RISK MANAGEMENT PROCEDURE

SCOPE

This procedure provides information for all personnel who are responsible for risk management. 

PURPOSE

The objectives of this risk-based system of internal control are to assist PlayerLync in achieving its strategic objectives for the benefit of the community by: 

• Protecting our people, the community, and commonwealth assets (financial, property, and information)  
• Facilitating optimal use of resources and provide a system for setting priorities when there are competing demands on limited resources  
• Assisting us to realize opportunities   
• Providing stakeholders and the PlayerLync Community with grounds for confidence in the Organization
• Supporting innovative decision making through recognition of threats and opportunities  
• Improving service delivery, reporting systems, outcomes and accountability 

DEFINITIONS

BARRIER

An existing control. includes systems and procedures already in place to mitigate risks. 

CONSEQUENCE

Collective sum of all impacts to the capabilities of an organization(s) including long term and indirect effects such as combined health, economic, and psychological impacts. 

ENVIRONMENT

Conditions or influences comprising built, physical and social elements, which surround or interact with stakeholders and communities. 

ESCALATION FACTORS

Conditions that lead to increased risk due to improvement or diminution of barriers or controls, Eg. Maintenance, foreign currency conditions, failure to audit or inspection treatments or controls. 

HAZARD

Something which has the potential to adversely impact (ie. cause harm) to an asset if not controlled or if deliberately released or applied. Eg. explosives, bio-hazards, flammable liquids, firearms, trojan, virus et cetera. 

LIKELIHOOD

The qualitative of semi-quantitative assessment or estimation of whether an event will occur, Used as a qualitative description of probability and frequency. 

IMPACT

The immediate downstream result of a risk manifesting. Multiple direct or indirect impacts, when aggregated, form the collective consequence(s) of the risk event. 

RISK

The effect of uncertainty on objectives. 

RISK LEVEL

The relative measure of risk as defined by the combination of likelihood and consequence. 

RISK MANAGEMENT

The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects. The coordinated activities to direct and control an organization with regard to risk. 

RISK TREATMENT

Measures that modify the characteristics of organizations, sources of risks, communities and environments to reduce risk, 

SOURCE (OF RISK)

A real or perceived event, situation or condition with a real or perceived potential to cause harm or loss to stakeholders, communities or environment. 

THREAT

An indication of something impending that could attack the system. includes strategic threats such as a regional conflict or tactical threats such as impending physical attack. threats are usually measured in terms of intent and capability. the term includes known (stated or assessed intention or determination to inflict pain, loss or punishment on someone or something) or unknown (undeclared, hidden or potential) threats. Malicious threats such as system hacks, data destruction, data modification, theft of iP, bomb threats, sabotage, fraud, can be categorized within a range going from rational (obtaining something of value) to irrational (attack against of assets without benefit). 

TREATMENT

Controls that are proposed (i.e. not yet existing) to reduce or mitigate the likelihood or consequence of an event occurring, that is to reduce the residual risk. 

VULNERABILITY

The susceptibility of stakeholders, communities and environment to consequences of events. 

RESPONSIBILITIES

Risk management is a core management requirement and integral part of day-to-day operations. As individuals we all play our part in managing risk and staff at all levels are responsible for understanding and implementing PlayerLync risk management principles and practices in their work areas. Division Heads, Line Managers, and Team Leaders are responsible for applying agreed risk management policy and strategies in their area of responsibility and are expected to: 

• Ensure that risk management is fully integrated with corporate planning processes and considered in the normal course of activities at all levels   
• Identify and evaluate the significant risks that may influence the achievement of business objectives  
• Assign accountability for managing risks within agreed boundaries  
• Ensure that a risk based approach is communicated to our people and embedded in business processes  
• Comply with PlayerLync and Government standards which relate to particular types of risk  
• Define acceptable levels for risk taking and apply fit for purpose mitigation measures where necessary 
• Design, resource, operate, and monitor internal risk management systems  
• Monitor the effectiveness of the system of risk management and internal control   
• Report identified weaknesses or incidents to executive management in timely fashion  

The Chief Information Officer and DPO are responsible for the development, coordination, and promulgation of the PlayerLync Risk Management Framework including monitoring and reporting systems capable of identifying and reporting new and evolving risks.  The Branch will coordinate training and assistance regarding implementation of the risk management framework, and ensure adequate information is available to all staff. The CEO is responsible for managing risk across the organization.  

PROCEDURE

ISO31000 was developed with the objectives of providing a generic framework for identification, analysis, assessment, treatment and monitoring of risk.  The PlayerLync Risk Management process follows the ISO31000 methodology (illustrated below).  

Figure 1: ISO 31000 Risk Management Process The process of managing risk at PlayerLync involves: 

• Establishing the context associated with the program goals and activities;  
• Identifying the risks (including identifying the likelihood and consequences associated with each risk);  
• Analyzing the risks;  
• Assessing and prioritizing the risks;  
• Treating the risks (including a cost/benefit analysis of the treatment options); and  
• Continually monitoring and reviewing the risks and treatments 

RISK MANAGEMENT PROCESS FLOW AT PLAYERLYNC 

ESTABLISH THE CONTEXT

Define the stakeholders and review the levels of acceptable risk using tools such as consultative groups, and develop risk evaluation criteria. Successful RM requires the effective engagement of stakeholders and subject matter experts.  Effective engagement enables the strategic management of uncertainty and develops resilience amongst those involved.  RM goes far beyond being a technical or political process - it is also a communications process. 

INDENTIFY RISKS

Identify and describe the sources of risk, stakeholders, communities and environments.  Scope the vulnerabilities and describe the risks.  There may be great diversity of opinion on the actual risks and their various sources, given different perceptions, knowledge and experience. 

ANALYZE RISKS

Analyze the risk associated with the problem by determining the likelihood and consequence of the identified risks. 

EVALUATE RISKS

Compare risks against risk evaluation criteria, prioritize the risks and decide on risk acceptability. Treat risks. Identify and evaluate the treatments. Respond to the level of risk by deciding which source of risk, stakeholders, communities or environment can be addressed, either by increasing resilience or robustness, to reduce risk. Model changes to obtain the new level of risk. Select treatments, plan and implement. 

COMMUNICATION AND CONSULTATION

Where stakeholders and communities contribute to the decision making process there is a much larger pool of information and expertise to enable appropriate solutions to be developed. For catastrophic events communication and consultation is considered extremely important. Communication and consultation develop resilience amongst stakeholders and communities and will be invaluable in terms of regaining control of business activities. 

MONITOR AND REVIEW

Systems that monitor and review risk, and its management, must be established and maintained. Latent and residual risk are ever-present.  RM must be on going to ensure that change and uncertainty can be accommodated.