Risk Register Template Excel


UPDATED: 13 October 2020

Register columns

Risk Information
#
Outcome – State the relevant DHHS outcome the risk relates to.
Risk Tier – Type 1 or Type 2.
Risk Type – COVID or Non-COVID.
Source(s)
Risk Category – See Ref 1 for options to select from.
Impacted branch(es)

Risk Description (See Ref 2)
Risk Event – Using action-oriented risk articulation for greater impact and accountability that describes the event only. e.g. High levels of workforce absenteeism.
Cause – Identify the root causes of the risk event. e.g. Failure to maintain client service management system.
Consequence – What is the impact if the event materialised? e.g. Results in poor service level to core clients.

Current controls (See Ref 3)
Current controls – See Ref 3.
Controls effectiveness – See Ref 4.

Current Risk Rating (See Ref 5 and 6)
Likelihood rating – How likely is this to occur?
Consequence rating – How severe is the effect?
Risk rating – Likelihood and consequence (See Ref 7).

Future risk treatments
Future treatments – See Ref 8.
Future treatment status

Future Risk Rating (See Ref 5 and 6)
Likelihood rating – How frequently is this likely to occur?
Consequence rating – How severe is the effect?
Risk rating – Likelihood and consequence (See Ref 7).

Key risk indicators – Please outline any available indicators which could be used to track the progression of the risk itself and where this information can be sourced from. e.g. waitlist data from an existing dataset held by a particular area.

Risk Owner

Links to references (if applicable)
Ref 1 – Determine your key objectives and identify known uncertainties that may impact the achievement of these key objectives.
Ref 2 – Risk description
Ref 3 – Current mitigations
Ref 4 – Mitigation effectiveness
Ref 5 – Likelihood rating
Ref 6 – Consequence rating
Ref 7 – Risk rating
Ref 8 – Future treatments

OFFICIAL

Risk management guidance

Risk management involves the identification, evaluation, treatment and ongoing monitoring and review of a broad range of risk events associated with all strategic, operational and project activities. Risks will always occur in any business environment. This process is not about removing risks. Rather we aim to manage the risk to an acceptable level.

Ref 1 – Determine your key objectives and identify known uncertainties that may impact the achievement of these key objectives

Identify the key objectives or outcomes that you are seeking to achieve.
According to the Australian risk management standard, AS ISO 31000:2018 Risk management – Guidelines, risk is defined as the “effect of uncertainty on objectives”. Risk is, therefore, known uncertainties or uncertain events that may impact the achievement of the organisation’s outcomes.

Ref 2 – Risk description

Something might occur which {Cause(s)} the {Event} that leads to an {Impact/Consequence(s)}. We are asking that you split this between the event itself, the cause of the risk, and the consequence of the risk.
Examples of possible controllable risk events for a hospital:
•                     Wrong medication provided to a patient
•                     Wrong surgery conducted on a patient
•                     Instruments left in patients during surgery
•                     Assault of emergency staff.
Example of a possible consequence: ‘Results in poor service level to customers’.
Example of a possible cause: ‘Failure to maintain client service management system’.

Ref 3 – Current controls

At the time of the risk assessment, identify what controls are currently in place that are reducing the likelihood and/or consequences of the risk event. Controls include a process, policy, device, practice, or other actions which modify risk.

Ref 4 – Mitigation effectiveness

Rate the effectiveness of your existing controls in terms of whether what you are doing is reasonable under the circumstances to minimise the risk, i.e. ‘Excellent’, ‘Adequate’, or ‘Inadequate’, as shown in the table below.

Level / Descriptor / Expectation / Example detail description
E – Excellent
  Expectation: More than what a reasonable person would be expected to do in the circumstances.
  Example: Controls fully in place and require only ongoing maintenance and monitoring. Protection systems are being continuously reviewed and procedures are regularly tested.
A – Adequate
  Expectation: Only what a reasonable person would be expected to do in the circumstances.
  Example: Being addressed reasonably. Protection systems are in place and procedures exist for given circumstances. Periodic review.
I – Inadequate
  Expectation: Less than what a reasonable person would be expected to do in the circumstances.
  Example: Little to no action being taken. No protection systems exist, or they have not been reviewed for some time. No formalised procedures.

Ref 5 – Likelihood rating

For each of your identified risk events, determine how likely it is that the risk event may occur, as shown in the table below.

Level / Descriptor / Example detail description / Frequency
1 – Rare: The event may occur only in exceptional circumstances. Frequency: once in 10 years.
2 – Unlikely: The event could occur at some time. Frequency: at least once in 5 years.
3 – Possible: The event should occur at some time. Frequency: at least once in 3 years.
4 – Likely: The event will probably occur in most circumstances. Frequency: at least once per year.
5 – Almost certain: The event is expected to occur in most circumstances. Frequency: more than once per year.

Ref 6 – Consequence rating

After rating the likelihood of the risk event occurring, evaluate the consequence of that risk event if it does occur using the consequence table below. The levels are Negligible (1), Minor (2), Moderate (3), Major (4) and Extreme (5); each impact category is rated separately.

Stakeholder outcomes – KPI variation
  Negligible (1): Up to 2% KPI variation.
  Minor (2): Up to 5% KPI variation.
  Moderate (3): Up to 15% KPI variation.
  Major (4): Up to 30% KPI variation.
  Extreme (5): More than 30% KPI variation.
Stakeholder outcomes – customer outcomes
  Negligible (1): Little or no impact on customer outcomes.
  Minor (2): Inconvenient customer delays.
  Moderate (3): Some customer delays. Some under-achievement of performance.
  Major (4): Material customer delays. Material under-achievement of performance.
  Extreme (5): Significant customer delays. Significant under-achievement of performance.
Health and safety of customers and employees
  Negligible (1): Minor injury.
  Minor (2): Injury to a customer or employee.
  Moderate (3): Injuries to multiple customers or employees.
  Major (4): Death or disabling injury of a customer or employee.
  Extreme (5): Death or disabling injury of multiple customers or employees.
Finance and financial sustainability – financial loss
  Negligible (1): Financial loss of less than $50,000.
  Minor (2): Financial loss of up to $100,000.
  Moderate (3): Financial loss of up to $250,000.
  Major (4): Financial loss of up to $5,000,000.
  Extreme (5): Financial loss of more than $5,000,000.
Finance and financial sustainability – budget variation
  Negligible (1): Up to 0.025% variation of budget.
  Minor (2): Up to 0.15% variation of budget.
  Moderate (3): Up to 2% variation of budget.
  Major (4): Up to 6% variation of budget.
  Extreme (5): More than 6% variation of budget.
Public confidence and trust
  Negligible (1): Non-headline exposure. Not at fault. Settled quickly. No impact.
  Minor (2): Non-headline exposure. Clear fault. Settled quickly by organisational response. Negligible impact.
  Moderate (3): Repeated non-headline exposure. Slow resolution. Qualified accreditation.
  Major (4): Headline profile. Repeated exposure. At fault or unresolved complexities impacting public or key groups. High priority recommendation to preserve accreditation.
  Extreme (5): Maximum multiple high-level exposure. Direct intervention. Loss of credibility and public / key stakeholder support. Accreditation withdrawn.
Operational efficiency and service delivery – services
  Negligible (1): No material disruption to services. Manageable impact.
  Minor (2): Short-term temporary suspension of services. Backlog cleared in a day. No public impact.
  Moderate (3): Medium-term temporary suspension of services. Backlog requires extended work, overtime or additional resources to clear.
  Major (4): Prolonged suspension of services. Additional resources, budget and/or management assistance required. Performance criteria compromised.
  Extreme (5): Indeterminate prolonged suspension of services. Impact not manageable. Other providers appointed.
Operational efficiency and service delivery – assets
  Negligible (1): Negligible damage to the asset.
  Minor (2): Minor damage of the asset, monitoring required to ensure it does not worsen.
  Moderate (3): Moderate damage of the asset, repairs required.
  Major (4): Major damage of the asset, significant repairs required.
  Extreme (5): Total and permanent loss or damage, replacement required.
Operational efficiency and service delivery – breaches
  Negligible (1): Innocent procedural breach. Evidence of good faith by degree of care/diligence. Little impact.
  Minor (2): Breach, objection/complaint lodged. Minor harm with good faith arguable.
  Moderate (3): Negligent breach. Lack of good faith evident. Performance review initiated. Investigation. Evidence of material harm caused. Misconduct established.
  Major (4): Deliberate breach or gross negligence. Significant harm. Formal investigation. Disciplinary action. Ministerial involvement. Serious misconduct.
  Extreme (5): Serious and wilful breach. Criminal negligence or act. Litigation or prosecution with significant penalty. Dismissal. Ministerial censure. Criminal misconduct.
Project management – deliverables
  Negligible (1): Up to 1% variation to project deliverables.
  Minor (2): Up to 5% variation to project deliverables.
  Moderate (3): Up to 10% variation to project deliverables.
  Major (4): Up to 20% variation to project deliverables.
  Extreme (5): More than 20% variation to project deliverables.
Project management – budget
  Negligible (1): Up to 1% over project budget.
  Minor (2): Up to 5% over project budget.
  Moderate (3): Up to 10% over project budget.
  Major (4): Up to 20% over project budget.
  Extreme (5): More than 20% over project budget.
Project management – timelines
  Negligible (1): Up to 5% delay to project timelines.
  Minor (2): Up to 10% delay to project timelines.
  Moderate (3): Up to 25% delay to project timelines.
  Major (4): Up to 100% delay to project timelines.
  Extreme (5): More than 100% delay to project timelines.

Ref 7 – Risk rating

To determine the risk rating, multiply the Consequence and Likelihood values to gain the risk rating or level of risk, as shown in the table below. NB: If there are multiple consequences identified, use the highest rating to calculate the risk rating.
You will need to make the following risk ratings:
§  Current rating – the rating when the risk is first identified, taking into account existing controls.
§  Target rating – the rating that we are targeting once proposed controls have been fully implemented.

Likelihood (down) x Consequence (across)
                      1 Negligible   2 Minor   3 Moderate   4 Major   5 Extreme
5 Almost certain      5              10        15           20        25
4 Likely              4              8         12           16        20
3 Possible            3              6         9            12        15
2 Unlikely            2              4         6            8         10
1 Rare                1              2         3            4         5

Low (1 – 4)   Medium (5 – 9)   High (10 – 16)   Critical (20, 25)

Ultimately, the process gets you to a point of deciding whether the risk is acceptable or requires further action.
Risks will always occur in any business environment. This process is not about removing or avoiding risks; rather we aim to manage the risk to an acceptable level.

Ref 8 – Future treatments

Risk assessment involves identifying a range of options to reduce the consequences and/or likelihood of a risk, or improve the control effectiveness rating, as shown in the table below. These treatment actions must already be planned, approved, and adequately funded / resourced.
The proposed controls could involve:
•                     Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
•                     Taking or increasing risk in order to pursue an opportunity;
•                     Removing the risk source;
•                     Changing the likelihood;
•                     Changing the consequences;
•                     Sharing the risk with another party or parties (including contracts and risk financing); and
•                     Retaining the risk by informed decision.

Level of risk / Criteria / Who is responsible for risk management (i.e. the person with authority to accept the risk)
1 to 3 – Acceptable: with ‘Adequate’ controls. Responsible: Manager.
4 to 5 – Monitor: with ‘Adequate’ controls. Responsible: Manager.
6 to 9 – Management control required: with ‘Adequate’ controls. Responsible: Director.
10 to 19 – Urgent management attention: only acceptable with ‘Excellent’ controls. Responsible: Managing Director.
20, 25 – Unacceptable: only acceptable with ‘Excellent’ controls. Responsible: CEO / Board.
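Worked example, added here and not part of the DHHS template or its guidance: a small Python scorer that applies Ref 7 and Ref 8 to register rows. It encodes the likelihood x consequence product, the Ref 7 rule that the highest of several consequence ratings is used, the Low/Medium/High/Critical bands, and the Ref 8 sign-off table, and it flags a row whose control effectiveness is below what its band requires (for example a rating of 10 or above held with only ‘Adequate’ controls). Ref 7 and Ref 8 draw their bands at different points (Low runs 1 to 4, but ‘Acceptable’ stops at 3 and ‘Monitor’ covers 4 to 5); the code keeps both tables as written rather than merging them. The RegisterRow class, the function names and the sample rows are assumptions; the sample rows reuse the template’s own example events.

```python
"""Score risk register rows against the Ref 5 to Ref 8 tables.

Added example; not part of the DHHS template. Table values are copied
from the guidance, everything else (names, sample rows) is assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Ref 5 and Ref 6 scales.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}
CONSEQUENCE = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Extreme": 5}
# Ref 4 effectiveness, ordered so that a comparison means "at least as good as".
EFFECTIVENESS = {"Inadequate": 0, "Adequate": 1, "Excellent": 2}

# Ref 8 sign-off table: (highest score in band, criteria, minimum control
# effectiveness under which the risk may be accepted, accepting authority).
ACCEPTANCE = [
    (3, "Acceptable", "Adequate", "Manager"),
    (5, "Monitor", "Adequate", "Manager"),
    (9, "Management control required", "Adequate", "Director"),
    (19, "Urgent management attention", "Excellent", "Managing Director"),
    (25, "Unacceptable", "Excellent", "CEO / Board"),
]


def risk_rating(likelihood: str, consequences: List[str]) -> int:
    """Ref 7: likelihood x consequence, using the highest consequence when
    several impact categories have been rated (the NB in Ref 7)."""
    if not consequences:
        raise ValueError("at least one consequence rating is required")
    return LIKELIHOOD[likelihood] * max(CONSEQUENCE[c] for c in consequences)


def risk_band(score: int) -> str:
    """Ref 7 bands. Only products of two 1-5 ratings are valid scores."""
    if score in (20, 25):
        return "Critical"
    if 10 <= score <= 16:
        return "High"
    if 5 <= score <= 9:
        return "Medium"
    if 1 <= score <= 4:
        return "Low"
    raise ValueError(f"{score} is not a likelihood x consequence product")


def acceptance(score: int) -> Tuple[str, str, str]:
    """Ref 8: criteria, required control effectiveness, accepting authority."""
    for upper, criteria, required, authority in ACCEPTANCE:
        if score <= upper:
            return criteria, required, authority
    raise ValueError(f"score {score} is outside the 1-25 range")


@dataclass
class RegisterRow:
    """One line of the register; field names follow the template headings."""
    event: str
    likelihood: str
    consequences: List[str]
    control_effectiveness: str
    future_likelihood: Optional[str] = None
    future_consequences: List[str] = field(default_factory=list)


def assess(row: RegisterRow) -> Dict[str, object]:
    """Current rating, its band and sign-off, plus the target rating if the
    row carries a post-treatment likelihood and consequence."""
    current = risk_rating(row.likelihood, row.consequences)
    criteria, required, authority = acceptance(current)
    result: Dict[str, object] = {
        "event": row.event,
        "current_rating": current,
        "current_band": risk_band(current),
        "criteria": criteria,
        "accepting_authority": authority,
        # False means the row cannot be accepted as-is under Ref 8.
        "controls_sufficient": EFFECTIVENESS[row.control_effectiveness]
        >= EFFECTIVENESS[required],
    }
    if row.future_likelihood and row.future_consequences:
        target = risk_rating(row.future_likelihood, row.future_consequences)
        result["target_rating"] = target
        result["target_band"] = risk_band(target)
    return result


# Constructed sample rows (assumed data) built from the template's own examples.
SAMPLE_ROWS = [
    RegisterRow("High levels of workforce absenteeism", "Likely",
                ["Moderate", "Major"], "Adequate",
                future_likelihood="Possible", future_consequences=["Moderate"]),
    RegisterRow("Failure to maintain client service management system",
                "Unlikely", ["Minor"], "Inadequate"),
]

if __name__ == "__main__":
    for sample in SAMPLE_ROWS:
        print(assess(sample))
```

The first sample row scores 4 x 4 = 16 (High) and falls in the 10 to 19 band, which Ref 8 only allows with ‘Excellent’ controls, so with ‘Adequate’ controls the row is reported as not acceptable as it stands and must go to the Managing Director; its target rating after treatment is 3 x 3 = 9 (Medium).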
