Risk Management in E


#  | SECTION                 | REQUIREMENT                                                                                                                              | ESSENTIAL (E) / ADVANCED (A) | IN PLACE (Yes/No)
1  | Communicate and Consult | Has the board and executive expressed their support for a risk management programme?                                                     | E |
2  | Establish the Context   | Have you identified a person who will be responsible for implementing risk management?                                                   | E |
3  | Establish the Context   | Does the risk manager, or equivalent, have reasonable access to staff and management across the organisation?                             | E |
4  | Establish the Context   | Have you defined categories of risk relevant to your organisation and industry?                                                          | E |
5  | Establish the Context   | Do your risk categories reflect all operational risk areas of the business as well as more strategic risk                                | E |
6  | Establish the Context   | Is there a clear organisational strategy (or objectives) articulated for the organisation?                                               | A |
7  | Establish the Context   | Have you defined and agreed a likelihood scale to assess the potential for the risk to occur throughout the organisation?                | E |
8  | Establish the Context   | Have you defined and agreed a consequence scale to help assess risk impacts across the organisation?                                     | E |
9  | Establish the Context   | Does the organisation's consequence scale describe both financial and non-financial impacts?                                             | E |
10 | Establish the Context   | Does the risk management framework consider the effectiveness of controls or risk treatments?                                            | E |
11 | Establish the Context   | Is there an agreed template or format for recording risks and risk treatment information (a risk register)?                              | E |
12 | Establish the Context   | Has a risk policy been defined?                                                                                                          | E |
13 | Establish the Context   | Does the organisation have a documented risk management strategy?                                                                        | A |
14 | Communicate and Consult | Has the risk committee (or equivalent) and the board reviewed and approved the risk policy/                                              | E |
15 | Establish the Context   | Do job descriptions of key stakeholders include responsibilities for risk management?                                                    | E |
16 | Establish the Context   | Is a formal project management methodology used to manage projects?                                                                      | A |
17 | Establish the Context   | Is a mechanism in place to identify, assess, record and monitor risks on projects?                                                       | A |
18 | Establish the Context   | Has the organisation agreed what types and levels of risk are unacceptable?                                                              | E |
19 | Establish the Context   | Is there an agreed format/template for reporting on risk?                                                                                | A |
20 | Establish the Context   | Is there a process and/or template where new risks can be recorded by the executive and staff?                                           | E |
21 | Communicate and Consult | Is risk management or awareness training provided to all staff?                                                                          | E |
22 | Communicate and Consult | Does the risk manager (or equivalent) have access to the CEO, board and Audit/Risk Committee when                                        | E |
23 | Communicate and Consult | Do staff know that they have a right and responsibility to assist in risk identification and                                             | E |
24 | Communicate and Consult | Do staff know who to report/escalate risks to?                                                                                           | E |
25 | Communicate and Consult | Do managers or supervisors know that they are responsible for managing risk in their area/s of                                           | E |
26 | Communicate and Consult | Have the executive and the board provided guidance on what information they would like to see in risk reports?                           | E |
27 | Communicate and Consult | Is there agreement on when and how often risk reports will be produced?                                                                  | E |
28 | Communicate and Consult | Have the recipients of risk reports been identified and agreed?                                                                          | E |
29 | Communicate and Consult | Can different risk reports be produced to meet different needs of stakeholder groups?                                                    | A |
30 | Communicate and Consult | Has responsibility for managing/treating specific risks been assigned and communicated to those                                          | E |
31 | Communicate and Consult | Are staff encouraged or incentivised to report risk or suggest risk reduction strategies?                                                | A |
32 | Risk Assessment         | Has a risk brainstorming workshop (or workshops) been conducted?                                                                         | E |
33 | Risk Assessment         | Have you considered the history of events and incidents in your organisation during the risk assessment process?                         | A |
34 | Risk Assessment         | Has research been performed to understand common risks in the industry?                                                                  | A |
35 | Risk Assessment         | Has the executive and board considered risks relating to the achievement of key organisational goals and objectives?                     | A |
36 | Risk Assessment         | Are risks identified during compliance reviews/audits always added to the risk register?                                                 | E |
37 | Risk Assessment         | Have existing controls been identified for risks during the risk assessment process?                                                     | E |
38 | Risk Assessment         | Has the perceived effectiveness of controls been assessed by a person who understands the risk and the controls in place?                | E |
39 | Treat Risks             | Does the risk register record the job title of the person responsible for overseeing the risk treatment and monitoring process (the 'risk owner' or 'risk | E |
40 | Treat Risks             | Have you identified possible actions/treatment plans that could help to reduce the risk level?                                           | E |
41 | Treat Risks             | Have the benefits of a treatment approach been compared to the potential cost of the risk to determine the appropriateness of the treatment | A |
42 | Treat Risks             | Have risk treatment or action plans been documented and approved for important risks?                                                    | E |
43 | Treat Risks             | Have due dates/completion dates been agreed for risk treatment actions and plans?                                                        | E |
44 | Treat Risks             | Is there a clear understanding of who will oversee the risk treatment selection and execution process?                                   | E |
45 | Treat Risks             | Have key risk indicators (KRIs) been defined and agreed for key risks/risk areas?                                                         | A |
46 | Treat Risks             | Are the organisation's physical assets appropriately                                                                                     | E |
47 | Treat Risks             | Is a business continuity plan (BCP) in place for critical organisational functions/processes?                                            | A |
48 | Risk Assessment         | Has the risk register been updated in the last year?                                                                                     | E |
49 | Risk Assessment         | Is the risk register updated throughout the year to reflect changes in risk and emerging risks?                                          | A |
50 | Monitor and Review      | Does your risk process follow the steps described in the AS/NZS 4360:2004 Standard?                                                      | E |
51 | Monitor and Review      | Does the Internal Audit function or equivalent review risk management processes?                                                         | A |
52 | Monitor and Review      | Is an Internal Audit function/process in place?                                                                                          | A |
53 | Monitor and Review      | Do your internal auditors focus their time and effort on the most critical risks recorded in the risk                                    | A |
54 | Monitor and Review      | Does the organisation track changes in risk levels over time in order to understand trends/changes in risk levels?                       | A |
55 | Monitor and Review      | Has the risk policy been reviewed and approved in the last year?                                                                         | E |
56 | Monitor and Review      | Has the board and/or risk management committee (or equivalent) made an attestation in the annual report in accordance with the Victorian Government Risk Management Framework (if applicable)? | E |
57 | Monitor and Review      | Is the risk process integrated with other organisational planning processes - for example, is risk considered during the strategic planning, budgeting and audit planning processes? | A |

