Risk Management Policy


Authorised by Board of Management

Issue Date: 25 October 2018

Reviewed Date: 28 June 2023

 

Purpose

The purpose of this policy is to provide guidance and direction on the management of risk within Kyeema.

 

This policy and framework outline the requirements and responsibilities of the Board and all staff, and emphasise that managing risk and reporting on risk is everyone's responsibility.

 

This framework aims to ensure greater consistency in informed management decision making and the consequent alignment of management and operational resources.

 

Scope

This policy applies across all program areas within Kyeema, including:

      Board

      Board committees

      Employees and contractors

      Volunteers.

 

This framework considers all organisational risks, including strategic, operational, environmental, sustainability, compliance (including safety), ethical conduct, reputation, technology, service quality, human resource and financial management.

 

Risk Management Policy

Kyeema is committed to the implementation and maintenance of a formal risk management framework. This includes the integration of risk and risk management strategies throughout the organisation as fundamental to achieving our strategic and operational priorities and objectives. Risk management also contributes to effective financial management, regulatory compliance, resource planning, and stakeholder confidence.

 

Policy Implementation

This Risk Management Framework was developed in line with the principles and guidelines outlined in the Australian Standard on Risk Management, AS/NZS ISO 31000:2018 Risk Management - Guidelines. The Framework is integrated into strategic planning and covers risk appetite, assessment, controls and reporting.

 

Risk Assessment

Risk assessment is the process of identifying, analysing and evaluating risks, whether their potential outcomes are positive or negative. Kyeema uses the Risk Management Methodology (Appendix 1) to evaluate risks by assessing the consequence of the risk and the likelihood of the event occurring. This methodology applies to all risk assessments undertaken at Kyeema.

 

Risk Controls

Risk controls include any process, policy, device, practice or other action that modifies risk. Management is responsible for the design, implementation and maintenance of controls. The Finance Audit and Risk Committee is responsible for reviewing the internal control framework (the controls and treatments used to manage risks) to ensure they are appropriate and effective. Each control requires an owner within the Kyeema Management team, and controls are reviewed and reported to the Finance Audit and Risk Committee and the Board on a quarterly basis.

 

Risk Reporting

Regular risk reporting ensures that Kyeema is on track to deliver on its strategic priorities, that the organisation identifies and addresses risks as they emerge, and that good governance and effective operations are upheld. Any risk assessed as high or very high must be reported to management for further analysis and, if warranted, the development of risk treatments in conjunction with staff.

 

Roles and Responsibilities

Risk management is integrated into organisational processes and decision making and is everyone’s responsibility.

 

The Board is responsible for the oversight of the organisation’s approach to risk management. This includes the need for the Board to satisfy itself that:

 

      Management has a framework in place for managing risk that is suitable for the size, business objectives and overall complexity of Kyeema's operations.

      The risk appetite has been appropriately set and has been communicated to all levels of management responsible for the assessment of material risks.

 

The Finance Audit and Risk Committee is responsible for coordinating the Board's approach to risk management and ensuring that risks and controls are monitored and managed by:

      Regular review of financial and risk management processes.

      Engaging management on the extent and format of risk information to be provided to the Finance Audit and Risk Committee and the Board.

      Quarterly risk reviews (deep dives) into specific risks.

 

The CEO is responsible for leading the implementation of the Risk Management Framework and is accountable to the Board. The CEO is also responsible for actively developing and managing a culture in which risk management is part of day-to-day business, risks are proactively assessed and reported, and effective controls and treatments are implemented.

 

Staff are responsible for assisting in the identification and management of material risks within their areas of activity.

 

Review

The Finance Audit and Risk Committee is responsible for reviewing the Risk Management Policy and the Risk Management Framework on an annual basis, and the risk register on a quarterly basis. The annual Policy and Framework review will consider:

 

      The impact of changes to Kyeema’s operating environment.

      The adequacy and effectiveness of the risk framework.

      A review of the risk register against the risk appetite statement.

      The adequacy and effectiveness of controls.

      The progress of treatment plans.

      Any internal audit of risk controls and/or other risk assurance activities.

 

Relevant Legislation and Standards

 

Corporations Act 2001 (Corporations Act)

AS 8000-2003 Corporate Governance (Good Governance Principles)

AS 8001-2008 Fraud and Corruption Control

AS/NZS ISO 31000:2018 Risk Management - Guidelines

 

Related Policies, Procedures and Documents:

Risk Management Procedure

Risk Management Framework & Procedure

Risk Analysis and Hazard Identification Procedure

Risk Assessment Register SF-14

Risk Analysis Matrix SF-08

Home Risk Assessment Form CCF-19

High Risk Activity Assessment CCF-86

Excursion/Activity Checklist CCF-52

Emergency Response Plan SF-62

Business Continuity Plan - General CF-01

Business Continuity Plan - COVID CF-02

Bus Safety Act 2009

Participant Transportation Procedure

Organisational Risk Register: K:\Risk Management - Organisation\Organisational Risk Register