Risk Management Workshop Training Notes by Millaisb

infrastructure technology group

Risk Management
Workshop Training Notes

www.infratechgrp.com.au                    ABN 56 087 369 506
Infrastructure Technology Group Pty Ltd
sales@infratechgrp.com.au                  T 0431 548 717 ::: F 02 8456 5728

                                           Risk Management
infrastructure technology group            Workshop Training Notes



Document Change Control
Record significant document changes with a version increment of 1.0. Minor
administrative changes, where the meaning or intention of the document is not
altered, should increase the version by an increment of 0.1.

Version   Date      Author(s)                          Summary of Changes
1.0       June 10   Infrastructure Technology Group    Release




Document Sign-Off
Document in accordance with requirements and strategic architecture

Name (Position)                                        Signature        Date
Primary Person (IT Risk Manager)
Secondary Person (Secondary IT Manager)
Designated Signatory (Designated Signatory Position)



Document Nomenclature
To modify this document to suit your requirements, the following designations should be
replaced with your preferred name.

Document Name    Replacement
Acme Inc.        Your Company Name
ACME INC.        Abbreviated Company Reference




    Copyright ACME INC.                       Confidential                                   Page 2


TABLE OF CONTENTS

1. INTRODUCTION .......................................... 4
   1.1 KEY DEFINITIONS ................................... 4
2. ACME INC. RISK MANAGEMENT PROCESS ..................... 6
   2.1 ESTABLISH THE CONTEXT ............................. 6
   2.2 IDENTIFY RISKS .................................... 6
   2.3 ANALYSE RISKS ..................................... 7
   2.4 EVALUATE RISKS .................................... 10
   2.5 TREAT RISKS ....................................... 10
       Risk Treatment Plans .............................. 11
       Business Impact Statements ........................ 11
   2.6 CONTINUALLY MONITOR AND REVIEW .................... 11
       Issues Register ................................... 11
   2.7 RECORDS ........................................... 12
APPENDIX 1: ACME INC. RISK AND ISSUES REGISTER ........... 13
APPENDIX 2: RISK TREATMENT PLAN TEMPLATE ................. 15
APPENDIX 3: EXAMPLE RISKS ................................ 17
GLOSSARY ................................................. 20







1. Introduction
Acme Inc. (ACME INC.) is committed to establishing and maintaining an effective
enterprise risk management process that provides the foundations and organisational
arrangements for designing, implementing, monitoring, reviewing and continually improving
risk management for all business events.

ACME INC. adopts a risk management framework that is consistent with the current
risk standard AS/NZS 31000:2009 (the Standard). The ACME INC. risk management
framework is set out in this document.

Diagram 1: Overview of the AS/NZS ISO 31000:2009 Risk Management Process.[1]




1.1 Key definitions
The Standard defines risk as the effect of uncertainty on objectives.

Note 1 - An effect is a deviation from the expected, positive and / or negative.
Note 2 - Objectives have different aspects (such as financial, health and safety, and
environmental goals) and can apply at different levels (such as strategic, organisation-wide,
project, product and process).
Note 3 - Risk is often characterised by reference to potential events and consequences, or a
combination of these.
Note 4 - Risk is often expressed in terms of a combination of the consequences of an event
(including changes in circumstances) and the associated likelihood of occurrence.
Note 5 - Uncertainty is the state, even partial, of deficiency of information related to,
understanding or knowledge of, an event, its consequences or likelihood.



[1] Standards Australia, 'Australia/New Zealand Risk Management – Principles and Guidelines: AS/NZS 31000:2009', Figure 1.



A risk framework is the set of components that provide the foundations and organisational
arrangements for designing, implementing, monitoring, reviewing and continually
improving risk management throughout the organisation.

Note 1 - The foundations include the policy, objectives, mandate and commitment to
manage risk. The organisational arrangements include plans, relationships,
accountabilities, resources, processes and activities.

Note 2 - The risk management framework is embedded within the organisation's overall
strategic and operational policies and practices.







2. ACME INC. Risk Management Process

2.1 Establish the context
Establishing the context articulates an organisation's objectives, defines the external and
internal parameters and sets the scope and risk criteria for the remaining process.

The first step is to define the business objectives or project goals and their related
performance measures. Since the management of risk is performed at various levels, the
final goal might be high-level strategic outcomes and program outputs. It may be the reason
an activity or project is undertaken.

The objectives and criteria of a particular project or activity should be considered in the
light of the objectives of the organisation as a whole. Once these are defined, it can be
determined what risks need to be managed to accomplish those goals.

The external context is the social and cultural, political, legal, regulatory, financial and
technological environment, and the key drivers and trends having an impact on the objectives
of the organisation. For ACME INC., governing legislation, stakeholder expectations, the
media focus of the day and new technology are examples of issues to be considered.

The internal context includes governance, policies, objectives, and the strategies that are in
place to achieve them. Other policies that might be relevant include the Disaster Plan, the
Fraud Policy, Guarantee of Service, media protocols and other staff policies, which are
located on the ACME INC. intranet.

The context of the risk management process involves defining the goals and objectives of
risk management activities and defining responsibilities within the risk management
process.

In ACME INC. the Risk Management Policy outlines the risk management objectives and
performance measures and the responsibilities and accountabilities for risk management.



2.2 Identify Risks
Identifying risks involves answering the questions 'what can happen' and 'how can it
happen'.

The aim is to create a comprehensive list of risks based on those events that might create,
enhance, prevent, degrade, accelerate or delay the achievement of objectives.

The ACME INC. risk rating tool (or matrix) contains a list of potential exposures or sources
of risk that a project might face.

Appendix 3 in this document contains examples of the types of risks encountered during
business or project activity.

The table below outlines some possible sources or methods for identifying risks.




METHODS FOR IDENTIFYING RISKS
Business objectives                        Examination of other Businesses' experience
Project goals and performance measures     Expert judgement
Social, cultural and political issues      Corporate plan
Legal                                      Past organisational experience
Audits or physical inspections             Systems analysis
Financial                                  SWOT analysis
Technological                              Previous Business Risk Registers
Stakeholder consultation                   Satisfaction surveys and complaints register
ACME INC. Policies



2.3 Analyse risks
Risk analysis involves consideration of the causes and sources of risk, their positive and
negative consequences and the likelihood that those consequences can occur. A combination
of the likelihood and consequence of a risk provides a 'risk rating' or score.

The ACME INC. risk rating system is a process intended to ensure a consistent standard
across ACME INC. for rating operational risks. A copy of the ACME INC. risk matrix
appears in Appendix 1.

Before deciding on the likelihood or the consequences of a risk event occurring, review any
current controls or emergency procedures already in place, as these will affect the
consequences and / or likelihood of any event.

For example, the probability of computer hardware failure occurring would be rated lower if
there is already a regular maintenance and upgrade schedule in place. The probability of a
fire being catastrophic would be lower if a sprinkler system is already installed in the
building.

Analysing risks is a three-step process:

1. Examine the potential likelihood of the risk event occurring. Risk likelihoods are
   rated in the following way at ACME INC.:

   DESCRIPTOR       DESCRIPTION
   Almost certain   The event is expected to occur in most circumstances, i.e. a
                    common occurrence in business operation
   Likely           The event will probably occur in most circumstances, i.e. a
                    known history of occurrence in business operation
   Moderate         The event could occur at some time, i.e. has happened once
                    before
   Unlikely         This event is not likely to occur in normal circumstances
   Rare             The event may occur only in exceptional circumstances




2. Estimate the potential consequences of the risk event occurring. Consideration should
   be given to the current risk controls that might be in place for each risk.

The following table is a guide on how to apply risk level consequences to identified risks at
ACME INC.:

Risk Consequence Guide

[Table truncated in this extract. Recoverable column headings: DESCRIPTOR; CAPACITY TO MEET
ACME INC. ...; INTEGRITY AND REPUTATION OF ...; PHYSICAL DISAS...; HEALTH AND ...]