporate, operational       for high level corporate, operations (branch)
                 and project levels.                      and project risks.
                 Regular monitoring of internal           Record of meeting minutes for project, branch
                 and external environment to              and Management Committee meetings to note
                 assess potential impact on               changes and decision process for risk
                 organisational and project risk          priorities due to changes to internal or
                 priorities.                              external context.
Correct Risk     Tools, techniques and other              Risk Management Policy and Plan approved
Methodology      resources available to support the       and endorsed by the CEO.
                 application of risk management.          Risk management registers in use for
                                                          corporate, operational and project levels.
                                                          Learning tools available.
                                                          Risk management resource available to assist
                                                          with implementation and training.
                 Risk methodology is consistent           Regular internal audits of operations and
                 with AS/NZS 31000:2009 and               projects to include compliance with the ACME
                 compliant with relevant                  INC. Risk Management Policy and Plan.
                 legislation and applicable policies.
                 Governance - risk management             Risk Policy signed off by CEO
                 strategies and top risks are             Compliance checklist for organisational goals
                 aligned with organisational goals.       and alignment with corporate risks contained
                 Management commitment to risk            in Risk Management Plan.
                 management is demonstrated and
                 communicated.






Accountability    Systematic reporting and review          Evidence of further analysis of high level risks
                  mechanisms in place.                     by Project Managers and Directors in the form
                                                           of Business Impact Statements and Risk
                                                           Treatment Plans as per procedure.
                                                           Quarterly reports to the Audit and Risk
                                                           Committee detailing high rating operations
                                                           and business event risks and contingency
                                                           plans in place.
                                                           Management Committee meeting minutes of
                                                           risk register review and update annually for
                                                           corporate risks, quarterly for operational
                                                           (branch) risks.
                                                           Programme Board meeting minutes
                                                           demonstrating review of high level risks
                                                           Minutes of the Audit and Risk Committee
                                                           meetings to review high level risks and
                                                           determine that appropriate contingencies
                                                           exist.
                                                           Internal and external audit reports.
                  Communication and consultation           Communication outcomes documented for
                  processes in place for internal and      consultations with affected stakeholders risk
                  external stakeholders.                   strategies.
                  Risk management accountabilities         Annual email to all staff reminding of risk
                  and responsibilities communicated        obligation.
                  throughout the organisation.             Statement for inclusion in position
                                                           descriptions for permanent staff and business
                                                           staff.
                                                           Policy and plan available on staff intranet.
Education and     Staff training sessions and              Project based information sessions on
Training          learning tools.                          managing risk.
                                                           Training plan documented and regularly
                                                           reviewed.




2.3 Risk Management Performance Indicators
In relation to the success of the management of the risk process at ACME INC., the
following four key performance indicators are in place:

RM1: ACME INC. Results Indicator and Key Results Area service measures are achieved in
the case of an identified risk event;

RM2: All major risks to ACME INC. have been identified and have an associated risk
mitigation strategy in place;

RM3: External audit results contain no non-conformances to the risk management process
outlined in this document; and






RM4: All staff are informed of their obligations and responsibilities with regard to risk in
the organisation.

In a management strategy, the success of risk management, including risk treatments, is
also defined with regard to the achievement of specific project objectives.

The table overleaf outlines the five strategic risk categories for ACME INC., corporate
risks and their alignment with the objectives and performance measures listed in the
ACME INC. 20xx Corporate Plan.




DOCUMENT INFO
Description: The Risk Management Plan provides the information required to establish, promote, train and implement a tried and tested Risk Management process within a company or government department. The plan is based around the standard AS/NZS 31000:2009.
PARTNER Michael Baldwin