
Risk Management Maturity and Toolkit September 2015


RISK MANAGEMENT

One of the key components of The Audit Office of New South Wales' Governance Lighthouse is risk management.

Risk is the effect of uncertainty on objectives. Risk Management refers to the architecture (principles, framework and process) for managing risks effectively.

The Audit Office Risk Management Maturity Assessment Toolkit is based on the principles and guidelines of the international risk management standard AS/NZS ISO 31000:2009 Risk Management,
the NSW Treasury Policy Guideline TPP 12-03: Risk Management Toolkit for the NSW Public Sector, TPP 15-03: Internal Audit and Risk Management Policy for the NSW Public Sector, and the Committee
of Sponsoring Organizations of the Treadway Commission's (COSO) Enterprise Risk Management Integrated Framework.

Assessment of Risk Management Maturity


Levels of Risk Management Maturity

Maturity Matrix Rating Scale


Maturity Rating: Description

Initial: There is no or minimal awareness of the importance of risk management and there are no processes in place across the entity. Risk management is usually left to the individual and performed on an ad hoc basis. Risk management is more reactive than proactive.

Inconsistent: There is organisational awareness of the importance of risk management. There are some formal processes in place for a few risks. There is limited standardisation of risk management processes, and risk management is conducted inconsistently across each risk and across each business unit.

Consistent - Designed: An enterprise risk management framework exists covering all major risks. Standardised risk management principles are defined and documented, and basic training is conducted. Consistent risk management processes with communication and accountability exist throughout the business, but not all processes have been fully implemented.

Consistent - Implemented: Enterprise risk management is fully implemented across the business, consistently applied, and used in decision making and day to day management. Risk management processes are measured, evaluated and fed back into continuous improvement. Principles and policies are implemented, and aggregated reports are prepared and reported to those charged with governance. Risk management is proactive. Key Risk Indicators are collected and monitored consistently.

Optimised: Risk management is fully addressed and embedded into day to day management. Sophisticated and advanced risk management processes are used for all major risk types. Risk management is used as a key value driver supporting decision making and the pursuit of opportunities. Risks, including emerging risks, are proactively identified and monitored through key risk indicators and predictive risk analytics.
Risk Management Maturity Assessment Tool

The tool is a matrix. The rows are the Maturity Scale (Optimised, Consistent - Implemented, Consistent - Designed, Inconsistent, Initial) and the columns are the five Assessment Criteria: Strategy and governance; Process; Systems & Intelligence; Monitoring and Review; Culture. Each cell below describes what an entity at that maturity level looks like against that criterion.

Optimised

Strategy and governance: Leading edge, aligned risk management and mitigation strategies in place. Accountability and responsibilities for risk management functions clearly defined. Audit and Risk Committees committed to regular assessment of the risk management function. Three lines of defence articulated and implemented. Risk management incorporated in daily operations. Risk appetite and tolerance levels communicated.

Process: Loss prevention and risk management processes are standardised and integrated organisation-wide. Proactive audit and program compliance enforcement exists. A formal and comprehensive program of stress testing is conducted regularly on all key risks. The risk management process is auditable. Key Risk Indicators (KRIs) are used extensively across the organisation. Best practices achieved for risk management.

Systems & Intelligence: Highly automated and reliable information sharing capability organisation-wide, enabling quick response, remediation and mitigation of risk incidents/issues. Fully integrated and advanced enterprise risk management (ERM) system. Use of sophisticated tools and data collection to quantify risks. Predictive analytics used extensively across the risk management framework.

Monitoring and Review: Aligned strategic methodologies that emphasise continuous improvement exist. A formal escalation process for all key risks across the organisation, operating on a real time basis, is fully implemented and working. Risk appetite delegations exist for all levels of the agency and are used as a basis for risk acceptance or rejection. Governing Board and executive management oversight and monitoring visible.

Culture: Risk profiles linked to corporate and strategic goals. Governing Board and executive management leading in risk management consciousness. Leading in key risk indicators, which are related to strategic and corporate goals. There is clear ownership of all risks and controls. Risk is considered an opportunity as well as a threat. Risk management is seen as an enabler. Staff have some component of their personal KPIs related to risk.

Consistent - Implemented

Strategy and governance: Strategic and risk management plans and policies drive actions at all levels of the organisation. There is organisation buy-in of risk management procedures. Chief Risk Officer or equivalent appointed.

Process: Risk management processes standardised and enforced at all levels. Stress testing used in risk quantification and contingency planning. Risk management practice deliverables are sustained. KRIs used as an early warning system.

Systems & Intelligence: A single main ERM system. High quality reporting of risk incidents and issues available through enabling technology solutions, depending on the size and needs of the organisation. Improved controls and compliance reporting available for resource deployment and decision making.

Monitoring and Review: Targeted and specialised programs focusing on elimination of the root causes of loss/risk incidents implemented. Exception reporting and predictive analysis improve resource allocation.

Culture: The Governing Board has a specific focus on risk management at all audit and risk committee meetings. Risk incidents are dealt with consistently. Risk management is an explicit part of business planning. Effective education and communication strategies integrated into the organisation's governance and risk programs.

Consistent - Designed

Strategy and governance: Annual risk management plans created. Risk appetite statement and risk tolerance established. There is a well articulated risk management methodology together with relevant policies. No specific procedures exist. The three lines of defence are recognised across the organisation.

Process: Risk and risk components are defined. Risk management processes defined at the business unit or division level. Aggregated KRI reports are produced. KRIs include some leading indicators.

Systems & Intelligence: Some capacity to track key milestones and compliance. Coverage of data is not extensive and not real time. Some availability of risk incident, issue and trend reports. Risk analytics process not fully implemented across the organisation.

Monitoring and Review: Formalised risk monitoring and review methodologies allow improved analysis and response for critical decision making. Effective system of formal risk incident reporting and tracking and data repositories. A formal escalation process for risk related matters exists but is not fully operational.

Culture: Systematic risk monitoring. The ERM framework includes the requirement for all risks and controls to have an assigned owner. Most employees are neutral regarding the value of risk management as it is not fully understood or practised. The process of including risk related staff KPIs is not fully embedded.

Inconsistent

Strategy and governance: There is a high level risk management methodology articulated. There is a separate audit function but no separate risk management function. The risk appetite statement is articulated qualitatively and no reporting exists.

Process: Risk management processes and control management applied inconsistently. Some use of risk management and control assessment templates and a risk register. Controls testing on an ad hoc basis.

Systems & Intelligence: A range of systems used with minimal tailoring capability. No integration of risk systems. Reports produced from various systems in Excel and Word. Limited analytics on historical data. Compliance and performance measured manually on an annual basis.

Monitoring and Review: Simple tools used inconsistently. Risk management often captured on spreadsheets, and risk control strategies reliant on "word of mouth" delivery. Some areas of the organisation use risk incidents and issues to develop actions, but these are applied inconsistently.

Culture: The Governing Board discusses some risk matters but there is no specific agenda item for risk. Some risks do not have specific owners. Poorly communicated, risk management may be misunderstood and taken as a proxy for conservatism and risk avoidance. Some risk related KPIs exist, while most are qualitative.

Initial

Strategy and governance: Risk not addressed as a strategic opportunity. The organisation provides little risk management direction.

Process: No standard risk management processes and procedures. No risk definition formalised and communicated to staff. Lack of operational controls leads to uncontrolled risk loss. Risk management often ad hoc and reactive. No formal KRI process to track current levels of risk.

Systems & Intelligence: Critical information not available. No capacity to track risk management and exposure through incidents and events. No capacity to evaluate operational controls and compliance. Compliance and performance measured sporadically. Manual reporting with limited data integrity. No capability to conduct analytics.

Monitoring and Review: Governing Board and senior management have no, or a very small level of, involvement in risk related matters. No risk compliance or performance monitoring methodology. No process for continuous improvement of risk management in the organisation. Unable to achieve predictive analysis.

Culture: No formal risk management and mitigation strategy. There is no clear ownership of risks and controls. Risk management serves only to achieve organisational compliance. Risk management is considered a hindrance and an overhead.
