Risk Management in the S.A. Public Sector

1. Risk Management in the S.A. Public Sector Darryl Bruhn Risk Management Coordinator SAFA (SAICORP) Phone 8226 3429 Bruhn.Darryl2@saugov.sa.gov.au

2. SAFA (SAICORP) • 1/7/1994 South Australian Insurance Corporation (trading as SAICORP)established. • Insurance cover for all agencies of the Crown • Whole of Government catastrophe reinsurance • Provide risk management advice & assistance • 1/7/2006 SAICORP amalgamated with South Australian Financing Authority (SAFA). • Part of Dept. Treasury & Finance

3. Risk Management Advice & Assistance • Coordinating risk management training • Assisting agencies with risk management policy & framework development • Providing funding for specific risk management initiatives • Coordinating networks and forums • Developing manuals & workbooks • Publishing the SAICORP Newsletter • Promoting AS/NZS4360 Risk Management Standard & RMIA

4. Session Outline • Risk & Risk Management Context • Reasons for implementing risk management policy & frameworks. • Developing risk management policy & frameworks – agency considerations.

5. RISK MANAGEMENT STANDARD AS/NZS 4360 • Developed with the objective of providing a guide to establishing a risk management framework using the risk management process. • The standard specifies the elements of the risk management process only. • It is a generic framework and independentof any specific industry or economicsector.

6. Definitions in 4360 Risk is “theCHANCEof something happening that will have anIMPACTon OBJECTIVES” Risk =DEGREE of UNCERTAINTYas to the potential for gain as well as exposure to loss. Risk Management is the “CULTURE, PROCESSES AND STRUCTURESthat are directed towards realising potential opportunities, whilst managing adverse effects.”

7. RISK MANAGEMENT PROCESS • Built-in continuous improvement cycle • Risk Assessment = Identify, Analyse & Evaluate Risks • Define Context first • Opportunities as well

8. RISK ASSESSMENT • Subset of the Risk Management process • Managers involved in this • Define Context and clear focus for risk assessment. • E.g. Strategic, business or project plan • 3 years, 1 year, 6 months • J &PS Outcomes • Objectives – Impacted upon • Degree of Uncertainty

9. RISK ASSESSMENT (continued) • Unexpected Events • Expected Events • Uncertainty = at what rate will it occur • Will it Impact on Objectives? • Staff turnover, absences, workers compensation costs • Consider scenarios

10. Characteristics Extremely hard to quantify Catastrophic in nature Out of our control Always negative outcomes Restorative planning & actions RM Response Business Continuity Emergency Response Disaster Recovery Planning Question of balance. Uncertainty-based Risks

11. Characteristics Insurable type risks Extensive data available SOP’s used to manage Accident rate that is uncertain Treat by reducing likelihood/consequence or both - Preventative Examples OH & S / Workers Comp. Property Financial management Clinical Hazard type risks

12. Characteristics Often non insurable type risks Assessment is qualitative Performance related Treat by avoidance, risk sharing etc. Integrated into business Examples Strategic Business, Project planning Opportunity costs Relationship, reputations Efficiency & effectiveness Opportunity type risks

13. 2. Rationale for Implementing aRisk Management Policy & Framework? 1) Compliance 2) Protection 3) Improve Organisational Performance

14. 2.1 COMPLIANCE ISSUES • S. A. Government : Risk Management Policy – Re-issued November 2003 • CE’s Accountable to their Ministers • Protect & enhance Govt. resources • Protect well being of citizens & environment • SAICORP to provide advice to the Crown • “Premiers Safety Commitment Statement” & DAIS - “Workplace Safety Management in the SA Public Sector 2004 - 2006 – Implementation Plan.” • Annual SAICORP Declarations – to meet our duty of disclosure to our insurers (re-insurers) • Corporate Governance Expectation

15. 2.2 Protection Provided on Two Levels : 1) Reduce likelihood of things going wrong and / or when things do go wrong, the consequences should be less severe. 2) Due diligence defence - will be able to demonstrate that all reasonable efforts have been made using a systematic, consistent approach to identify, rate and treat risks.

16. 2.3 To improve organisational performance • Improve strategic and business planning • Improve information for decision making • Maximise the benefits of opportunities that arise • Improve operating efficiency due to targeting of resources, less time fire-fighting and avoidance of costly mistakes. • Provide an early warning system enabling preventative action to be taken

17. 3.1 Policy & Framework – Agency Considerations • Central coordinating body responsible for Risk Management. • Communication & Consultation on risk management • Risk Management Policy & Framework • Criteria, categories of risks • Likelihood & consequence indicators • Risk Matrix • Annual,Half Yearly, Quarterly, needs based risk assessment • Risk Assessment Tools & reporting requirements • How to assist managers meet their risk management responsibilities

18. LIKELIHOOD OF OCCURRENCE RATING Description Almost Certain 5 This event will almost certainly occur within the next six months Likely 4 It is likely that this event will occur at least once in the next year or it is moderately likely that this event will occur at least once in the next two years Moderate 3 It is moderately likely that this event will occur at least once in the next two years Unlikely 2 It is possible, though unlikely, that this event may occur once in a 2 year period Rare 1 May occur only in very unusual circumstances. Remote possibility of occurring once every 2 to 5 years Likelihood Descriptors

19. AREA OF IMPACT RATING Financial Organisational Impact Reputation & Image Human Resources Insignificant 1 Financial loss up to $50,000 Small delay, internal inconvenience only. One off media coverage only Minor injury. Temporary local poor morale. Minor 2 Financial loss >$50,000 and < $100,000 Easily remedied, some impact on external stakeholders. Business objectives delayed. Temporary negative impact on reputation Lost time injury. Local but lingering poor morale. Skill mix issues Moderate 3 Financial loss >$100,000 and < $500,000 Considerable remedial effort required with widespread disruption to the organization extending for period up to 3 months. Some business objectives will not be achieved. Temporary breakdown in key relationship. Widespread negative reporting in media. Premier or Ministerial involvement. Serious permanent injury. Ongoing widespread morale issues. High staff turnover. Major 4 Financial loss > $500,000 and< $1 million Permanent loss of critical information, substantial disruption to organization or external intervention extending over 3 months or more. Major goals not achieved. Ongoing widespread negative reporting in media. Leads to a high-level independent investigation with adverse findings. Death. Entrenched morale problems. Inability to recruit staff with necessary skills. Catastrophic 5 Financial loss > $1 million Organisation is totally dysfunctional requiring appointment of an administrator. Total loss of confidence within community leading to dismissal of Board. Consequence Descriptors Example Detail Description

20. Level of Risk Matrix

21. 3.2 What does a Risk Management Policy & Frameworkhelp to achieve? • A systematic and consistent approach to considering risk and opportunity integrated into all planning and business activities. • Cultural change– Reactive to Proactive to become embedded into the departmental culture.

22. Risk Assessment Training • Duration (three hours) for all managers and risk assessment facilitators on all aspects of risk assessment including: • defining the risk assessment context; • Identifying, analysing & evaluating risk; • completing risk registers and • developing risk treatment plans. NOTE: Registration fee of $55 (incl. GST)

23. QUESTIONS ???????www.treasury.sa.gov.au