
Queensland Branch Scouting Instructions (QBSI) SECTION 7 SCOUTSAFE: CHAPTER 7.11 ENTERPRISE RISK MANAGEMENT FRAMEWORK (Version 1) Page 1 of 18

SECTION 7 SCOUTSAFE 7.11 ENTERPRISE RISK MANAGEMENT FRAMEWORK

7.11.1. EXECUTIVE SUMMARY

Risk is inherent in everything the Queensland Branch does on a day-to-day basis. The Branch Executive, its volunteer Leaders and professional staff recognise this as fact and have over many years taken steps to identify and control the risks encountered in its day-to-day operations.

The emphasis on the identification of risk has accelerated in recent years and steps have been put in place to formally and systematically identify and record such risks. Risk Registers have been created for specific purposes, some legislative, and to comply with the ever-changing Australian Standards and other published guidelines. Risks need to be reviewed annually, with additional risks identified and existing risks re-evaluated as the operational environment changes and/or additional control measures are developed and put in place.

In 2012 the emphasis once again changed and the Risk Management “bar” has been raised to incorporate the principles of Enterprise Risk Management (ERM) into the fabric of the Branch. Our aim is to inculcate into the organisation high standards in controlling the risks to which it is exposed.

The renewed emphasis on managing risk through the adoption of the ERM model will enhance and widen existing processes; however, the ultimate objectives will only be achieved by vigilance and tenacity in our approach to identifying our priority exposures, incorporating appropriate Risk Management strategies, risk improvements and contingency planning into our activity and business pursuits and, most importantly, monitoring and reviewing ongoing risk to identify changes in our operations and to enable us to make well-informed decisions on risk mitigation.

The preferred approach to the management of risk is to raise the ERM profile within the Branch via risk training and through the provision of professional advice. In doing so the appropriate tools and practices for the effective management of risk will be in place and our volunteer Leaders and professional staff will become risk aware and incorporate ERM into their everyday work ethic.

Our challenge is to ensure that ERM is incorporated into our culture and our everyday business operations, with special emphasis on ensuring it is embedded in our policies, strategies and budgetary processes. It is also highly desirable that steps are taken to ensure that Risk Management is an integral part of the business processes employed by contractors to, and business partners of, the Branch.

Finally, it is imperative that it be recognised that risk also presents opportunity and that risk can be used to the betterment of the organisation; however, this must be tempered with a clear knowledge and appreciation of the risks involved supported by astute planning to control such risks.

The year 2009 saw the introduction of the new International Risk Management Standard AS/NZS ISO 31000:2009. This Standard has been formally accepted by Standards Australia and replaces the former Australia/New Zealand Standard AS/NZS4360. This document reflects AS/NZS ISO 31000:2009.


7.11.2. INTRODUCTION

7.11.2.1. PURPOSE OF THIS FRAMEWORK

The purpose of this Framework is to assist in maintaining the direction and impetus currently in place, thereby ensuring that ERM is considered and included in the business and operations of the Branch.

7.11.2.2. AIMS OF ENTERPRISE RISK MANAGEMENT

The aims associated with embracing ERM in the Branch are as follows:

(a) to provide an assurance that the organisation has identified its highest risk exposures and has taken steps to properly manage these risks;

(b) to ensure that the Branch’s planning processes include a focus on areas where ERM is needed;

(c) to maintain a process across the Branch which will formally identify risks and provide a platform by which such risks and their respective control measures are monitored and improved according to need;

(d) allow the realisation of opportunity through the proper management of risk.

7.11.2.3. FRAMEWORK ADHERENCE

This Framework adheres to the principles as defined in:

(a) AS/NZS ISO 31000:2009. Risk Management – Principles and Guidelines

(b) Queensland Branch Enterprise Risk Management Policy

(c) National Executive Committee Risk Management Policy.

7.11.3. CONTEXT AND BACKGROUND

7.11.3.1. WHAT IS ENTERPRISE RISK MANAGEMENT?

What is Enterprise Risk Management?

(a) ERM is the management of risk not only in conventional hazard categories such as workplace health and safety, IT and finance, but in the full spectrum of strategic and operational risk.

(b) ERM is the structured approach of aligning strategy, processes, people, technology and knowledge with the purpose of evaluating and managing risk. Enterprise wide means the removal of traditional functional, divisional, departmental or cultural barriers.

(c) ERM is a top down approach, rather than the traditional bottom up approach used in departmental silos, based on and supportive of organisational strategy that is focused on new ways to manage risks of highest priority.

(d) The moving away from a fragmented approach to Risk Management to the adoption of ERM involves a paradigm shift in thinking about risk as something always adverse, involving loss, to an occurrence that may present opportunities that could have both positive and negative consequences.

(e) To be successful the principles of ERM must be embedded in the very culture of the organisation by an integrated approach in the methodology employed and the acceptance of ownership of risk by all.

Traditional Risk Management vs Enterprise Risk Management

The proponents of ERM will argue that Risk Management and ERM are not synonymous. It is claimed that traditional Risk Management is usually the process of managing risk in isolated departments or ‘silos’ such as workplace health and safety, information technology, finance and human resources. However, this was never the basis of a solid Risk Management program. Any system incorporating a number of people using different processes, controls, language and frameworks to manage risk in isolated departments is destined to deliver limited success.


The Branch’s existing program, like ERM, has openly advocated the breaking down of silos and shares risk information across the organisation. The Queensland Branch has developed a single process, controls, language and framework to identify, assess and manage its risks. Notwithstanding this, success in all respects has not been achieved as there is still a resistance to an across-the-board acceptance of responsibility for the organisational risks. This Framework highlights and reinforces the necessity to break down the remnants of these barriers and encourage the wholehearted adoption of a holistic view of risk and the management thereof.

ERM looks to the Branch itself and management at all levels to consider the ‘big risk categories’ and the process flows from these categories down. The more significant risk categories under the ERM banner may well be:

(a) people;

(b) business processes and services;

(c) economic and financial;

(d) environmental natural hazards;

(e) assets and property;

(f) leadership and innovation;

(g) security;

(h) technology data and knowledge;

(i) reputation risk;

(j) loss of Scouting traditions.

ERM must be seen as a business tool and an integral part of good “corporate governance” and fundamental planning processes. It sits within an overarching governance program. This is a three tier approach that provides a systematic and documented management process.

(a) Governance establishes the accountability and responsibility of the Branch.

(b) Risk Management is the tool or process used to ensure governance principles are applied in a manner that supports achievement of organisational objectives.

(c) Business continuity is the process in place, if a significant risk event occurs that results in a disruption to normal business, to ensure that service delivery continues and returns to normal within a short period of time.

The three processes are interlinked with each requiring effective management to ensure the most effective delivery of the governance principles.

Risk is defined as “the effect of uncertainty on objectives”. It is measured in terms of consequences and likelihood (AS/NZS ISO 31000:2009). Risk is usually construed to be negative (i.e. adverse), but it can provide opportunities for an organisation as well.

Risk is inherent in the functions and activities of the Branch and its service providers. As the consequences of an adverse event may include an inability to meet stakeholder requirements, financial loss, organisational or political embarrassment, operational disruption, legal problems, and so forth, it is important that management policies, procedures and practices are in place to minimise the Branch’s exposure to risk.

ERM involves adopting and applying a systematic process to identify, analyse, evaluate, treat and monitor risk so that it is reduced and maintained within acceptable levels.

It is said that “Management” may be defined as the process of planning, organising, leading and controlling the resources and activities of an organisation in order to fulfil its objectives most cost-effectively, whereas “Risk Management” is the process of making and carrying out decisions that will minimise the adverse effects of accidental losses upon an organisation and/or maximise opportunities.

The process follows that of the Australian/New Zealand Risk Management Standard (AS/NZS ISO 31000:2009). Its elements are:

(a) establish the organisational context which includes the organisational Risk Attitude and the criteria against which each risk is to be rated;

(b) identify the various risks;

(c) analyse the risks in terms of consequence and likelihood together with the existing controls in place to manage those risks;

(d) evaluate the risks against the organisational criteria and determine what risks will be treated or accepted;

(e) treat the risks through acceptance and ongoing surveillance or developing and implementing additional control measures and action plans to treat the risk;

(f) monitor and review the risks and the system in which they are managed;

(g) ensure communication and consultation with stakeholders occurs throughout the ongoing process.

The process is clearly discernable in the following diagram extracted from AS/NZS ISO 31000:2009.

7.11.3.2. OWNERSHIP AND RESPONSIBILITIES FOR IMPLEMENTATION OF EFFECTIVE ENTERPRISE RISK MANAGEMENT

The elements necessary to ensure effective ERM are:

Branch Executive Committee

(a) Education on the principles of Risk Management.

(b) Involvement in the establishment of Risk Attitude and Strategy.

(c) “Ownership” of the Risk Management process and on-going oversight for the program and ensuring its success.

(d) Regular reviewing of risk reports on the Strategic and Operational risks of the Branch.


Chief Commissioner and Executive Manager

(a) Create a high-level risk strategy (policy) aligned with strategic business objectives.

(b) Create a Risk Management organisational structure and ensure clear reporting lines.

(c) Develop and assign responsibilities for Risk Management.

(d) Communicate the Branch’s vision, strategy, policy responsibilities and reporting lines to all Members and professional staff.

(e) Include Risk Management activities/responsibilities in job descriptions.

(f) Meaningful Risk Management objectives and accountabilities built into performance appraisals.

(g) Maintenance and reporting of a Risk Management Committee, including receiving quarterly reports on the Risk Management preparedness and activities of the Branch.

(h) Review the organisation’s Strategic and Operational Risk Registers at least annually.

(i) Identify and treat operational, activity and project based risks within their respective areas of responsibility.

(j) Assume overall “Ownership” of such risks and clearly allocate operational ownership of risk to subordinate leadership according to specific need.

(k) Ensure that all volunteer Leaders and professional staff are adequately trained in the principles of Risk Management and receive the necessary encouragement, empowerment and resources to manage risks within their area of responsibility and within defined risk boundaries.

Branch Commissioners, Region Commissioners, District Commissioners, Group Leaders, Region Chairman, District Chairman and Group Chairman

(a) Identify and treat operational, activity and project based risks within their respective areas of responsibility.

(b) Assume overall “ownership” of such risks and clearly allocate operational ownership of risk to subordinates according to specific need.

(c) Ensure that subordinate leadership, both uniform and non-uniform, are adequately trained in the principles of Risk Management and receive the necessary encouragement, empowerment and resources to manage risks within their area of responsibility and within defined risk boundaries.

(d) Review their respective Risk Registers at least annually.

Branch Risk Management Committee

(a) Maintenance of a common Risk Culture via the use of common risk language and framework, in the Branch’s context and the use of AS/NZS ISO 31000:2009.

(b) Communicate about risk using appropriate channels and technology.

(c) Deliver training programs in ERM techniques and systems across the organisation.

(d) Identify and train Region and District ScoutSafe Officers to work closely with volunteer Leaders.

(e) Maintain a knowledge-sharing system via the use of newsletters, posters and the organisation’s internet facilities.

(f) Maintain, store and ensure regular revision of Branch’s formal Strategic, Operational and Activity Risk Registers and Risk Management Plans.

(g) Conduct periodic audits/reviews of Risk Management procedures and practices across all Formations within the Branch to ensure compliance with the ERM Framework.

(h) Report on Risk Management strategies to the Branch Executive Committee, the Chief Commissioner and Executive Manager.

(i) Provide Risk Management consultancy services to all areas of the Branch.

(j) Maintaining corporate risk and risk control information.

(k) Provide statistical analysis and reporting on the branch risk exposure and incident reporting.

(l) Ensuring appropriate linkages to the Branch’s business and planning processes and budgetary processes.

(m) In consultation with Branch Executive Committee, the Chief Commissioner and Executive Manager, set risk reduction targets across all areas within the Branch.

(n) Providing advice on contemporary and emerging risk issues.

(o) Providing assistance and advice on the conducting of complex risk assessments and in identifying and implementing risk control measures.

(p) Providing assistance to the Chief Commissioner and Executive Manager in identifying and managing risk emanating from the services of external providers and contractors.

(q) Provide assistance/advice on managing the Branch’s insurance portfolio and claims made against the Branch.

(r) Represent the Branch at Scout and industry forums, conferences and workshops.

Branch Compliance Committee

(a) Monitoring of the Branch’s Risk Management strategies, policies and procedures.

(b) Maintenance of a risk based auditing system of the Branch’s systems and processes to ensure the adequacy and effectiveness of the system of internal controls and reporting procedures.

(c) Investigation of fraudulent activities and breaches of the relevant Codes of Conduct.

(d) Promoting accountability.

(e) The improvement and effectiveness of risk management, legal compliance, internal control and Governance systems.

(f) Receive and consider reports on the Strategic Risks and other Risk Management initiatives from the Risk Management Committee on an annual basis.

Strategic Risk Management Committee

The Strategic Risk Management Committee shall meet half yearly and consist of selected members of the Branch Executive, the Chief Commissioner, the Executive Manager, the Chairman of the Risk Management Committee and other leadership/managerial personnel seconded according to specific need. The Strategic Risk Management Committee is responsible for the duties and responsibilities defined in the Committee’s Charter defined below.

Strategic Risk Management Committee Charter

Introduction

This is the Strategic Risk Management Committee (Committee) charter for Queensland Branch. This charter governs the purpose, composition, responsibilities and processes of the Committee.

Strategic Risk Management Committee Purpose

The purpose of the Strategic Risk Management Committee is to establish, monitor and review the organisation’s Enterprise Risk Management Framework and its application in the management of the Branch’s risks.

Composition

The Committee will comprise the following standing members:

(a) Two members of the Branch Executive Committee selected by them for this purpose.

(b) Chief Commissioner.

(c) Executive Manager.

(d) Chairman of the Branch Risk Management Committee.

The composition of the Committee will be expanded at the invitation of the Committee to include relevant line managers as required. Such invitations will be extended according to need and agenda considerations and for such timeframes as necessary.


Meetings

Frequency

The Committee will meet at least half yearly with the option of additional meetings if required. The frequency of meetings shall be reviewed annually.

Presiding Officer

The presiding officer of the Committee shall be known as the chairperson. The chairperson shall be appointed by the Branch Executive Committee to serve in this capacity for no longer than a twelve (12) month period; however, there is no limit to the number of times any one person can be reappointed to serve in this capacity. The term of office shall coincide with the Association’s Financial Reporting Year.

Secretary

The secretary shall be responsible for ensuring that all administrative requirements necessary for the proper functioning of the Committee are in place. This includes the preparation of agendas, business papers and minutes.

Calling Meetings and Notices

A notice of each meeting confirming the date, time, venue and agenda must be forwarded to each member of the Committee five (5) working days before the date of the meeting. The notice for members will include relevant supporting papers for the agenda items to be discussed. (Note that date claimers for meetings should be put in place well in advance).

Report to Branch Executive Committee and Compliance Committee

The Committee chairperson, or delegate, shall provide a semi-annual report to the Branch Executive Committee and an annual report to the Branch Compliance Committee on the status of the Strategic Risk Register and any specific risk issues identified in the Register.

Minutes

Minutes of proceedings and resolutions of the Committee will be kept by the secretary. Minutes will be distributed to all Committee members and the chairperson of the Committee, after the Committee chairperson has given the preliminary approval. Minutes, agenda and supporting papers will be distributed to other personnel according to need and as agreed to by the Committee.

Quorum and Voting

A quorum will comprise four (4) members. In the absence of the Committee chairperson or appointed delegate, the members will elect one of their number as chairperson for that meeting. Ideally the recommendation of the Committee should be arrived at by consensus; however, where consensus cannot be reached, each member will have one vote and the Committee chairperson will have a second or casting vote. In instances where a majority recommendation of the Committee differs to that expressed by the Chief Commissioner as expressed by him/her as a Committee member, the issue will then be presented to the Chairman of the Branch Executive for further consideration and final determination by the Branch Executive Committee.

Closed Meetings

The meetings of the Committee will not be open to the Public.

Duties and Responsibilities

The Strategic Risk Management Committee is responsible for:

(a) developing and promoting risk management as a core activity of the Branch;

(b) ensuring the necessary resources to ensure risk management is properly implemented across the Branch;

(c) reviewing the Enterprise Risk Management Policy, Framework, Risk Assessment Handbook and any supplementary material for the identifying, monitoring and managing of the Branch’s risks;

(d) the oversight and monitoring of the Branch’s overall risk management program including the development of and execution of the Risk Management Committee’s annual risk management action plan;

(e) receiving and reviewing audit reports on risk mitigation strategies as prepared by the Risk Management Committee;

(f) coordinating risk initiatives to ensure that jurisdictional boundaries do not impede the successful implementation of Enterprise Risk Management;

(g) considering budget initiatives designed to foster risk management;

(h) identifying and monitoring all forms of contemporary and emerging risks likely to be faced by The Branch, e.g. Strategic, Operational, Activity and Project;

(i) identifying and ensuring the training needs of the Committee members and other relevant personnel are met;

(j) keeping the Branch Compliance Committee informed of progress in the implementation of risk management across the organisation including reporting on and receiving feedback on the Branch’s strategic risks and their mitigation initiatives.

Review

The Committee will conduct an annual review of this Charter to ensure that it remains relevant and appropriate.

Risk Management subcommittee

The Risk Management subcommittee is appointed annually by the Branch Executive Committee to work with the Strategic Risk Management Committee. This subcommittee will meet monthly to prepare the operational documents required by the Strategic Risk Management Committee.

Composition

The subcommittee will comprise the following members:

(a) Chairman;

(b) ScoutSafe and Insurance Officer;

(c) Secretary;

(d) Two members of the Branch Executive Committee;

(e) Other members co-opted as required (including the Chief Commissioner).

All stakeholders accept Risk Accountability/Responsibility

(a) All stakeholders accept and diligently apply the principles of ERM into their daily activities.

(b) Identify and treat risks within their respective areas of responsibility.

(c) Collectively work with all other areas of the Branch to ensure that risks are identified and that the Branch-wide risk mitigation initiatives are supported and benefits realised.

7.11.3.3. WHAT WILL ENTERPRISE RISK MANAGEMENT PROVIDE?

Ensuring the realisation of Corporate Objectives

Corporate Objectives will be achieved by:

(a) integrating the various risk control measures that the Branch currently uses into one holistic view of what the Branch is doing to minimise its risk exposures. This single view will show priorities and any gaps that need to be addressed;

(b) implementing a visible, formalised and consistent process for managing the Branch’s exposures to risk, thereby supporting continuous improvement in the Branch’s programs and providing an assurance of more effective outcomes;


(c) incorporating identified Risk Management solutions into planning and administrative processes resulting in more structured, accountable and effective business planning and project management;

(d) building on existing Risk Mitigation Management strategies such as administrative, engineering, contractual, safety and quality management controls; and

(e) requiring all stakeholders [management in particular] to think about risk in their own day-to-day work programs, as well as contractor and project management, and in forward planning activities.

Providing Financial Safeguards

Presenting to Insurers a professional approach to risk and fewer claims, all of which results in a saving in uninsured losses and insurance premiums.

Risk Mitigation Strategies

The Branch’s main risk mitigation strategies will continue to include administrative, contractual, technical, safety and management controls as a part of business and program activities. These will include but not be limited to:

(a) policy and procedure manuals and guidelines;

(b) clearly defined management accountabilities including specific Key Performance Indicators (KPIs) and appraisals;

(c) financial and personnel delegations and authorisations;

(d) reconciliations of data;

(e) detailed tender specifications, evaluations and selection of tenderers;

(f) supply chain risk evaluation and implementation of appropriate control measures;

(g) detailed standards, engineering checks, tests, maintenance check lists and quality assurance generally;

(h) high level reporting, review and analysis, including Risk Management Committee scrutiny;

(i) oversight and supervision of contractors to the Branch and Lessees of the Branch owned property and facilities;

(j) training and development;

(k) safety for all members, employees, contractors and the public;

(l) physical controls, such as security systems and fire protection measures;

(m) contractual arrangements which include indemnities, insurances and the like;

(n) detailed budget papers (with special emphasis on the rationale behind maintenance budgets);

(o) maintenance of Individual Asset Management Plans;

(p) inclusion of a detailed mandatory Risk Management disclosure in all submissions to the Branch and other documentation requiring management authorisation. This will include a Risk Management evaluation and a detailed Risk Register for items such as but not limited to new projects above a value to be periodically determined in the organisational Risk Context;

(q) identification and compliance with standards either mandatorily imposed by or voluntarily accepted from Federal or State Governments or other Standards/Specialist organisations;

(r) mandatory consideration of risk management issues for all submissions to the Branch Executive Committee and other management appropriate to the level of risk involved in the subject matter;

(s) business continuity planning;

(t) contingency planning;

(u) succession planning;

(v) internal auditing;

(w) fraud prevention and control programs;

(x) Risk Management Committee audits of currently imposed control measures.

Corporate Governance

To ensure the benefits of ERM are fully available to the Branch it is imperative that ERM continues to be applied to all the Branch’s activities, including those delivered on the Branch’s behalf by external service providers and project contractors. This will help to:

(a) ensure that the quality and reliability of services and other program outputs are of a very high standard;

(b) ensure services meet requirements and are delivered within cost and on schedule;

(c) protect employees, property, information and all other assets; and

(d) comply with all legal requirements relative to areas of risk.

7.11.3.4. CORPORATE RISK ATTITUDE

Realising Opportunity

Throughout this Framework reference is made to the acceptance of risk where the acceptance thereof is necessary to realise opportunities considered beneficial to the organisation. To be risk averse can stifle progress and stagnation can result; on the other hand, to recklessly take on avoidable risk can result in irreparable harm to the organisation. When realising opportunity involves the need for the voluntary assumption of significant levels of risk the following principles need to be considered:

(a) the potential benefits must clearly outweigh the assumption of the risks involved;

(b) a balance needs to be established and all the risks freely accepted need to be identified and treated to minimise the likelihood of harm to the organisation;

(c) irrespective of the perceived benefits, the integrity of the Branch’s ERM Risk Management context must not be compromised;

(d) the principles contained in the Branch’s Risk Attitude Statement are to be carefully considered and applied in all instances.

Risk Attitude Statement – General Acceptance Criteria Principles

The following Risk Attitude Statement is not designed to be a definitive list and/or totally descriptive in its definitions. It is intended to provide a broad outline upon which managers can base risk acceptance decisions, i.e. what is justifiable, what is not and what is integral to the organisational risk ethic.

Risk Attitude Statement

When considering opportunities that may involve the assumption of risk considered to be out of normal bounds, the following should be considered before making the decision to proceed otherwise.

| Class | Acceptance/Non-Acceptance |
| --- | --- |
| Financial | There will be no acceptance of decisions that have a significant negative impact on the Branch’s long-term financial sustainability. Financial viability over the short, medium and long term must be highly certain. |
| Legal and Regulatory | There will be no acceptance of any non-compliance with legal, professional and regulatory requirements. |
| People | There will be no acceptance for compromising the safety and welfare of our Members and professional staff. There will be no acceptance for the preventable loss of valued volunteer leadership and professional staff due to unreasonable management action. There will be no acceptance for compromising the welfare and safety of members of the public. |
| Operational | There is considerable acceptance for the improved efficiency of the Branch operations. In considering opportunities a disciplined approach to the management of risk must be taken. There is considerable acceptance for improvements to service delivery. There will be no acceptance for running the Branch (which includes all its Formations) in a manner that does not meet the reasonable expectations of stakeholders. |
| Environmental | There will be no acceptance for operational decision making that does not have a sound basis. There is considerable acceptance for decisions that promote ecological sustainability. There will be no acceptance of decisions that cause environmental harm especially those that are likely to result in government intervention. |
| Strategic | There is acceptance for the Branch Leadership to respond to the changing environment and seize opportunities where necessary. |
| Ethical | There will be no acceptance of the failure to conduct business honestly and ethically. |
| Reputation | There will be no acceptance for damage to the reputation of the Branch and Scouting generally. No “justifiable” adverse media coverage is acceptable. |
| Leadership | The Branch’s (which includes all its Formations) approach to managing its risk should set an example to the rest of the community. |
| Scouting Traditions and Community Support | There will be considerable acceptance of decisions that promote the maintenance of Scouting traditions and membership satisfaction. There will be no acceptance of decisions that will have an adverse effect on community and political support and confidence. |

7.11.4. ENTERPRISE RISK MANAGEMENT IN THE QUEENSLAND BRANCH

7.11.4.1. END RESULT

The end result of ERM is to provide the Branch leadership with a regular snapshot of the risk profile of the Branch including the individual status of all major risks and risk mitigation measures across the organisation to enable informed decision making within the Branch’s risk attitude.

[Diagram: the STRATEGIC and OPERATIONAL levels each apply the Risk Management Process as per AS/NZS ISO 31000:2009. The Strategic level produces an Annual Review of Strategic Risk Register and the Operational level an Annual Review of Operational Risk Register and Audit findings. Each reports to the Branch Executive Committee, the Compliance Committee and the Operational Risk Management Committee.]


7.11.4.2. RELATIONSHIP BETWEEN THE BRANCH RISK MANAGEMENT COMMITTEE AND THE COMPLIANCE COMMITTEE

There should be a close relationship between the Risk Management Committee and Branch Compliance Committee. The Risk Management Committee will liaise with the Branch Compliance Committee regarding the Branch’s risk profile, its risk management activities, the Risk Framework and its effectiveness.

7.11.4.3. APPROACH

The Queensland Branch will achieve the above requirements by:

(a) using the Risk Management process in (AS/NZS ISO 31000:2009) for assessment of the following functions within the Branch:

i. Strategic (Corporate)

ii. Operational (Program)

iii. Policy

iv. Activity (Service Unit)

v. Project, and

vi. Decision analysis;

(b) documentation of risks to form a Risk Register which is open to review and updating, and provides a record should personnel change. Risk information will be filtered to focus on only those risk exposures that are significant and relevant to providing assurance;

(c) a documented Risk Register and a Risk Management Plan from contractors for service-critical projects;

[Diagram: the ACTIVITY, POLICY, PROJECT and DECISION ANALYSIS levels each apply the Risk Management Process as per AS/NZS ISO 31000:2009. Outputs shown: Annual Review of Risk Register; Report identifies the risks of the policy prior to decision; Project Risk Register and Risk Management Plan; Informed reporting to The Queensland Branch for decision. Reporting lines shown: Chief Commissioner and Executive Manager; Chief Commissioner, Executive Manager and Project Manager; Report to decision maker.]


(d) incorporation of Risk Management into all Business Plans and used to support Capital and Operational Budget submissions;

(e) risk management being incorporated into the various performance management instruments both corporate and individual with varying degrees of accountability according to management responsibility;

(f) developing a contract management system that ensures risks are addressed at all stages of the contract processes;

(g) monitoring and reviewing risk in external services and, where appropriate, providing input to contractors’ risk management processes;

(h) incorporating risk management strategies, particularly action plans arising from the Risk Registers, into the Branch’s broader business and planning processes and, if necessary, budget processes;

(i) periodic and mandatory reviewing and updating of the Risk Registers to account for changes in risks and related issues;

(j) providing Risk Management training for our volunteer Leaders and professional staff generally as a corporate training imperative for the Branch;

(k) providing a safe activity/work environment for its members, employees, contractors and members of the public by being active in the pursuit of workplace health and safety initiatives. Resourcing of Workplace Health and Safety will be provided to ensure that the Branch meets its statutory obligations and minimises injuries and incidents;

(l) the Branch will meet its statutory obligations and continue to strive for excellence in its operations to ensure it maintains all its statutory obligations and operational costs and to minimise the ongoing cost to the Branch;

(m) maintaining adequate insurance cover. Where risks are such that they have a potentially high financial impact on the organisation, insurance cover is arranged to transfer some financial risk to the insurer. Insurance is but one control measure available in the risk management process and the Branch will balance insurance with all other preventative measures rather than simply relying on insurance to manage its risks. Insurance is maintained for, including but not limited to, public and products liability, professional indemnity, property, personal accident, fidelity guarantee and motor vehicles. Insurance is sourced from wherever the Branch is able to purchase it and on the best terms available in the market in accordance with the Branch’s procurement guidelines. Professional Insurance brokers are contracted to market the Branch’s insurance to ensure value for money is achieved;

(n) management systems that are seen as a means of managing the Branch’s risks through properly developed and documented methods of performing work. Compliance with these management systems will not only improve quality and consistency of our services, but also reduce the likelihood of inappropriate actions by our volunteer leadership and professional staff. Supporting documents such as policies, guidelines, work instructions and checklists will be used to convey the requirements of our systems to our volunteer Leaders and professional staff;

(o) regular reviews and testing of its Business Continuity Plan (BCP) which will be undertaken to maintain its currency and adequacy. This will involve desktop reviews with the business process owner and scenario testing of the plan. The process for undertaking this exercise will be documented in the BCP;

(p) other supporting activities identified in the diagram above. These are developed and managed by various parts of the organisation. While some do not have a primary risk management focus, they contribute to the Branch’s operations with a net result of improved risk management.

7.11.4.4. ELEMENT 1 – AWARENESS TRAINING

To ensure the successful implementation of ERM throughout the Branch, the Risk Management Committee will provide appropriate training in risk management to our volunteer leadership and professional staff. Training content will encompass the risk management process, application of risk assessment tools and templates, assistance with identification and analysis of the Branch’s risk exposures, risk profile and assurance reporting.


7.11.4.5. ELEMENT 2 – ASSESSMENT FRAMEWORK

Hierarchical Approach

Risk assessment comprises a hierarchical process to apply at the levels as illustrated below.

[Diagram: hierarchy of risk assessment levels]

STRATEGIC: High-level issues that affect the sustainability of the organisation or its ability to deliver on its corporate objectives

OPERATIONAL: Medium-level issues that affect the viability of the program management and delivery that have corporate implications

ACTIVITY: Issues that affect the service unit performance

POLICY: Issues likely to arise due to implementing or not implementing a policy

PROJECT: Issues that affect the outcome of a project

DECISION ANALYSIS: Impacts that may arise as a result of the decision

At Corporate Strategic and Operational Level

The Queensland Branch will establish a Corporate Risk Register comprising the Strategic and Operational Risk Registers. Strategic Risks will be identified through analysis of the 2020 Plan and what can impede the organisation from its successful delivery. Operational Risks will be identified through analysis of the risks facing middle management in delivering the Operational Plan and any other planning instruments (corporate strategies, audit plans, asset management plans etc.) effectively. These are primarily focused on the achievement of the desired outcomes of the organisation.

At Activity Level

The Queensland Branch will establish a register of risks that are likely to impact upon the day-to-day operations of the Branch (including the Regions, Districts and Groups business operations). The information will be captured in a formal Risk Register and Risk Management Plan for use by the respective leadership. Activity level risks will be identified and subsequently analysed by reference to business planning and the products and services delivered. These are primarily focused on the achievement of the desired outputs of the organisation.

At Policy Level

At policy level the Risk Management process will be used to ensure that the full implications of implementing a policy or not implementing a policy are established prior to making a decision on the policy.

At Project Level

At project level, the risk assessment process is to follow the elements and procedures outlined in the Project Management Framework. The desired deliverables from the Project Risk Management process are a Risk Register and a Risk Management Plan for the project. The Risk Register documents the identification, analysis, and assessment of risks and the Risk Management Plan summarises planned and actual risk controls and measures.

At Decision Analysis Level

At the decision analysis level the purpose of the risk management process is to ensure that all risks have been investigated as part of the information used in making the decision. This will ensure that a fully informed decision is made and the necessary contingency plans have been developed as part of the decision implementation process.

At a Performance Management Level

The management of risk is to form part of Position Descriptions with Key Accountabilities specifically designed for this purpose.

7.11.4.6. ELEMENT 3 – ASSURANCE

Responsibilities and carriage of Enterprise Risk Management

All Members and professional staff are responsible for managing risk within their area of responsibility, for promoting the application of risk management by contractors, and assisting with the identification of global or broadly based risks that could impact on the Branch as a whole.

Reviews

The Risk Registers will be formally reviewed and updated annually as a part of our planning process, although more regular reviews and updates by service unit, contract and program managers are encouraged in accordance with any significant changes to activities or appointments. It is anticipated that these formal reviews will be concurrent with, and part of, business and budget planning processes because of the complementary nature of the two processes. These formal annual reviews will include:

(a) a summary ranking of risks by overall rating level to identify all “extreme” and “high” level risks across the Branch as a whole to ensure that all are accounted for in the Branch’s broader planning and reviewing processes of its services;

(b) extreme and high level risks are reviewed and control measures reassessed in accordance with this Framework and the Risk Assessment Handbook with the view to eliminating or reducing the risk;

(c) a statement of the Branch’s performance over the previous twelve months showing the reduction in the risk profile and the improvements made in risk controls shall be presented to the Branch Executive Committee.

7.11.5. DEVELOPMENT AND IMPLEMENTATION

7.11.5.1. MANDATE AND COMMITMENT TO AS/NZS ISO 31000:2009 AND THIS FRAMEWORK

This Framework is not intended to prescribe a management system, but rather to assist the organisation to integrate risk management into its overall management system. The unwavering commitment of Management is imperative if the application of the risk management principles embodied in AS/NZS ISO 31000:2009 and this Framework is to be embraced by the organisation at large. The Framework, like all risk management initiatives, must be constantly reviewed to remain relevant in changing times. The process is clearly discernible in the following diagram extracted from AS/NZS ISO 31000:2009.


7.11.5.2. ESTABLISHING A RISK MANAGEMENT CULTURE

The risk culture of an organisation is also a “key” factor in establishing the success or failure of any risk management program. The right balance between risk taking and risk aversion needs to be carefully established and clearly communicated. Risk can be detrimental or beneficial. The opportunity to understate risk to move forward is always there, however, this can prove to be a costly way forward. Before any decision is made to accept a risk it needs to be carefully considered and the consequences weighed against the benefits. The creation of a Risk Attitude Statement, aligned with the Branch’s 2020 Plan, has been established to clarify the organisation’s stance in this respect [Refer to Item 2.4]. The overarching principles of a successful Risk Culture are embodied in the following statement: “A Risk Management culture is not one marked by fear and paranoia. Instead, the ideal risk culture is one that is steeped in a commitment to executing activities according to approved processes while also maintaining a balance that fosters initiative and innovation. It displays a deep seated commitment to the achieving of Organisational Goals and Objectives and the preservation of financial resources, organisational prestige and basic human values.”

7.11.5.3. COMMUNICATION AND CONSULTATION

Communication and consultation with internal and external stakeholders should take place at all stages of the risk management process and therefore the creation and adoption of appropriate methodologies to achieve this is imperative. The inter-relationship between the “process” and “communication” is clearly demonstrated in the following diagram extracted from AS/NZS ISO 31000:2009.


7.11.5.4. RISK ASSESSMENT HANDBOOK - A STEP BY STEP GUIDE

An adjunct to this Framework is the Risk Assessment Handbook. It has been created to more fully explain the risk assessment process and to facilitate the identification and rating of the Branch’s risks. The Corporate Risk Context is highlighted in this Handbook and the Risk Likelihood Table, Risk Consequence Table and the Risk Analysis Matrix are housed therein. The general principles contained in this Framework should be read in conjunction with the Risk Assessment Handbook. This Enterprise Risk Management Framework provides a “Head of Power” for the Risk Assessment Handbook. The Risk Assessment Handbook is a living document and will be updated from time to time to reflect current Risk Management practices and procedures. Changes to the Handbook may be authorised by the Chief Commissioner in consultation with the Branch Executive Committee as and when required.

7.11.5.5. APPROACH

This document presents the concept and key elements for the Branch’s ERM in terms of an overarching framework or guidelines. Risk management commences with an understanding and awareness of risks. Assessment, analysis and treatment of risks ensure a documented approach and methodology. Monitoring and review demonstrates the ongoing management of risk. It is this phase that is fundamental to the ongoing success and implementation of ERM into normal business processes. The Branch has implemented an integrated team approach to the management of risk comprising the Risk Management Committee and the Compliance Committee. This is to ensure that there is a coordinated approach to risk mitigation across the organisation.


Links between the strategic, operational and activity risk registers support the notion of the interdependency of each register upon the other and unite the management of risk across the broad spectrum of the Branch’s activities. An interactive approach is to be maintained between the ERM and budgetary processes. Reference to risk mitigation measures, preferably supported by extracts from the relevant Risk Registers, is to form part of budget submissions especially where maintenance budgets are concerned and where Capital budget submissions involve the introduction of additional risk control measures. The Chief Commissioner and the Executive Manager will remind our Leaders of this at the commencement of both the Capital and Operational budgetary processes. The Risk Management Committee provides training programs, the refinement of risk assessment tools and templates, and the preparation of risk registers and assurance reports. The following documents support this process:

(a) the Branch Enterprise Risk Management Policy;

(b) the Branch Risk Assessment Handbook.

7.11.5.6. COST IMPLICATIONS

The costs associated with the management of risk are carried across the organisation, through the salaries and wages budgets of those areas participating in the assessment of risks and actions that result from those assessments. As ERM is an essential element of managing the Branch these costs cannot be separated from costs of running the organisation. As ERM inevitably results in reduced waste of valuable resources and the improved allocation of productive resources, time spent in identifying and reducing or eliminating risk more than recovers the costs associated with its implementation. It is from this perspective that it could be held that a quality ERM program is not only cost neutral to the organisation but ultimately will result in substantial savings.

7.11.5.7. TIMEFRAMES

The timeframe for risk related activities within the Branch is outlined as follows:

| Program | Completion Date |
| --- | --- |
| Reporting: 1. Branch Executive Committee. 2. Branch Compliance Committee. | 1. Bi-Annually 2. Annually |
| Training: 1. Voluntary leadership and professional staff. 2. Advanced risk training workshops. | 1. Ongoing - Completed as required. 2. Ongoing - Completed as required. |
| Review of Strategic, Operational and Activity Risk Registers. | Annually (or more frequently in response to material changes in circumstances) |
| Assist volunteer Leaders and professional staff complete complex Risk Assessments as required. | Ongoing |
| Perform an Audit function of Risk Treatments in consultation with the Branch Compliance Committee. | Ongoing |
| Continual development and implementation of ERM strategies. | Ongoing |
| Assist with the placement of Insurances. | Annually |
| Assist with the Maintenance of Insurance Program. | Ongoing |
| Track and advise on the handling of Insurance and Third Party claims. | Ongoing |
| Business Continuity Plan: 1. Maintenance 2. Formal Scenario Testing. | 1. Ongoing 2. Annually |
| Review of ERM Policy, Framework, Guidelines and supporting documentation. | Ongoing with a major review every two (2) years. |