How to implement enterprise-wide risk management
There are many risk management models in the marketplace, but the AS/NZS 4360:1999 standard, as previously mentioned, will be a good starting point and will prove to be a very powerful tool. However, it should be noted that whilst this model forms the basis of CPA's framework in Risk Management, other models with different categories and titles are available, or can be developed for individual preference.
The Australian standard takes a generic approach to implementation in which there are essentially seven steps that need to be taken to manage the risks of an organisation at any level. This includes managing risk from a strategic or organisational, divisional, unit or project level viewpoint. These seven steps are:
The ability to identify and develop a uniform and shared understanding of the risks to the organisation is achieved through the systematic rating of each risk. This includes analysing the likelihood of a particular risk occurring and its likely impact should it eventuate, based on criteria agreed to by everyone in the organisation. This means that at the end of the risk management process, as recommended by the AS/NZS 4360:1999 standard, all the risks to an organisation have been profiled and analysed. An overall risk rating is given. Risk ratings may range from very low risk to very high risk and may be described in a number of ways.
There may be times when specialist or expert skills are required but this is often at the last step of the risk management process: treating the risks. This is because specialist management tools may be needed to ensure that risks are optimally managed. The skills of highly technical qualitative or quantitative managers or consultants may be utilised to ensure risks are minimised using techniques that have been tested in the marketplace.
Managing the process: The risk management process will be made easier if everyone understands how each stage of the process will be managed across the organisation. The risk management process as outlined in the Australian/New Zealand Standard - AS/NZS 4360:1999 has been recognised as leading-edge thinking in the new area of risk management. By adopting this approach, an organisation can be assured that it is managing risk in a coordinated manner.
The risk management process - AS/NZS 4360:1999
Develop and implement an infrastructure to ensure that management of risk becomes an integral part of the planning and management processes and general culture of the organisation.
The following flowchart is an example of the human resources and planning infrastructure that one organisation in particular developed to incorporate risk management into its broader planning and reporting framework.
Planning is a vital component to achieving a successful risk management program. It is imperative that communication and consultation occur throughout the various stages of the above process. This should take place within the organisation and externally with all relevant stakeholders. Decisions and actions taken should accord with the needs of the organisation. The keys to successfully implementing a risk management program in your organisation can be summarised as follows:
1. Develop an awareness of the principles of risk management. The active ongoing support of senior management is of vital importance. In addition, identifying a member of staff in a senior position to 'champion' the introduction of the risk management initiative will be critical to ensure commitment at all levels, and this in turn ensures success. The key roles and responsibilities can be summarised as:
(i) The chief executive officer or head of the organisation
Assumes general oversight of risk management throughout the organisation
(ii) Risk management coordinator (individually or in committee)
Ensure that the risk management program is monitored and updated regularly
Accept responsibility for risk identification and accountability for those that have not been adequately identified or assessed. In a large organisation, the coordinator may choose to delegate this to the heads of business units where appropriate.
Conduct or arrange appropriate training where necessary
Monitor compliance
(iii) Designated staff members
Assist the coordinator to identify and control risks in his/her area of responsibility
Continuously review risks and controls of their operations to ensure effective management.
2. Develop a clear statement of risk management policy. Link this policy to your business plan. Define in the policy statement the parties who would be responsible and accountable for managing the different categories of risks. Clearly outline the process and methodology of reporting risk management activities.
3. Develop a risk management implementation program. The program should be developed using the process outlined in Australian standards for risk management - AS/NZS 4360:1999.
4. Provide training and education to staff and other stakeholders on the key exposures and methods of control applying the principles of sound risk management. Training and education programs should be developed after review of the organisation's risk profile. The framework for training should be developed in consultation with key staff and stakeholders and be designed to reduce and eliminate risks.
5. Develop a process of continuous monitoring and review to ensure that changes in the organisation's environment and operating practices are adequately captured and reflected in the risk management plan. Risks are not static and will change as your resources, staff, programs and facilities change.
6. Communication and consultation should occur throughout the risk management process to ensure that all staff and stakeholders are appropriately briefed at all stages of the process.
The primary steps and accountabilities in the process are:
| No. | Process | Accountabilities |
| 1 | Facilitate the conduct of a risk assessment assessing all major categories of risk and rating each risk identified | Risk management coordinator/committee |
| 2 | Sign-off on the risk register and risk management action plan | Risk management coordinator and organisation head |
| 3 | Prepare structure of risk management implementation plan ranking key risk control strategies identified in accordance with the priority established during the risk assessment stage | Risk management coordinator/committee |
| 4 | Approve finalised risk management plan | Organisation head |
| 5 | Monitor performance on actions identified (i.e. training programs, new processes or procedures) through formal reporting to the organisation head (e.g. monthly, quarterly) | Risk management coordinator and relevant designated staff |
Before one begins to consider risk management, it is necessary to identify the strategic and organisational context under which an organisation operates.
Elements of these include the following dimensions of the organisation's functions:
The organisation's goals, objectives, values, policies and strategies and how one contributes to these are also important considerations. These considerations help define the criteria by which decisions are made on the acceptability or otherwise of risks, form and basis of controls and management options available.
Some further areas that should be closely looked at in context to planning include the following:
In setting the risk management context:
To achieve an effective risk management program, it is essential to develop a clear policy statement which should:
This policy then sets the framework for the development of the risk management strategy. Then, once the context and policy framework is clearly established, it makes the process of developing a risk management strategy a lot easier. The policy will apply to all areas and entities within the organisation and the implementation of this policy is primarily the responsibility of all managers and staff.
Why develop a risk management strategy? Risk management is an integral part of good management. The application of sound risk management allows for continual improvement in decision making and processes. It encourages:
The maximum benefit to an organisation is achieved if the risk management exercise is carried out at the start of the life of an activity, function, project, product or asset.
The person charged with a coordinating role cannot, in most cases, be in a position to also manage individual areas of risk. Responsibility for managing risks rests with the party that has responsibility for that area of activity, function, project, product or asset.
An effective risk management strategy involves the systematic application of management policies, procedures and practices and these should include a clear understanding of roles and responsibilities.
As mentioned, everyone is responsible for the effective management of risks. The risk management process should be integrated with other planning and management activities.
All managers and staff are responsible for:
The managers and staff are responsible for assisting in identifying potential risk exposures and for developing and implementing risk mitigation plans for all unacceptable exposures which may include:
Other stakeholders may be invited to assist in identifying potential risks and to suggest any proposed mitigation.
The corporate level has overall responsibility for risk management. The corporate level will approve the risk management program and its implementation.
It is also responsible for reporting all other risk exposures, i.e. corporate, financial, commercial, IT and program delivery risks. The CEO has full risk management responsibility for reporting of risk management to stakeholders and any entity external to the organisation.
All risk management plans should be formally reported as follows:
As well as identifying the strategic context, organisations tend to be more successful in their attempts to introduce a risk management philosophy when they have given adequate thought to how ready their organisation is to undertake a risk management exercise.
Listed are four readiness-check tools which are not intended to be complete diagnostics but rather a guide to some of the more important issues that must be considered and resolved when introducing risk management approaches to the organisation. These tools will be useful when assessing the readiness of the operating environment.
The four readiness areas of process & planning, structure, organisational culture and people do not operate in isolation from each other, but are mutually interdependent. An organisation must have a minimum platform in each of these areas if it is to effectively implement the risk management process.
Organisations have an obligation to identify risks and ensure that all the appropriate people in the organisation are made aware of them. Once identified, preventive measures can be taken and put in place to control the risks. What are the risks in your organisation? In determining this consider:
How do you identify risk? There are many methods of risk identification. Whatever the method, ensure that it enables a comprehensive identification of risks, as unidentified risks cannot be planned for and treated. 'Brainstorm' potential risk exposures. In considering approaches to identifying risks, consider using:
It is critical in the identification of risk, that two key elements of actual or potential exposure are identified, namely:
The most commonly used method of identification is an effective inspection program. An effective inspection program should detect most emerging risk issues.
An inspection program should be flexible. There are no hard and fast rules about this. It should be a combination of routine and non-routine inspection and includes:
Routine inspections should be carried out on a regular basis. The regularity depends on the nature of the risks and the circumstances affecting it. It could be monthly or quarterly. It should be more regular if circumstances warrant it. For example, if there is a high risk of injury through slips and falls, it is necessary to carry out more regular and diligent inspections to identify the causes of these slips and falls.
All risks that are reported, even if you consider the source to be dubious, should be treated seriously and inspected. Only then can you be confident about discounting them as possible risks.
Make a list of all possible areas of risk, including physical and non-physical risks. There may be records of previous incidents and accidents logged in a database somewhere. Injury and incident reports are also valuable sources of information.
The following example relates to the inspection of physical risks:
Everyone involved in the inspection process can then use this checklist to identify areas of risks that they are responsible for.
There are many sources of risk. The major challenge when analysing the risks to an organisation is finding a meaningful way to categorise them.
However, there is no definitive way to do this. Different people find some methods for categorising the sources of risk more useful or accessible than others. This may be related to experience, the industry that they operate in or it may be an organisational culture issue.
Standards Australia has developed a simple and effective tool (database) to support the AS/NZS 4360:1999 risk management process. Based on the framework of this Standard, the database helps you identify, prioritise and capture treatment options for your organisation's risks. The database is an automated tool that culminates in the production of reports to support your risk planning process.
You can download the Standards Australia database free of charge at www.riskmanagement.com.au
Here are some selected examples of the sources of risk, or risk categories, to provide direction on how terminology can be different without losing the conceptual understanding of how broad enterprise-wide risk management can be.
The Australian Standard AS/NZS 4360:1999 Risk Management, identifies eight generic sources of risk:
In addition, Australian Standards has provided a list of 13 categories, some of which may be sub-sets of the generic eight mentioned above, to give a more detailed example of risks that may apply to enterprise-wide risk in an organisation. These are:
| No. | Category | Example |
| 1 | Diseases | Affecting humans, animals and plants |
| 2 | Economic | Currency fluctuations, interest rates, share market |
| 3 | Environmental | Noise, contamination, pollution |
| 4 | Financial | Contractual risks, misappropriation of funds, fraud, fines |
| 5 | Human | Riots, strikes, sabotage, error |
| 6 | Natural hazards | Climatic conditions, earthquakes, bushfires, vermin, volcanic activity |
| 7 | Occupational health and safety | Inadequate safety measures, poor safety management |
| 8 | Product liability | Design error, substandard quality control, inadequate testing |
| 9 | Professional liability | Wrong advice, negligence, design error |
| 10 | Property damage | Fire, water damage, earthquakes, contamination, human error |
| 11 | Public liability | Public access, egress and safety |
| 12 | Security | Cash arrangements, vandalism, theft, misappropriation of information, illegal entry |
| 13 | Technological | Innovation, obsolescence, explosions and dependability |
The Department of Natural Resources & Environment, Victoria, uses the following 10 categories:
Arthur Andersen uses the three broad categories of environment, process and information for decision making risk with the following sub-categories:
| Environment risk | Process risk | Information for decision making risk |
There are many other models in the marketplace. A simple approach is to divide the sources of risk into one of the following terms and then identify sub-categories that pertain to the organisation:
Each organisation may adopt different categories to suit their needs. However, a good check would be to compare your organisation's list against the Australian Standard to ensure the range of potential risks is addressed.
The table below is an illustration of how you can match or align an organisation's individual or specific risk type against the categories presented in the Australian Standard. To illustrate, CPA Australia has taken the Department of Natural Resources and Environment (DNRE) specific risk types and has adapted them to the Australian Standard.
| DNRE risk type | Australian Standard risk categories and sub-sets |
| Asset management | Management or maintenance of physical assets, building or equipment including: |
| Change management | Processes or consequences of organisational change including change in response to: |
| Compliance | Non-compliance with legislation and regulation or internal policies or procedures, including: |
| Environment | Management and integrity of the built or natural environment. |
| Financial | Financial management or transactions including: |
| General management | Operation of normal management policies or procedures including: |
| Liability | Provision of services, products or information that could result in legal action against the organisation or its officers including: |
| Personnel | Safety, occupational health or well-being of staff |
| Service and product delivery | Failure in the provision of services or products including: |
| Technology | Security, function or management of technological systems and processes including: |
Categorising the sources of risk is one of the first steps to successfully completing a risk management exercise. The important thing is that whatever method is used, it should match the risk situation of your organisation and be agreed to by the organisation as meaningful and manageable.
The data collected from the identification phase has to be analysed so that decisions can be made about evaluating, prioritising and treating the risks. It helps separate the minor and major risks as well as those risks that fall in between.
Organisations would have some systems already in place to manage and control risks. These systems will have to be identified and should form the basis of risk analysis.
Risk analysis is a study of likelihood and consequences.
The level of risk created by the incident is determined by analysing the combined impact of likelihood and consequences.
To properly analyse levels of risks the best available information about these risks will be required. It can be obtained from:
The techniques used to gather this information can include:
In theory the three types of risk analysis are qualitative, semi-quantitative and quantitative. The use of any one of these, or a combination of all three types, will depend on the data available and also the degree of precision and sophistication one is looking for. In practice, qualitative analysis is generally used to obtain an indication of risk levels. It is only when more specific and precise indicators are required that quantitative analysis is applied.
Word forms and descriptive scales are used to analyse the likelihood of an event occurring and its consequences. These can be used to analyse different risks in different circumstances by simply varying, adapting and adjusting them to suit.
Qualitative analysis would be used in a majority of cases. This type of analysis is used:
| Rating | Expression | Attributes |
| A | Extremely likely | The incident will most probably occur under most circumstances |
| B | Likely | The incident will probably occur under most circumstances |
| C | Possible | The incident may occur under certain circumstances |
| D | Unlikely | The incident is unlikely to occur |
| E | Rare | The incident will only occur under the most exceptional circumstances |
Similarly, consequence arising from an incident occurring may be qualitatively measured. An example of a consequence measure is provided below:
| Rating | Expression | Attributes |
|  | Disastrous | Fatality, very serious injury (amputation, loss of an eye and the like) with huge potential for financial loss (say above $100 000) |
|  | Significant | Major injuries with significant potential for financial loss (say up to $100 000) |
|  | Moderate | Medical treatment required, average cost (say up to $25 000) |
|  | Minor | Minor injury (first aid required), minor cost (up to $5000) |
|  | Negligible | Very minor injury, very small or no cost. |
When likelihood and consequence are combined, an example of the analysis matrix is as follows:
Legend
L = low risk, manage by routine procedures
M = moderate risk, management responsibility must be specified
S = significant risk, senior management attention needed
H = high risk, immediate action needed
Risk analyses are generally directed at the negative consequence of risks. The consequence measure therefore reflects the losses or undesired outcome that might arise. However, risk management is increasingly being applied to identify and prioritise opportunities, as the risk associated with not exploiting an opportunity or embarking on a particular business strategy could be considerable. In many cases, the 'upside risks' are potentially more serious than the risk that bad events will occur (i.e. the 'downside risk').
When considering opportunities, the likelihood measure need not change, as it will describe the chance that a benefit will arise. The consequence measure must, however, be adjusted.
An example is as follows:
| Rating | Expression | Attributes |
|  | Insignificant | Small benefit, low financial gain |
|  | Minor | Minor improvements to image, some financial gain |
|  | Moderate | Some enhancement to reputation, high financial gain |
|  | Minor | Enhanced reputation, major financial gain |
|  | Outstanding | Significantly enhanced reputation, huge financial gain |
When risks and opportunities are being considered together, a two directional measure of consequence may be appropriate.
Legend (for opportunities)
L = low opportunity, manage by routine procedures
M = moderate opportunity, management responsibility must be specified
S = significant opportunity, senior management attention needed
H = high opportunity, detailed planning required at senior levels to prepare for and capture opportunity.
This is qualitative analysis with a weighting index. The number allocated for each qualitative scale does not bear any real relationship to the actual magnitude of likelihood or consequence. It only provides an order of magnitude for analytical purposes. It allows risks to be prioritised in a more detailed manner than what is achieved by pure qualitative analysis. It does not provide real values, as would be the case in a quantitative analysis.
The weighting index should be developed with care to properly reflect the relativity of risks so that the levels of risks developed through such analysis produce consistent outcomes.
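The following added example (not part of the original page or of AS/NZS 4360:1999) scores a small risk register under two weighting indices and lists the pairs of risks whose priority order flips between them, which is the consistency problem a carelessly chosen index creates. Only the A to E likelihood ratings and the consequence expressions come from the page; the numeric weights, both index definitions and the register entries are assumptions constructed for illustration.

```python
"""Semi-quantitative risk prioritisation with a weighting index (added example)."""
from dataclasses import dataclass
from itertools import combinations

# Scales from the page's qualitative tables, ordered from most to least severe.
LIKELIHOODS = ["A", "B", "C", "D", "E"]  # A = extremely likely ... E = rare
CONSEQUENCES = ["Disastrous", "Significant", "Moderate", "Minor", "Negligible"]


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str   # one of LIKELIHOODS
    consequence: str  # one of CONSEQUENCES


@dataclass(frozen=True)
class WeightingIndex:
    name: str
    likelihood: dict   # rating -> weight
    consequence: dict  # expression -> weight

    def __post_init__(self):
        # Every rating needs a weight, and weights must preserve the scale's
        # order; otherwise the index contradicts the qualitative ranking.
        for scale, weights in ((LIKELIHOODS, self.likelihood),
                               (CONSEQUENCES, self.consequence)):
            missing = [r for r in scale if r not in weights]
            if missing:
                raise ValueError(f"{self.name}: no weight for {missing}")
            ordered = [weights[r] for r in scale]
            if any(hi <= lo for hi, lo in zip(ordered, ordered[1:])):
                raise ValueError(f"{self.name}: weights must fall along the scale")

    def score(self, risk):
        # The product is an ordering device only, not a real magnitude.
        return self.likelihood[risk.likelihood] * self.consequence[risk.consequence]


def prioritise(register, index):
    """Return (name, score) pairs, highest score first, ties broken by name."""
    scored = [(r.name, index.score(r)) for r in register]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def rank_reversals(register, index_a, index_b):
    """Pairs (higher under index_a, higher under index_b) whose order flips."""
    flips = []
    for x, y in combinations(register, 2):
        diff_a = index_a.score(x) - index_a.score(y)
        diff_b = index_b.score(x) - index_b.score(y)
        if diff_a * diff_b < 0:  # strictly opposite order; ties are not flips
            first, second = (x, y) if diff_a > 0 else (y, x)
            flips.append((first.name, second.name))
    return flips


# Assumed weights: a plain 5..1 index for both dimensions.
LINEAR = WeightingIndex(
    "linear",
    likelihood={"A": 5, "B": 4, "C": 3, "D": 2, "E": 1},
    consequence={"Disastrous": 5, "Significant": 4, "Moderate": 3,
                 "Minor": 2, "Negligible": 1},
)
# Assumed weights: consequence steps widened so severe outcomes dominate.
SEVERITY_WEIGHTED = WeightingIndex(
    "severity-weighted",
    likelihood={"A": 5, "B": 4, "C": 3, "D": 2, "E": 1},
    consequence={"Disastrous": 50, "Significant": 20, "Moderate": 5,
                 "Minor": 2, "Negligible": 1},
)

# Constructed sample register; the ratings are illustrative, not assessed values.
REGISTER = [
    Risk("Slips and falls at entrance", "B", "Minor"),
    Risk("Fire in records store", "E", "Disastrous"),
    Risk("Fraud in cash handling", "D", "Significant"),
    Risk("Obsolete IT system failure", "C", "Moderate"),
    Risk("Vandalism of signage", "A", "Negligible"),
]

if __name__ == "__main__":
    for index in (LINEAR, SEVERITY_WEIGHTED):
        print(index.name)
        for name, score in prioritise(REGISTER, index):
            print(f"  {score:>3}  {name}")
    print("order flips between the two indices:")
    for higher_a, higher_b in rank_reversals(REGISTER, LINEAR, SEVERITY_WEIGHTED):
        print(f"  {higher_a}  <->  {higher_b}")
```

A non-empty reversal list means the two candidate indices disagree about priorities, so the choice of weights should be agreed and recorded before the scores are used to rank risks.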
Data from a variety of sources is used to undertake quantitative analysis. The quality of this type of analysis is dependent on the accuracy of the numerical values used.
Likelihood is usually expressed in terms of probability, exposure or a combination of exposure and probability. For example, the result of an inspection of doors shows that 20 of the 50 doors in a facility are equipped with faulty door closers that have the potential to cause injury, especially to minors. There is therefore a 40% exposure to injury. The probability that a minor may be injured will depend on the likelihood of the person coming into contact with a faulty door and jamming fingers or hands in the door. This information can be obtained from past trends, whether at the facility itself or from statistics available from other sources.
Consequence is the resulting outcome being a loss, injury, disadvantage or gain. This can be measured or expressed.
A more accurate profile can be established if data over a few years are available. Organisations should try and develop such a database of information whenever possible.
Having analysed the risks, evaluating and prioritising these risks would be fairly straightforward. The results of the analysis are evaluated. This evaluation will generate a list of risks into categories of low, medium and high risks. This list will create an order of priority so that an occupier can make decisions about how best to treat these risks.
Risk profile is a commonly used term in risk management although it is not a term that is defined in the Australian standard. A risk profile, or risk prioritisation/evaluation, is a representation or outline of how risk varies across an organisation at different levels. Risk profiling is the process involved in identifying, assessing and prioritising all of the categories of risks that face an organisation. An organisation's risk profile can be visually depicted in the form of a chart or a graph.
Management and staff would be in the best position to determine and evaluate the risk profile of an organisation, operation, program, project or individual. Before implementing a risk management strategy, it is a useful exercise to spend a moment determining what you believe your risk profile to be.
The profile that you have established at this stage of the process will be under constant review throughout the risk management process. At the completion of the first risk management cycle, you should be able to compare your findings with the initial risk profile that you created.
Risk profiling can be conducted at different levels within the organisation. Typically, in a larger organisation risk profiling would be conducted at strategic, operational (divisional, unit) and project levels. The categories of risks would be applicable similarly to each of these levels. At the strategic level, the risks that are captured would be the high level risks that the organisation as a whole is exposed to. At this level you are concerned with establishing a top-level risk profile that will form part of the organisation's risk management framework. This then becomes the framework for the rest of the organisation.
The ALARP Principle (As low as reasonably practicable)
At the operational and project levels, the risk profile would be narrower in its focus on lower level risks that affect a particular division, unit or project.
When developing the risk profile, it is important to adopt a methodology that is capable of identifying both tangible and intangible risks. Risks that occur within and between organisational silos should also be identified. In addition, it is important to consider the impact of outside factors on the organisation, operation or project. These factors may include supply chain, outsourced functions, contractual arrangements and so on.
Low or acceptable risks are risks that require minimal or no treatment. There is no need to devote too much time to these risks but it is important to periodically review them to ensure that they remain low or acceptable risks. Medium or high risks will have to be treated. Unacceptable risks should be given the highest priority.
Monitor and review
Risk management is ongoing. Risks change in a changing environment. Good risk management places emphasis on monitoring and reviewing all current organisational plans, strategies, systems and controls.
Monitoring ensures that as risks change, new measures are introduced to control these risks. How often risks are monitored and reviewed will depend on the prevailing circumstances.
The Department of Natural Resources & Environment suggests that 'to support the risk management system at the business unit and organisational level, it is necessary to have a process of monitoring and review in place at the risk management and risk treatment plan levels.'
This ensures that the summarised information presented to senior personnel is accurate, complete and based on the latest available data.
Ongoing review is required to ensure that management and treatment plans remain relevant. Factors impacting upon risk assessments and control practices can also change and therefore the risk management cycle should be repeated at regular intervals to ensure continued effective risk management.
There are methods for monitoring and reviewing procedures and these should be determined as part of the management plan.
As part of the monitoring process, AS/NZS 4360:1999 suggests that 'ideally, the risk management monitoring and review process should be aligned to the objectives and values of the organisation.' This will ensure the relevance of the risk management program for delivering solutions that relate to critical organisational performance. For example:
The review process should also integrate with the key performance indicators of the organisation. The risk management plan should link to personal performance and key drivers and make sure they are measurable at all levels of the organisation. The monitoring and review process should ensure that effective risk management programs are those that deliver cost effective risk outcomes and reflect the strategic and operational goals and objectives of the organisation.
At each stage of the process, the risk manager should communicate and consult with all stakeholders, both internal and external. All decisions should be made through a consultative process and, once made, these decisions should be effectively communicated to all stakeholders.
The Department of Natural Resources and Environment has produced a comprehensive internal Communications Strategy booklet which is separate from the main risk management framework document. 'This Strategy sets aims and objectives for the communication of risk management, defines the target audiences and key messages relevant to those audiences.' The document is designed to also support risk management implementation across all business units and the outcomes are to include increased staff awareness of the importance of risk management, recognition and understanding of the risk management approach and a positive risk-aware culture at all levels.
The broad aim of the communication strategy is to inform and educate staff and other stakeholders about the risk management framework, its requirement in the workplace and how these can be applied to achieve a safe workplace environment.
xx% staff awareness of the risk management project
xx% staff awareness of the processes for implementation and participation
xx% understanding of the expectations and requirements
xx% ownership of risk management among key internal stakeholders (senior officers of the organisation)
These can be easily identified within the organisation and usually consist of:
Each target audience requires a key message with the emphasis on:
The following are delivery mechanisms for communicating the risk management message:
Why should the risk management process be formally documented and communicated? What is the benefit?
The primary reasons for documentation are:
As a compliance issue, ensure that individual work areas report the progress of individual risk management programs to management through the risk management and/or occupational health and safety committee.
A range of issues will have to be considered when making decisions on the treatment of risks. Consideration will have to be given to all risks and their priority level in comparison to each other. The ability to treat risks will depend to a large extent on the resources available. The most important of these is financial. It is for this very reason that a detailed evaluation of treatment options is important. Ultimately the goal is to treat as many risks as possible with the limited resources available.
Risk treatment involves:
For example, consider the risk of children playing cricket on a hard concrete surface that is likely to cause injury. To prevent injury, this activity can be avoided by instructing the children to play on an oval instead. If the children are not in your control, the instruction may be in the form of appropriate signage. While this may not reduce the risk of injury to the children, it reduces your legal liability risks.
Regardless of the risks, some activities will have to proceed. It is therefore a matter of carefully formulating a plan of action that will ensure a reduction or elimination of the risks associated with these activities.
In trying to avoid a particular risk altogether the following should be seriously considered:
Some risks are worth taking. It is important, however, to determine if the organisation is in a position either legally or financially to carry the risks. This helps establish the threshold of what the organisation would deem an unacceptable exposure.
The organisation must have a good risk management strategy to manage all possible risks and have in place a sound management plan, which includes a financial plan to cater for risks that it chooses to retain.
Actions that can be taken to reduce or control risks include:
Can the risk be transferred to another party and/or appropriately covered by an insurance facility? The choice of an option should be evaluated on a risk versus benefit basis. The cost of implementing an option should be balanced with the benefit that the option derives.
The figure below gives an indication of how the choice of options can be evaluated.
A plan of action should look at all risks rather than a single risk in isolation. It should detail:
The implementation of the treatment should be carried out by those best able to assess the risk and therefore best suited to minimise or eliminate the risk. If the job requires an expert, it is prudent to engage such an expert. Do not attempt to manage or control risk that you are not skilled to handle.
The Australian National Audit Office (ANAO), as part of its overall mission, is committed to promoting a best practice approach to organisation-wide risk management in government.
As part of its role to assist the Auditor-General to provide an independent review of the performance and financial management of public sector agencies and bodies, the ANAO produces an integrated range of best practice guides. These guides deal extensively with the topic of risk management in a number of public sector contexts. It has recently published information about applying best practice to the risk management discipline of business continuity management, entitled Business Continuity Management - Keeping the Wheels in Motion. A summary of this document can be found on the ANAO website, www.anao.gov.au
This vast body of publications has been instrumental in establishing the Australian National Audit Office as a world leader in the development and application of best practice risk management. The Better Practice Guides are indispensable reading for individuals involved in the application of best practice risk management in the public sector or otherwise and can also be found on the ANAO website.
Comcover is the Commonwealth Government's Insurable Risk Managed Fund. As well as taking a role in risk management of the Commonwealth agencies' insurable risks, it has taken a proactive stance to ensure better risk management in all areas of uninsurable risk across the 180 agencies that it manages.
Comcover has published a range of risk management guides and kits for the Commonwealth. This body of work is leading edge and reflects best practice.
Each State Government has an equivalent to Comcover. All of these Government Insurable Funds actively cooperate and meet bi-annually.
Comcover regularly publishes a public sector newsletter which can be accessed at https://www.comcover.gov.au/newsletter.html
Standards Australia has developed a number of world-first guides to help you implement the procedures and processes that you need to implement and maintain an effective risk management strategy in your organisation.
AS/NZS 4360:1999 Risk Management is the world's first and leading risk management standard. It provides a generic framework to establish a risk management process in an organisation. The standard outlines procedures that you can implement to help establish the context and then identify, assess, analyse, treat, monitor and communicate with regard to risk. CPA members can purchase the risk management standard in hard copy at the Australian Standards website.
Based on AS/NZS 4360:1999, Standards Australia has also developed a number of guides to help you apply risk management in your specific organisational setting including:
For further information on any of these publications visit the Standards Australia websites www.riskmanagement.com.au and www.standards.com.au
The Financial and Management Accounting Committee (FMAC) of the International Federation of Accountants (IFAC) has extensively researched the area of risk management from an international accounting perspective. This has led to the production of the article 'Enhancing Shareholder Wealth by Better Managing Business Risk' on behalf of FMAC.
The article shows that risk management should be approached from a conformance, performance and organisation-wide viewpoint. In other words, risk management should involve the management of all those 'bad' things that could occur and adversely affect the organisation but also the very real risk that opportunities are never translated into tangible value creating activities for the organisation.
The article gives the reader insight into best practice and current thought leadership in the area of risk management.
'At What Risk' makes reference to 'Enhancing Shareholder Wealth by Better Managing Business Risk'.
The full study can be purchased from the IFAC Bookstore through www.ifac.org