2. Learning outcomes and objectives
• Have a better understanding of AS/NZS ISO 31000:2009 (Risk management – Principles and Guidelines)
• Understanding the link between governance and risk in Victoria
• Knowledge of each activity contained in the risk management process
• An understanding of the linkage between governance, risk and control
• Use of tools and techniques necessary for managing the risks facing your organisation
• Apply the risk management principles within your area of responsibility
• Conduct a basic risk assessment applying the tools supplied
3. Risk defined
Definition - What is Risk?
“The chance of something happening that will have an impact on achieving objectives” - AS/NZS 4360:2004
“Effect of uncertainty on objectives” - ISO 31000
(Source: ISO31000 Risk Management – Principles and Guidelines on Implementation, 2009)
Module 1 – Introduction to Governance and
Risk Management
4. Risk Management - a comprehensive process
• Supported by appropriate strategies and frameworks
• Designed to identify, analyse, evaluate, treat, monitor
and communicate risks that could prevent a department
or agency from achieving its objectives.
• Covers strategic, operational, financial and compliance
risks.
• The term “enterprise-wide risk management” is widely
used both by the Victorian public sector and the private
sector to describe this comprehensive approach.
5. What are the benefits of a Risk Management
framework?
• Enables identification of threats and opportunities for an
agency
• Improves and informs the planning process
• Reduces likelihood of costly “surprises”
• Contributes to improved resource allocation
• Improves efficiency and performance
• Improves accountability
• Encourages continual improvement
6. Governance and risk management in Victoria – why is
risk management important?
Legislative obligation
•Victorian Managed Insurance Authority Act (1996) and
•Financial Management Act (1994).
Financial Management Act – requires agencies to develop and
implement a risk management strategy, and keep it under review.
There is a quarterly monitoring process established under the Act.
Victorian Managed Insurance Authority Act - requires participating
bodies to develop and implement a risk management strategy, and
keep it under review.
Board obligation
The Board is required to attest annually that the risk management
framework is in place. The VGRMF imposes the obligation.
7. Example of an attestation clause (VGRMF)
I, [Accountable Officer], certify that as at 30th June 20XX the
[Department] has risk management processes in place consistent with
the Australian/New Zealand Risk Management
Standard (or equivalent designated standard) and
an internal control system is in place that enables the executive to
understand, manage and satisfactorily control risk exposures. The
audit committee verifies this assurance and that the risk profile of the
[Department] has been critically reviewed within the last 12 months.
(Source: Victorian Government Risk Management Framework, July 2007, Attachment A, p. 21)
8. Link between Governance and Risk Management
What is Corporate Governance?
•Three basic elements - stewardship, leadership, and control.
•Corporate governance is the framework established by a governing body
to ensure that stakeholders, primarily the Parliament, the Government
and the Victorian community, have assurance that the agency is fulfilling
its responsibilities with due diligence and accountability.
•This stewardship relationship demands that Boards establish processes
to both delegate and limit power to pursue the organisation’s strategy and
direction in a way that enhances the prospects for the organisation’s long-
term success.
9. Risk management governance structure
(Diagram: organisation chart across three tiers: Board Level, Management Level and Operational Level. Bodies shown: Board of Directors, Audit & Risk Committee, Other Board Committees, CEO, Executive Team, Management Team, Manager Quality & Risk, Service Quality and Risk Mgt Committee, Risk Management Advisory Committee, Quality Committee, Other Sub-Committees, Staff/Volunteers. Role labels: Oversight, Critique, Guide, Monitor & Review, Identify, Assesses, Execute.)
10. The integration of risk management
Any successful alignment of risk management and governance requires
four key factors:
•an agency focus – where there is an identifiable source of risk management expertise
in the agency and senior managers come together on a regular basis to discuss risk
management issues
•an agency direction – where a clear direction and strategy is established for risk
management, including articulating the agency’s risk appetite and giving a clear mandate for
what constitutes effective risk management
•decision-making structures – where risk management is not a separate process, but
a key consideration at all parts of the decision-making chain: being factored into strategic
and operational planning; included as a common component in all project proposals and
business cases; and incorporated into advice to Ministers; and
11. The integration of risk management
• agency capacity and capability – where the agency’s executive management
invests time and resources to build momentum, capacity and capability, including:
ensuring that there is a shared language of risk management; a common understanding of
the principles; training and development to build expertise; and established tools and
processes for risk management.
Integrated risk management requires an ongoing assessment of potential risks
and opportunities for an agency at every level. The results should inform agency
level risks, facilitate priority setting and improve an agency’s decision making.
Clear links should be established between risk management, Government
policies and priorities, agency objectives (vertical integration), and agency policy
and operations (horizontal integration).
12. Enterprise wide perspective
(Diagram: the framework cycle of Mandate and Commitment, Design of Framework for Managing Risk, Implementing Risk Management, Monitoring & Review of the Framework, and Continual Improvement of the Framework. Surrounding elements: 11 Principles, Risk Management Policy, Risk Management Plan(s), Risk Management Process(es), Risk Register/Risk Profile, Risk Reporting, Assurance/Attestation Plan, Organisational Strategy & Objectives (Measures & Targets).)
13. Integrated approach
Achievement of Strategies & Objectives
Corporate governance is the guidance system for achieving planned objectives – it is an objective-focused concept. It is a process by which organisations are directed, controlled and held to account.
Corporate Governance comprises:
• Risk Controls – Risk controls provide reasonable assurance to Board & Management that objectives will be achieved within an acceptable degree of residual risk.
• Risk Management – Risk management develops risk treatment plans, risk controls and strategies associated with achieving objectives.
• Quality & Compliance – Compliance & quality ensures that laws, regulations, codes, and organisational standards and requirements are met.
• Monitoring, Review & Reporting – Monitor, review & report against performance measures for each objective.
• Performance Management – Performance of individuals is managed, motivated & aligned to organisational & personal objectives.
14. Seven key questions
A good risk management framework seeks to answer these basic questions:
• what are we trying to achieve?
• what events or circumstances could affect the achievement of our objectives?
• what are the consequences?
• how likely are these events?
• what can we do to manage these outcomes?
• how will we maximise opportunities?
• can the organisation recover if a risk eventuates?
Module 2 – Framework for managing risk
15. The trilogy of risk frameworks
• AS/NZS ISO 31000:2009 – Risk management – Principles and guidelines (20 November 2009) **Replaced AS/NZS 4360
  • Standard developed as a Guideline Document
  • Unlike other ISO standards, it is NOT for certification
• ISO Guide 73:2009 - Risk management — Vocabulary (15 November 2009)
  • Defines important risk management terminology
• IEC/ISO 31010:2009 Risk Management - Risk Assessment Techniques (1 December 2009)
  • A supporting standard for ISO 31000:2009 (15 November 2009)
  • Provides guidance (Annex A – Informative) on selection and application of systematic techniques for risk assessment
  • Is NOT for certification, regulatory or contractual use
16. Related standards, handbooks and frameworks
• HB 158:2010 – Delivering assurance based on ISO 31000:2009
  • Helps assurance providers to plan and implement their activities using the information arising from the (ISO 31000:2009) risk management process.
• HB 327:2010 - Communicating and consulting about risk (23 February 2010)
  • Provides guidance to individuals and organisations to understand communication and consultation when managing risk.
• AS/NZS 5050:2010 Business continuity - Managing disruption-related risk (28 June 2010)
  • The Standard describes the application of the principles, framework and process for risk management, as set out in AS/NZS ISO 31000:2009, to disruption-related risk.
• Victorian Government Risk Management Framework (March 2011)
17. The one we use:
Risk Management Framework - ISO 31000:2009
(Diagram: the ISO 31000 risk management process: Establish the Context, Identify Risks, Analyse Risks, Evaluate Risks, Treat Risks, with Communicate & Consult and Monitor & Review alongside.)
18. Overview of AS/NZS/ISO31000 & AS/NZ 4360
Principles for managing risk (Clause 3)
1) Creates value
2) Integral part of organisational processes
3) Part of decision making
4) Explicitly addresses uncertainty
5) Systematic, structured & timely
6) Based on the best available information
7) Tailored
8) Takes human & cultural factors into account
9) Transparent & inclusive
10) Dynamic, iterative & responsive to change
11) Facilitates continual improvement & enhancement of the organisation
Framework for managing risk (Clause 4)
• Mandate & commitment
• Design of framework for managing risk
• Implementing risk management
• Monitoring & review of the framework
• Continual improvement of the framework
Process for managing risk (Clause 5)
• Establishing the Context
• Risk Assessment: Risk Identification, Risk Analysis, Risk Evaluation
• Risk Treatment
• Communication & Consultation
• Monitoring & Review
Attributes of enhanced risk management (Annex A - Informative)
AS4360 coverage labels shown on the slide:
• AS4360 – Implicit, to some extent
• AS4360 – Covered partially in Section 4 “Establishing effective risk management”
• AS4360 – Fully covered in Section 3 “Risk Management Process”
• AS4360 – Not covered
19. Framework for managing risk
4.2 Mandate and commitment
4.3 Design of framework for managing risk
  4.3.1 Understanding the organisation and its environment
  4.3.2 Establishing risk management policy
  4.3.3 Accountability
  4.3.4 Integration into organisational processes
  4.3.5 Resources
  4.3.6 Establishing external communication & reporting mechanisms
  4.3.7 Establishing internal communication & reporting mechanisms
4.4 Implementing risk management
  4.4.1 Implementing the framework for managing risk
  4.4.2 Implementing the risk management process
4.5 Monitoring and review of the framework
4.6 Continual improvement of the framework
(Source: AS/NZS/ISO31000:2009 Risk Management – Principles and Guidelines)
20. Fit-for-purpose?
Risk management should be embedded in all the organisation's practices and processes in a way that it is relevant, effective and efficient. The risk management process should become part of, and not separate from, those organisational processes. In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes.
(Source: AS/NZS/ISO31000:2009 Risk Management – Principles and Guidelines)
Module 3 – Embedding risk management
21. Integrating risk management
(Diagram with four columns. Governance Structure: Board, CEO, Corporate Services, Client Services, Operations. Strategic & Operational Planning Process: Strategic Objectives & Indicators, Operational Objectives & Indicators. Risk Management Process: Strategic Risk (Risk Register), Operational Risk (Risk Register). Reporting Process: CEO/Board Report, Operational Reports. Flow labels: Aligned & Cascaded Down, Cascaded Down, Escalated Up, Evaluated & Reported, Consolidated & Escalated Up.)
22. How to embed risk management - some examples
• Map “as-is” committee/meeting structure. Rationalise committees/meetings, where possible.
  (Template columns: No, Level, Committee Name, Frequency, Members, Responsibility (Terms of Reference), Reports To)
• Review risk management roles of each committee/meeting. Risk management as standing agenda item in all meetings.
• Map “as-is” organisational/reporting structure. Rationalise reports, where possible.
23. Embedding risk management - some more examples
• Include responsibility for risk management in all job descriptions
• Risk management as standard reporting item in all reports
Also remember:
- introduce a language of risk
- risk environment changes over time
- organisational change means roles and responsibility for managing risk will change
- clarify strategic and operational objectives and measures
- articulate and document those objectives and measures
24. Content of a typical risk management plan
• A statement of the risk management policy
• Details of the scope and objectives of risk management in the agency
• Consistent risk management language and definitions
• Integration with other management practices and procedures
• Risk Assessment criteria (consequence and likelihood ratings)
• Description of the internal and external context in which the agency
operates
• List of analysed risks (detailed in the Risk Register)
• Summary of the risk treatment plan
• Outline of the risk reporting protocol
• Outline of the monitoring and review program
Module 4 – Risk management policy and plan
25. Content of a typical risk management policy
• Objectives, scope and coverage of the policy
• Statement of commitment from the Board
• Accountabilities and responsibilities for managing risk
• Alignment with other management policies and procedures
• Escalation and reporting protocols
• Statement of risk appetite and tolerance
• Processes, tools and templates for managing risk
• Reporting and communication protocols
• Statement about assessment, measurement and reporting methodology
• Outline of DRP and BCP and regularity of testing regime
26. The Process of Risk Management?
“Culture, process and structures that are directed towards realising potential opportunities whilst managing adverse effects” - AS/NZS 4360:2004
“...Co-ordinated activities to direct and control an organisation with regard to risk” – ISO 31000
(Source: ISO31000 Risk Management – Principles and Guidelines on Implementation, 2009)
Module 5 – Process for managing risk
27. The risk management process described in more detail
5.2 COMMUNICATION & CONSULTATION
5.3 ESTABLISHING THE CONTEXT
  5.3.2 External Context
  5.3.3 Internal Context
  5.3.4 Risk Management Process Context
  5.3.5 Developing Risk Criteria
5.4 RISK ASSESSMENT
  5.4.2 RISK IDENTIFICATION
    What can happen, when, where, how & why
  5.4.3 RISK ANALYSIS
    Determine existing controls
    Determine Consequences
    Determine Likelihood
    Determine Level of Risk
  5.4.4 RISK EVALUATION
    (1) Compare against criteria.
    (2) Identify & assess options.
    (3) Decide on response.
    (4) Establish priorities.
5.5 RISK TREATMENT
  5.5.2 Selection of risk treatment options
  5.5.3 Preparing and implementing risk treatment plans
5.6 MONITORING & REVIEW
28. Communication and Consultation
It is critical to:
•Establish channels of communication with internal and external stakeholders
•Risk management tasks and activities must be allocated with responsibilities,
accountabilities and authorities clearly understood and defined
•Draft a communications plan and a distribution timetable
•Identify what specialist advice might be needed (engineers, actuaries, OHS
specialists, VMIA support)
•Identify the stakeholders –
• Internal (Board, Minister, executive and operational management)
• External (Regulators, customers, the public, key suppliers)
29. Establishing the context
Module 6 – Establishing the context
Know and understand:
- the purpose, goals and objectives of the agency;
- where the risk management process is being applied within the agency;
- the cost/benefit of the risk management program and the resource
allocation required;
- the need to maintain documented records of the program;
- the external and internal environment in which the agency operates;
- the sources of risk facing the agency;
- the benchmarks around which risk will be evaluated within the agency;
Risk Appetite and Tolerance
Risk appetite - The amount and type of risk that an organisation is willing
to accept in pursuit of its long term strategic and operational objectives
Risk tolerance - The boundaries of risk taking outside of which the
organisation is not prepared to venture in the pursuit of its long term
objectives.
30. Sources of risk
Common Risk Categories:
• Financial
• Operational
• Clinical
• Health, Occupational, Safety
• Human Resource
• Governance
• Infrastructure/Asset
• Strategic
31. Consequence and Likelihood
• A process for evaluating the risk facing the agency using agreed criteria;
• Likelihood means the probability of the identified risk occurring
• Severity means the impact on or cost to the agency if the identified risk
occurred
• The likelihood and severity ratings are multiplied together and plotted on
a heat map which gives a view of the overall risk profile for the agency.
An informed decision can then be taken as to the response strategies,
treatment plan and resource allocation that might be appropriate.
• Responsibilities can then be allocated to a risk owner with the treatment
tasks allocated to a control owner.
• Examples of the tools used to plot severity and likelihood are in the
following slides
32. Tools for assessing risk - Risk rating scales (likelihood)
Score  Likelihood    Detailed description
5      Frequent      The event is very likely to occur within 3 months
4      Likely        The event will probably occur within 1 year
3      Occasionally  The event could occur between 1-3 years
2      Unlikely      The event could occur between 3-10 years
1      Rare          The event may possibly occur, but unlikely at a frequency less than 10 yearly
**A time horizon is selected that best suits the unique profile of the agency
33. Risk rating scales: consequence
The categories below are possible categories only: Financial; Service Delivery; Reputation; People & Knowledge; Health and Safety; Legal and Regulatory
Score  Description
5      Catastrophic / Extreme
4      Major
3      Moderate
2      Minor
1      Insignificant
35. Risk appetite and risk rating
(Figure: risk matrices with axes Increasing Likelihood and Increasing Impact. Labels shown: Large Appetite for Risk, Standard, Plan for All Extreme Risks, Risk Averse. Escalation levels shown: Board, CEO, Manager, Staff.)
36. Risk response and escalation
Risk      Type of Action                                Risk/Audit Committee oversight
Extreme   Immediate action required                     Direct
High      Senior management attention needed            Monitors
Moderate  Management responsibility must be specified   Ensures sign offs and is advised of changes up or down
Low       Manage by routine procedures                  Ensures sign offs
Escalation labels on the slide: CEO/Board, GMs
37. Control effectiveness scales
1  Effective: Indicates minimal uncontrolled risk, due to excellent risk management/controls in place, tested and monitored
2  Good: Indicates good risk management and control system, but an opportunity for refinement exists to reduce risk further.
3  Fair/Partially Effective: Indicates a need for improvement in controls, increased adherence to controls or that controls are being developed, but are not fully in place and tested.
4  Poor: Indicates effective risk controls have not yet been developed and a significant lack of risk control exists – additional risk management or treatment is a matter of priority
38. The Risk Register
• The risk register is a key document which records the output of the risk
management process
• At a minimum it would contain the following:
o Risk Description
o Assessment of Inherent Risk
o Assessment of Controls
o Assessment of Residual Risk
o Treatment of Risk
**Remember the distinction between inherent (untreated) and residual (treated) risk
Module 7 – Risk assessment and treatment
39. Risk Register - Example
EMPLOYEES
Loss of key personnel - Residual Risk Rating = Moderate (Consequence = Minor; Likelihood = Possible)
Inherent Risk Description
• Loss of key employees leading to the loss of primary relationship contacts, loss of investment in training and development and loss of intellectual property. This may lead to stretched resources and disrupt the Department’s capability to continue critical business operations.
Potential causes include:
• Poaching of employees
• Changes to the organisation influencing the culture and leading to instability/insecurity
• Lack of availability of skilled and competent workers
• Career/lifestyle change
• Retirement, death/mental inability
Primary Controls / Processes / Control Strategies
• Competitive remuneration, strategies and structure
• Defined targets and KPIs
• Divisional and Departmental operating targets for all key employees
• Work life balance
• Training and internal growth opportunity
• Non-remuneration employee benefit strategies (EAP)
• Identification and grooming of employees into the succession role
• Training to ensure success in the new role
• Documented policies and procedures/information to retain knowledge
Assurance Provider / Monitoring Procedures
• Human Resources
  • Quarterly Reports submitted to Departmental Management regarding Performance Management System and Succession Planning
• Divisional Management
  • Control Self Assessment performed 2 monthly which includes questions on PMS and succession planning
• Internal Audit
  • An internal audit on Performance Management System to be performed during the 2011/12 year
• External Audit
  • Payroll testing to be included in Annual Audit.
Are Risks being managed effectively? (What more could be done?)
Overall Effectively managed.
Areas for Improvement:
• Formalised Training calendar to be introduced
• Input controls to be strengthened over Payroll
• Salary benchmark to be performed
• Internal Advertising of posts available to be sent out on monthly e-mails
• All issues to be tracked on tracking database.
40. Risk Treatment
There are five risk treatment options available as
defined below:
o Avoid the Risk
o Transfer the Risk
o Share the Risk
o Treat the Risk
o Accept the Risk
41. Reporting – the right things at the right level
(Figure: reporting pyramid showing volume of risk information by level. Levels: Board; Executive Management; Business Units. Information: Strategic / Critical risk issues; Significant / key operational and strategic risk information; Operational and strategic risk information at Business level. Committees: Risk/Audit Committee; Exec Risk Mgt Committee; Op Risk Mgt Committee.)
Module 8 – Monitoring and review
42. Risk register, profiles and reports
• Risk Profile – Description of an organisation’s risk (ISO31000)
• Risk Register – Document used for recording risk management process for identified risks (ISO31000). It lists all identified risks, including description, likelihood of occurring, consequences on organisational objectives, proposed responses/risk treatments and risk owners.
• Risk Reports – Risk reporting: Development of reports including strategic, operational, financial and compliance-related risk information, as a basis for directing and controlling the organisation as well as for external accounting (ISO31000)
• Risk Treatment Plans – Risk treatment: Development and implementation of measures to modify risk (ISO31000). Risk treatment plans include (1) testing of existing controls or monitoring control effectiveness over time; or (2) tracking of the implementation of new controls and/or training programs.
• Risk-Based Internal Audit Plan – Risk Audit: Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine extent to which the risk management policies and procedures are fulfilled (ISO31000). Internal audit plan identifies activities to be audited, which specifies the areas, allotted dates and personnel required to perform internal audits.
• Risk Matrix – Tool for ranking and displaying risks by defining risk categories and defining ranges for consequences and levels of likelihood for each category (ISO31000)
• Heat Map – Overview of the organisation’s main risks plotted in its risk matrix (ISO31000)
43. Three levels of defence
Overseen by: Board, Executive & Audit Committee
• First Line – Business operations: An established risk and control environment
• Second Line – Oversight functions (Finance, HR, IT, Legal and Risk Management): Strategic management, policy and procedure setting, functional oversight
• Third Line – Independent assurance (Internal Audit, External Audit and other independent assurance providers): Provide independent challenge and assurance
44. In summary
1. AS/NZS ISO 31000:2009 is a principles-based
standard that seeks to customise the risk
management process fit-for-purpose to the
context.
2. Risk management must be integrated/ embedded
into existing organisational processes/practices.
3. Managing risk is about creating value out of
uncertainty and achieving its objectives.
Editor's notes
How does the above match with what the participants hope to get out of this course? 9.30am TIME
Risk management is HOW a business or Government achieves its objectives. The focus should be on how it will add VALUE to what is being undertaken and how best to achieve that. Too often the focus shifts from what is trying to be achieved and whether there is any value in undertaking the activity to focusing on all the things that could go wrong and finding ways to prevent it. This stifles innovation and creativity.
It needs to be a “living document” with consistent and frequent reporting to relevant stakeholders