
Document uncontrolled when printed

Procedure ID no: 07/4385

RISK MANAGEMENT FRAMEWORK

DOCUMENT CONTROL
Managed by: Prudential Management and Internal Audit
Responsible position: Director Prudential Management and Internal Audit
Version: 1.1
Contact person: Mohua Mukherjee
Approved by: Corporate Executive Team
File number: 07/4385
Contact position: Manager Strategic Risk and Audit
Date approved: 1.2.2011
Status:
Contact number: 8226 1997
Next review date: January 2012
Security classification: Unclassified

© Department of Education and Children’s Services 2009


CONTENTS
1. TITLE (page 3)
2. PURPOSE (page 3)
3. SCOPE AND APPROACH (page 6)
4. PROCEDURE DETAIL (page 10)
5. RISK MONITORING AND REPORTING (page 14)
6. RISK MANAGEMENT GOVERNANCE (page 16)
7. ASSOCIATED DOCUMENTS (page 17)
8. CONTACT DETAILS (page 17)
9. APPENDIX 1 - RISK CHAMPIONS’ ROLE STATEMENT (page 18)

REVISION RECORD

Date / Version / Revision description
February 2008, version 1.0
January 2011, version 1.1: Updated to reflect changes in Risk Management Policy and clarify Risk Management Cycle and Risk Champions’ Role Statement



1. TITLE: DECS RISK MANAGEMENT FRAMEWORK

2. PURPOSE
The purpose of this document is to provide details of the structures and
processes supporting the DECS Risk Management Policy.

3. INTRODUCTION
The DECS Risk Management Policy is supported by the DECS Risk
Management Framework. Other policies and procedures related to risk
management, such as Duty of Care Procedures, OHS&W, Security and
Procurement support the management of risk within the department.

These documents are applicable to all parts of the organisation and to all
employees/contractors/business partners and volunteers working for DECS or
any affiliated entity, program or initiative.

The risk management framework and methodology are based on and comply with the International Risk Management Standard ISO 31000 (which replaces AS/NZ 4360:2004) and the Whole of Government directions for risk management. The focus of risk management in DECS is to ensure effective integration over time into organisation processes so that risk management not only protects value, but creates value.

Risk management includes the following steps and processes (the ISO 31000 process diagram is reproduced here as a list):

• Establish the context
• Risk assessment: identify risks, analyse risks, evaluate risks
• Treat risks
• Communicate & consult and monitor & review (applied across all of the steps above)

The DECS Risk Management Framework consists of:

• The DECS Risk Management Policy
• Tools and Methodology:
- The DECS Risk Assessment Criteria Matrix
- The Risk Assessment Template
- Risk Management Software (CURA) implemented in DECS Corporate
- Advisory service provided by the Risk Management Unit
• Risk Champions’ Network
• Risk Management Governance which consists of:
- Risk Management Cycle and its alignment to and support of the DECS planning, reporting and performance processes
- Monitoring and Reporting

The DECS Risk Management Policy

The DECS Risk Management Policy is available on the DECS website (http://www.decs.sa.gov.au/docs/documents/1/DecsRiskManagementPolicy.pdf) and the PMIA website.

This document establishes the context of risk management in DECS and establishes the commitment and mandate in DECS for Enterprise-wide Risk Management (ERM). The DECS Risk Management Policy operates under the mandate provided by the SA Government Risk Management Policy, 2009.

The Importance of Culture and Senior Management Support

ISO 31000 emphasises the importance of risk management as a value-adding process and has identified 11 Principles that underpin an effective risk management system. It recognises that risk management:
• is about value creation and protection
• is embedded into organisational processes and supports decision making
• is focussed on improvement
• is forward looking and includes the identification and assessment of uncertainties
• is an iterative process, recognising that risks change over time
• effectiveness is dependent on information quality
• effectiveness depends on organisational culture and transparency
• processes are systematic and one size does not fit all
The standard also defines the characteristics that a robust risk management framework should consider. The importance of the following is highlighted:
• organisational culture, internal/external operating environment, and applicable laws;
• establishing and maintaining accountability and embedding risk management into departmental processes;
• availability of sufficient and competent resources to support effective organisation-wide risk management.

The actual process for risk assessment described by the new standard is the same as that previously identified in AS/NZ 4360 (now repealed).

Thus the significant point of difference between the old standard and the new global standard ISO 31000 is the focus of the latter beyond the actual process of risk assessment, considering in depth what makes for an effective risk management system in an organisation. This expanded view identifies elements that provide an effective foundation for risk management (including a focus on culture, senior management mandate and support, and integration of risk management into organisational processes). ISO 31000 also emphasises that risk management frameworks and processes should be tailored to best fit the organisation and its needs rather than taking a one-size-fits-all approach.

The SA Government Risk Management Policy, 2009 considers these criteria and
has committed government agencies in South Australia to following ISO 31000.

The DECS Risk Management Framework and Policy are aligned to ISO 31000.



3. SCOPE AND APPROACH
Risk Management Services from Prudential Management and Internal Audit

Within DECS, the Risk Management Unit is charged with co-ordinating and
reporting on the Enterprise-wide Risk Management (ERM) Program. Specialised
risk management areas such as OHS&W, security, and emergency management,
are co-ordinated and managed by the relevant groups within DECS on a day to
day basis. The ERM program brings all these different elements together under
one holistic approach.

DECS Risk Management Unit provides a framework, tools and services that
assist DECS management to fulfil their obligations regarding risk management.
The unit is the custodian of risk management information for the DECS corporate
entity. This role is fulfilled by the risk management unit through:

- provision of risk advisory and workshop facilitation services where required
- training and support to the Risk Champions
- monitoring of compliance with the DECS Risk Management Cycle
- analysis and reporting on corporate and strategic risks to the DECS Audit and Risk Committee (ARC) and the Corporate Executive Team (CET) twice per year.

Our services and when you should use them

• Risk assessments and risk advisory:
- When any strategy is developed for units/programs or for the organisation as a whole
- When key decisions need to be made
- When strategic planning and scenario analysis is done
- Prior to corporate strategic and operational planning at whole of DECS, portfolio, directorate or major project/program level
- At the commencement of and at key milestones for important projects and programs
- At corporate and major project/program plan performance review dates
- When processes cut across multiple areas
- When improvements are made or new processes are designed

• Risk mitigation and controls advice after a risk assessment exercise, after an audit or as required during any major project, when designing processes or during an improvement exercise



How we deliver our services
• Risk Management Policy, Framework and Tools
• Risk Management website
• Administration and maintenance of the Risk Management Software
• Training and awareness raising sessions
• Risk Champions’ Network
• Facilitated risk assessment workshops and assistance with developing risk management plans
• Assistance with using risk assessment tools to simplify client experience and
provide value
• Individual consultations and assistance as required
• Work jointly on key projects as required
• Work with management to develop risk mitigation strategies, controls and
determine monitoring strategies and plans, and to develop risk management
material for key publications/documents/policies
• Monitor and report progress
• Analyse key organisational risks and provide updates on status of key risks to
various levels in the organisation and the ARC.

Training and Guidance Material:

Training and guidance on risk management and conducting risk assessments are available on the DECS Risk Management Website. The Risk Management Unit may be contacted for special assistance or if training is required by any work unit or site.

Risk Management in DECS occurs at:

• DECS Corporate (including Regions); and
• DECS Sites.

DECS CORPORATE:

Tools for Corporate Risk Assessment:

• The DECS Risk Assessment Criteria Matrix:

This document provides the major Risk Categories, Consequence and Likelihood ratings and Risk Ratings (Consequence x Likelihood) that DECS will use for its risk assessments. It also provides interpretative guidance on categorisation of consequences and likelihood to foster organisational uniformity in classifying, rating and prioritising risks. The Risk Assessment Criteria Matrix sets the “Risk Appetite” for the department, i.e., these indicators were agreed and approved by DECS executives and the ARC.

It is important that risk ratings are assessed using this tool as it provides
consistency for prioritisation, monitoring and reporting across the organisation.

• DECS Risk Assessment Template:

This is the standard template to be used in DECS to carry out risk assessments at the Corporate and Program level. The risk assessment template contains guidance comments. Further guidance and assistance for using the risk assessment template may be sought from the Risk Management Unit.

These tools and methodologies are based on leading practice and enable the effective identification, documentation and analysis of risks. If used as recommended, they also provide an evidence base to prove that due process and prudential management practices were followed, in the event of any claim, FOI, other potential inquiry or adverse event. They also provide confidence and assurance on the strength of practices being followed.

Tools and formats for carrying out the risk assessments are available on the Risk Management Website located at:
http://www.decs.sa.gov.au/pmia/pages/main/riskmanagement

• Risk Management Software

DECS is implementing Risk Management Software (CURA). This software will be accessed by State Office and DECS Regional Offices and will enable better quality information to be captured and maintained, facilitate systemic analysis, and enable regular reporting and monitoring of risks. The software is administered by the DECS Risk Management Unit.

RISK MANAGEMENT AT SITES:

Due to the different environment and foci in sites (schools, pre-schools and other sites), sites carry out risk management using a variety of tools and methods, which include using the DECS Improvement and Accountability Framework (DIAF), following duty of care requirements, and OHS&W structures and systems, which include the use of the Business Manager system. The responsibility for managing risks at sites is jointly shared by the site leader and the Governing Council. Regional Offices provide support and guidance to sites.

Principals, Pre-school Directors and Site Leaders are responsible for ensuring that risk management is effectively carried out at sites, except where there is a joint obligation between the Principal/Pre-school Director/Site Leader and the Governing Council. Schools, Pre-schools and other DECS sites should carry out their risk assessment keeping their own particular context in mind. The factors determining the context may include:
• Type of Schools/Pre-school or site
• Location and demographics
• Community engagement and expectations
• History
• Outcomes for students and children
• Duty of care and child protection
• Applicability of laws, regulations and policies
• Existing or planned future contractual arrangements with third parties
• Financial considerations
• Any other relevant matter

Every school, preschool or other DECS site should carry out a risk assessment in the following instances:
• Where required by any acts, regulations, policies and guidelines;
• When a new program is introduced that may have major impact for the school/preschool/site and/or community;
• Whenever there is an event on or off the school grounds that involves students/staff/parents/volunteers/contractors (e.g. fairs, games, etc.);
• When planning, procuring or contracting for facilities, IT or any other major activities that may have significant impact;
• Any other activities that may have duty of care, OHS&W or liability implications;
• At the time self review and annual planning is carried out.
The above list is indicative and not exhaustive.
Sites are encouraged to contact the Risk Management Unit for any assistance or clarification they may require, including requests for training sessions and facilitated workshops for carrying out risk assessments. Contact details are available on the PMIA website:
http://www.decs.sa.gov.au/pmia/pages/main/riskmanagement

4. PROCEDURE DETAIL

The Corporate Risk Management Cycle

Risk Management is an ongoing activity and should be carried out as a part of day-to-day business. However, reporting to the DECS Executive Groups and to ARC, as approved by the CE, must occur on a regular basis to ensure that risk management is embedded into decision making and senior management discussions in a consistent and structured manner.

The risks identified by different portfolios, offices, units and programs must be
reassessed at specific points of time; assessments must be carried out to
determine whether there are new or emerging risks in light of any current or
anticipated changes; and the status of treatment plans monitored to ensure that
the risk is being mitigated as planned. Risk Champions play a very important role
throughout the risk management lifecycle.

Units may self-assess the effectiveness of existing controls and new treatment plans. Additionally, these may periodically be audited by Internal Audit to provide management assurance on the effectiveness of risk management.

As risk management is a significant decision support tool and is closely aligned with strategy and planning, the risk management cycle is aligned with the department’s strategic planning cycle. The strategic, corporate risk and program risk assessments will be refreshed and reported on at least twice per year. Risk profiles should be kept up to date. All major current and emerging risks should be identified and included in the risk profile.

Executives are responsible and accountable for ensuring that:

- risk management policies, framework and processes are complied with;

- the risk profiles for areas under their control are refreshed and updated on a
timely basis to enable the collation, analysis and reporting of risks to the
Executive Group and to ARC; and

- explanations are provided to the Executive Group and ARC for any major
gaps in their risk profiles and any significant delays in planned treatments for
high risk and high priority matters.

The Risk Management Unit will coordinate this activity with the assistance of Risk
Champions.

Risk management information may also be required by Project Steering Groups and Governance Boards/Committees to ensure that key risks for major projects are being effectively managed. DECS Corporate Executive and/or ARC may require more frequent or detailed reporting on significant initiatives.

The Risk Management Unit analyses risk profiles to identify common themes, risks that link together and may have a cause and effect relationship, and systemic risks that when summed up assume a greater significance than the individual risks themselves. The Risk Management Unit may provide commentary on other trends and themes which it considers important but which are not reflected in any of the risk profiles in its reporting to the Executive Directors Group and ARC.



Strategic Risk Assessment:

The Strategic Risk Assessment for DECS will be revisited at least once every 18 months. This strategic risk assessment is undertaken by the Chief Executive and the corporate executive team and provides a risk framework for the strategic planning processes.

The strategic risk assessment must be refreshed whenever there is a significant contextual change for the department.

Corporate Risk Assessment:

Every Office/Unit/Regional Office must complete/update a risk assessment:

• At least once every 12 months; and/or
• Whenever there is a major change; and/or
• Whenever an important activity is proposed to be undertaken.
Please note that the initial cycle may take more than 12 months to complete.
The Risk Assessments should be documented and updated in the software. If the software is not used for particular assessments, the Risk Management Unit must be forwarded a soft copy of the latest version for its records and review every time it is updated.

Project/Program Risk Assessment:

All major projects/programs that fulfil the following criteria must have a formal and
documented risk profile. A risk assessment must be carried out at the inception of
the project and kept updated through the lifecycle of the project. The risk profiles
of these projects and programs must be reviewed at least twice a year or at major
milestones, whichever is more frequent, or at a frequency required by the Project
Board/Steering Committee or the ARC. Where the Program/Project Director/Risk
Champion is unclear about whether a particular project/program meets the
criteria specified below, the Risk Management Unit should be consulted to clarify
the matter.

Risk profiles for these projects will be included in the consolidated twice annual
reporting to the Executive Group and ARC. Program Directors/ Managers must
contact the risk management unit to ensure the most appropriate method for risk
assessment is discussed and agreed. It is preferable that the risk profiles for such
projects/programs are maintained in the risk management software.

Projects meeting one or more of the following criteria must have formal risk assessments:

• Project has funding/cost impact of greater than 1 million dollars (this may include project funding or value of operations/staff etc affected by the project); and/or

• Project/program lifespan is greater than one year; and/or

• Program consists of a portfolio of three or more projects; and/or

• Project/program is part of strategy to deliver on any one or combination of the following:
- COAG commitment
- SASP targets
- DECS Strategic Plan Priorities and/or Ministers’ Priorities; and/or

• Project spans over multiple business areas and directorates; and/or

• Project involves multiple external stakeholders who:
- may be responsible for joint delivery (eg joint program with DECS and another department)
- may be affected, or
- may be able to influence the project and/or its outcomes; and/or

• Projects with a high public interest or deemed to be sensitive due to potential reputation risk.

It is strongly recommended that the Risk Management Unit is involved in providing expert assistance to support and carry out a peer quality review on these particular risk assessments.



5. RISK MONITORING AND REPORTING
The Risk Management Monitoring and Reporting Cycle is illustrated below (the cycle diagram is reproduced here as text):

Activities: Annual corporate, program and strategic risk assessment, monitoring and reporting. The Risk Management Unit coordinates, facilitates and reports. The cycle is aligned with the planning and reporting cycle.

ED Reporting/Follow-up:
• Quarterly/Half yearly follow-up on extreme/high risks on corporate and program risks
• Accountability comment from EDs

Quarterly Risk Champions Meetings:
• Meet with risk champions to identify changes/new issues etc
• Half yearly follow-up on moderate/low risks

ED Group Reporting:
• Summary of ED follow-ups
• Top risks status
• New risks
• Themes
• Strategic risks
• Comment from Ex-D Group

ARC Reporting:
• Half yearly report on key corporate and strategic risks
• Comment from ARC

With the assistance of Risk Champions and cooperation of Executives, the Strategic Risk Management team will monitor and report on risks. PMIA will analyse and formally report on risk management to DECS senior management and ARC twice per year.



The risk reporting will follow the requirements defined in the Risk Management policy, framework and guidelines and will focus on:
• Reporting the identified risks based on priority, including the effectiveness of management of these risks: high priority risks and those that are judged to
- have a potentially large impact and/or
- be pervasive through the organisation;
• Reporting on common themes and patterns, i.e., risks that cut across different areas in DECS;
• Reporting on risks/treatment plans without owners;
• Reporting on risks where treatment plans have not progressed as planned;
• Reporting on key risk movement trends.
Monitoring will occur through updates to be provided to the Strategic Risk Management team by the Business Units, Programs/Projects and, where relevant, sites. Risk Champions will assist with coordination activities for monitoring and reporting.
Internal audit will also provide a support and feedback mechanism for monitoring risks through risk-based internal audits.

Priority Based Monitoring and Reporting

• “Extreme” and “High” rated risks will require immediate management attention and will be monitored and reported on at least a quarterly basis.
• “Moderate” and “Low” rated risks may be monitored bi-annually or annually, as judged relevant.
• All identified risks will be monitored at least annually.



6. RISK MANAGEMENT GOVERNANCE
• The Audit & Risk Committee (ARC): The Audit & Risk Committee provides oversight in DECS for matters related to risk management, governance and accountability and advises the Chief Executive on matters that it deems to be important and/or requiring action or attention.
The Audit & Risk Committee’s charter is endorsed by the Chief Executive and is available on the DECS governance web site (http://www.decs.edu.au/governance).

• The Risk Management Unit located in the Prudential Management and Internal Audit (PMIA) Directorate (contact details provided at the end of this document).

• Corporate “Risk Champions” Network: Trained Risk Champions are nominated individuals who play a key role in facilitating and coordinating risk management activities in their areas. They are the main point of contact between their portfolio/group and the Risk Management Unit.

Risk Champions are generally senior individuals who have a good overview of the area they represent and access to responsible executives within that portfolio/group. They play a key role in coordinating the monitoring and reporting of risks for the DECS Corporate Risk Management Cycle.

The Risk Champions Network has been established to aid information sharing and a collaborative approach to identifying and managing risk across different areas, as a peer network for sharing learning, good practice and providing access to additional expertise. The Risk Champions Network is established in the State Office and will be rolled out to Regional Offices. The Risk Management Unit coordinates quarterly meetings of the Risk Champions Group and provides necessary training and updates.

The Risk Champions’ Role Statement is attached as Appendix 1 to this document.

Planned addition to current structure:

• The Risk Reference Group, which will comprise key individuals within DECS who have responsibility for aspects of specialised risk management such as:
- OHS&W,
- Legal,
- Security,
- Facilities,
- School Care,
- IT Security,
- Emergency Management, and
- Other nominated parties.
This group will meet twice a year and will discuss and analyse key risks, and report on trends and statistics from specialised areas. The focus of this is to arrive at Enterprise-wide Risk Management that covers not only business and program risks, but also provides a good overview to Corporate Executive and ARC of the key trends from specialised areas within DECS. This will also support effective evaluation of controls and treatments.
The important risks will be evaluated, recorded and reported through the integrated risk reporting on a periodic basis to ARC and Corporate Executive.
This group is yet to be formed.

7. ASSOCIATED DOCUMENTS
- Risk Management Policy
- Risk Champions’ Role Statement- Appendix 1
- Glossary of Risk Management Terms available on PMIA website

8. OUR CONTACT DETAILS

Our People:

Mohua Mukherjee, Manager Strategic Risk and Audit
mohua.mukherjee@sa.gov.au
8226 1997

Our Website:

http://www.decs.sa.gov.au/pmia/pages/home/



APPENDIX 1: CORPORATE RISK CHAMPIONS’ ROLE STATEMENT

Risk Champions are responsible for the following:

• Acting as a key contact/reference point for staff within the Directorate/Office/Business Unit for ad-hoc risk management advice/guidance, and a key contact for the Risk Management Unit to source risk information. This includes:
− Contributing to the promotion of risk management awareness and culture within their directorates and workgroups.
− Assistance with facilitating risk assessments.
− Risk Profile Maintenance for their Directorate/Office/Business Unit. This involves coordination and facilitation within the group to ensure that the risk assessments are completed and kept up to date on an ongoing basis.
− Regular reporting (as required by the risk management cycle) to the Risk Management Unit on the status of the Directorate/Office/Business Unit’s risks, including any new or emerging risks, to support reporting by the Risk Management Unit to CET and the Audit and Risk Committee.
− Liaising with the Risk Management Unit to raise any key issues/concerns on a timely basis.
• Participating in structured risk management training facilitated by the Risk Management Unit.

• Attending regular meetings with other Risk Champions within DECS organised by the Risk Management Unit.



i Procedure ID No: DECS file number
ii Title: Descriptive title of the procedure.
iii Scope: What, when, where and to whom (personnel, groups) the procedure
applies. Should include any exclusions to application of the procedure.
iv Procedure Detail: The formal steps that need to be taken to reach a desired
outcome.
v Roles and Responsibilities: The position(s) responsible for approving, implementing, complying with, monitoring, evaluating and reviewing, and providing advice on, the procedure.
vi Associated documents: Any associated internal or external policies, standards,
guidelines or procedures including whole of government documents.
vii References: Any documents relevant to the development of the procedure.
