Risk Management Framework: Document Uncontrolled When Printed
DOCUMENT CONTROL
Managed by: Prudential Management and Internal Audit
Responsible position: Director Prudential Management and Internal Audit
Version: 1.1
Contact person: Mohua Mukherjee
Approved by: Corporate Executive Team
File number: 07/4385
2. PURPOSE
4. PROCEDURE DETAIL
7. ASSOCIATED DOCUMENTS
8. CONTACT DETAILS
REVISION RECORD
January 2011 1.1 Updated to reflect changes in Risk Management Policy and clarify Risk
Management Cycle and Risk Champions’ Role Statement
2. PURPOSE
The purpose of this document is to provide details of the structures and
processes supporting the DECS Risk Management Policy.
3. INTRODUCTION
The DECS Risk Management Policy is supported by the DECS Risk
Management Framework. Other policies and procedures related to risk
management, such as Duty of Care Procedures, OHS&W, Security and
Procurement support the management of risk within the department.
These documents are applicable to all parts of the organisation and to all
employees/contractors/business partners and volunteers working for DECS or
any affiliated entity, program or initiative.
[Figure: risk management process. Establish the Context; Risk Assessment (Identify Risks, Analyse Risks, Evaluate Risks); Treat Risks; Communicate & Consult]
Name of document
Time and Date
Page 3-18
The actual process for risk assessment described by the new standard is the
same as that previously identified in AS/NZS 4360 (now repealed).
Thus the significant point of difference between the old standard and the new
global standard ISO 31000 is that the latter looks beyond the actual process of
risk assessment and considers in depth what makes for an effective risk
management system in an organisation. This expanded view identified elements
that provide an effective foundation for risk management (including a focus on
culture, senior management mandate and support, and integration of risk
management into organisational processes). ISO 31000 also emphasises that
risk management frameworks and processes should be tailored to best fit the
organisation and its needs rather than following a one-size-fits-all approach.
The SA Government Risk Management Policy, 2009 considers these criteria and
has committed government agencies in South Australia to following ISO 31000.
The DECS Risk Management Framework and Policy are aligned to ISO 31000.
Within DECS, the Risk Management Unit is charged with co-ordinating and
reporting on the Enterprise-wide Risk Management (ERM) Program. Specialised
risk management areas such as OHS&W, security, and emergency management,
are co-ordinated and managed by the relevant groups within DECS on a day to
day basis. The ERM program brings all these different elements together under
one holistic approach.
DECS Risk Management Unit provides a framework, tools and services that
assist DECS management to fulfil their obligations regarding risk management.
The unit is the custodian of risk management information for the DECS corporate
entity. This role is fulfilled by the Risk Management Unit through:
Training and guidance on risk management and conducting risk assessments are
available on the DECS Risk Management Website. The Risk Management Unit
may be contacted for special assistance or if training is required by any work unit
or site.
DECS CORPORATE:
It is important that risk ratings are assessed using this tool as it provides
consistency for prioritisation, monitoring and reporting across the organisation.
Due to the different environment and foci in sites (schools, pre-schools and other
sites), sites carry out risk management using a variety of tools and methods,
which include using the DECS Improvement and Accountability Framework
(DIAF), following duty of care requirements, and OHS&W structures and
systems, which include the use of the Business Manager system. The
responsibility for managing risks at sites is shared jointly by the site leader and
the Governing Council. Regional Offices provide support and guidance to sites.
Principals, Pre-school Directors and Site Leaders are responsible for ensuring
that risk management is effectively carried out at sites, except where there is a
joint obligation between the Principal/Pre-school Director/Site Leader and the
Governing Council. Schools, Pre-schools and other DECS sites should carry out
Every school, preschool or other DECS site should carry out a risk assessment in
the following instances:
• Where required by any acts, regulations, policies and guidelines;
• When a new program is introduced that may have major impact for the
school/preschool/site and/or community;
• Whenever there is an event on or off the school grounds that involves
students/staff/parents/volunteers/contractors (e.g. fairs, games, etc.);
• When planning, procuring or contracting for facilities, IT or any other
major activities that may have significant impact;
• Any other activities that may have duty of care, OHS&W or liability implications;
• At the time self review and annual planning is carried out.
The above list is inclusive and not exhaustive.
Sites are encouraged to contact the Risk Management Unit for any assistance or
clarification they may require, including requests for training sessions and
facilitated workshops for carrying out risk assessments. Contact details are
available on the PMIA website:
http://www.decs.sa.gov.au/pmia/pages/main/riskmanagement
4. PROCEDURE DETAIL
The risks identified by different portfolios, offices, units and programs must be
reassessed at specific points of time; assessments must be carried out to
determine whether there are new or emerging risks in light of any current or
anticipated changes; and the status of treatment plans monitored to ensure that
the risk is being mitigated as planned. Risk Champions play a very important role
throughout the risk management lifecycle.
Units may self-assess the effectiveness of existing controls and new treatment
plans. Additionally, these may periodically be audited by Internal Audit to provide
management assurance on the effectiveness of risk management.
- the risk profiles for areas under their control are refreshed and updated on a
timely basis to enable the collation, analysis and reporting of risks to the
Executive Group and to ARC; and
- explanations are provided to the Executive Group and ARC for any major
gaps in their risk profiles and any significant delays in planned treatments for
high risk and high priority matters.
The Risk Management Unit will coordinate this activity with the assistance of Risk
Champions.
The Risk Management Unit analyses risk profiles to identify common themes,
risks that link together and may have a cause and effect relationship, and
systematic risks that, when summed up, assume a greater significance than the
individual risks themselves. The Risk Management Unit may provide
commentary on other trends and themes which it considers important but are not
reflected in any of the risk profiles in its reporting to the Executive Directors
Group and ARC.
The Strategic Risk Assessment for DECS will be revisited at least once every 18
months. This strategic risk assessment is undertaken by the Chief Executive and
the corporate executive team and provides a risk framework for the strategic
planning processes.
All major projects/programs that fulfil the following criteria must have a formal and
documented risk profile. A risk assessment must be carried out at the inception of
the project and kept updated through the lifecycle of the project. The risk profiles
of these projects and programs must be reviewed at least twice a year or at major
milestones, whichever is more frequent, or at a frequency required by the Project
Board/Steering Committee or the ARC. Where the Program/Project Director/Risk
Champion is unclear about whether a particular project/program meets the
criteria specified below, the Risk Management Unit should be consulted to clarify
the matter.
Risk profiles for these projects will be included in the consolidated twice-annual
reporting to the Executive Group and ARC. Program Directors/Managers must
contact the Risk Management Unit to ensure the most appropriate method for risk
assessment is discussed and agreed. It is preferable that the risk profiles for such
projects/programs are maintained in the risk management software.
Projects meeting one or more of the following criteria must have formal risk
assessments:
• Project has funding/ cost impact of greater than 1 million dollars (this may
include project funding or value of operations/staff etc affected by the project);
and/or
Activities:
Annual corporate, program and strategic risk assessment, monitoring and reporting
Risk Champions are generally senior individuals who have a good overview
of the area they represent and access to responsible executives within that
portfolio/group. They play a key role in coordinating the monitoring and
reporting of risks for the DECS Corporate Risk Management Cycle.
The Risk Champions Network has been established to aid information sharing
and a collaborative approach to identifying and managing risk across different
areas, as a peer network for sharing learning, good practice and providing
access to additional expertise. The Risk Champions Network is established in
the State Office and will be rolled out to Regional Offices. The Risk
Management Unit coordinates quarterly meetings of the Risk Champions
Group and provides necessary training and updates.
• The Risk Reference Group, which will comprise key individuals within
DECS who have responsibility for aspects of specialised risk management
such as:
- OHS&W,
- Legal,
- Security,
- Facilities,
- School Care,
- IT Security,
- Emergency Management, and
7. ASSOCIATED DOCUMENTS
- Risk Management Policy
- Risk Champions’ Role Statement - Appendix 1
- Glossary of Risk Management Terms available on PMIA website
Our People:
Our Website:
http://www.decs.sa.gov.au/pmia/pages/home/