Risk Management Policy

This AusAID risk management policy (March 2006) replaces the policy outlined in AusAID Circular No. 29 of 8 November 1999.

PREAMBLE
Risk management is an integral part of the AusAID approach to decision-making and accountability. Risk management comprises the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects within AusAIDs operational environment. At any one time AusAID has several billion dollars of programs and activities under management. Australian aid promotes Australias fundamental national interests in regional peace, stability and poverty reduction and is often delivered in high-risk environments. The manner in which AusAID performs this important role can significantly affect Australias international reputation and national interests. Risk is inherent in all AusAIDs functions. All AusAID personnel are responsible for managing the risks that relate to their particular area of work. Risks should be managed in a way that derives the best outcomes for AusAID and its stakeholders. The aim of this policy is not to eliminate risk. It is to assist AusAID personnel to manage the risks involved in all AusAIDs activities to maximise opportunities and minimise adverse consequences. Effective risk management requires: Identifying and taking opportunities to improve performance as well as taking action to avoid or reduce the chances of something going wrong A systematic process that can be used when making decisions to improve the effectiveness and efficiency of performance Forward thinking and active approaches to management Effective communication Accountability in decision making Balance between the cost of managing risk and the anticipated benefits.

BACKGROUND
Risk can be defined as the chance of something happening that may have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood combined to arrive at a risk rating from Low to Very High (see the Risk Assessment Matrix in Annex 1). Risk management is, therefore, defined as the culture, processes and

structures that are directed towards realising potential opportunities whilst managing adverse effects (see Annex 1 for more key definitions). The concept of managing risk is an integral part of the accountability requirements at all levels in AusAID. An effective risk management system will safeguard Commonwealth interests and ensure the best use of its resources. Recognition of risk management as a central element of good corporate governance, and as a tool to assist in strategic and operational planning, has many potential benefits in the context of the changing operating environment of AusAIDs core business. All AusAID personnel have a responsibility to ensure that the risks relating to their particular area of work whether it is in Canberra, an overseas post or a seconded assignment are managed to ensure the best outcome is achieved. The Risk Management Guide included as Annex 1 provides AusAID personnel with practical assistance and tools to use when implementing risk management practices. The Guide also includes examples of the range of risks relevant to AusAID. Personnel should be alert to these types of risk, as well as risks specific to their particular function(s), programs, activities, posts and work areas. The Australian/New Zealand Standard for Risk Management (AS/NZS 4360:2004) was released in 2004 and AusAID has recently upgraded risk management processes, for example, integrating risk management with business planning and developing a Corporate Risk Assessment and Management Plan. The previous Risk Management Policy (November 1999) has been revised to incorporate advancements in the new Australian/New Zealand Standard for Risk Management and AusAID risk management-related procedural developments.

THE POLICY
AusAID aims to manage risk in accordance with the Australian/New Zealand Risk Management Standard. Guidelines for Managing Risk in the Australian and New Zealand Public Sector expands on the Standard to provide guidance for Public Sector agencies. Risk management is an iterative process of continuous improvement that is best embedded into existing practices or business processes. The main elements of the AusAID risk management process are: Communicate and consult: Liaise with internal and external stakeholders as appropriate at each stage of the risk management process and concerning the process as a whole. Establish the context: Define the basic parameters within which risks must be managed and set the scope for the rest of the risk management process. The context includes AusAIDs external and internal environment and the purpose of the risk management activity. Identify risks: This step seeks to identify the risks to be managed.

Analyse risks: Identify and evaluate existing controls. Determine consequences and likelihood and hence the level of risk. This analysis should consider the range of potential consequences and how these could occur. Evaluate risks: Compare estimated levels of risk against pre-established criteria (see risk matrix in Risk Management Guide) and consider the balance between potential benefits and adverse outcomes. This enables decisions to be made about the extent and nature of treatments required and about priorities. Treat risks: Develop and implement specific cost-effective strategies and action plans for increasing potential benefits and reducing potential costs. Allocate responsibilities to those best placed to address the risk and agree on target date for action. Document, monitor and review: Each stage of the risk management process must be documented. It is necessary to monitor the effectiveness of the risk management process. This is important for continuous improvement. Risks and the effectiveness of treatment measures need to be monitored to ensure changing circumstances are taken into consideration.

Each step of the risk management process including indications of the relevance to AusAID personnel is discussed in greater detail in Annex 1. Schematically, the risk management process can be depicted as follows:

Establish the context

Document, Monitor and Review

RESPONSIBILITIES
The following responsibilities exist for the implementation of effective agency-wide risk management:

Communicate and Consult

Risk Assessment

Identify risks

Analyse risks

Evaluate risks

Treat risks

The Director General and Senior Executive are responsible for the implementation and maintenance of sound risk management. In carrying out this responsibility, senior managers should review the adequacy of internal controls to ensure that they are operating effectively and are appropriate for achieving corporate goals and objectives. Managers should put in place mechanisms that promote the culture of risk management practices and encourage and empower personnel in the management of risk. The Audit Committee is responsible for oversight and for providing corporate assurance on the adequacy of risk management procedures across AusAID. The Performance Review and Audit (AUDIT) Section assists this through: its riskbased audit approach; monitoring and review of risk management policies and procedures and control structures; identification of fraud risks; and delivery of risk management awareness and guidance materials. Branch Heads should ensure that Business Unit Plans include a discussion of key issues and major risks. Heads of AusAID offices at overseas posts should ensure that annual Post Risk and Fraud Management Plans are completed and forwarded to AUDIT Section. Country Program Managers should complete a risk assessment when developing country program strategies. Activity Managers should ensure risk management plans are completed for all activities in accordance with AusGUIDE requirements and updated by AMCs in annual plans, or more frequently, as necessary. Activity/Contract Managers should ensure that all NGOs and Contractors providing goods and services to AusAID adhere to risk management requirements in AusGUIDE, NGOPI and relevant contracts. Managers at all levels are to create an environment where managing risk forms the basis of all activities.

All AusAID personnel should adopt sound risk management practices within their particular areas of responsibility.

ANNEXES
1 AusAID Risk Management Guide