Risk Management

PURPOSE

Risk Management is an essential element to support good management practice and effective corporate governance, as it informs decision-making, improves outcomes, and enhances accountability. 

The application of risk management will provide the basis for: 

  • More informed decision making leading to improved confidence and trust in decision making; 

  • Improved identification and exploitation of opportunities and management of threats; 

  • Reduction of the likely impact of identified risk; 

  • A clear understanding by all staff of their roles and responsibilities in the risk management process; 

  • Improved corporate governance; and 

  • A more risk aware organisation. 

SCOPE

Risk management will be incorporated into the strategic, program, project, and operational planning processes within HIC (Health Informatics Centre). 

RESPONSIBILITIES

Role and responsibility:

  • HIC All Staff: Identify any potentially harmful events that may have an impact on HIC.

  • Process Manager: Senior staff member, or delegated process manager, who is responsible for managing the process.

DEFINITIONS

  • Control: A means of managing risk by providing safeguards. This includes policies, procedures, guidelines, other administrative controls, technical controls, or management controls. 

  • Risk: The potential for an unwanted event to have a negative impact as a result of exploiting a weakness. It can be seen as a function of the value of the asset, threats, and vulnerabilities.

PROCEDURE

[Figure: Risk Management process diagram (RiskMangement 1.1.JPG)]

1. Identify

  • Identify the potential events that may have an impact on the organisation’s objectives or on the business as a whole as a result of any HIC activity. Risk identification should happen as early as possible in the activity life cycle and the process should be reiterated throughout the life cycle as the activity progresses. 

2. Assess

  • Quantify consequence – Consider how serious the consequence would be if the risk were to occur. It is helpful at this point to consider whether the consequence affects time, cost, quality, safety, schedule, finances, reputation, or the number of people affected. Consequence should be scored from 1 to 5 based on severity.  

  • Quantify likelihood – Consider how likely the risk is to occur. Likelihood should also be scored on a scale of 1 to 5 from rare to almost certain.  

  • Consequence and Likelihood values are defined in Appendix 1. 

3. Risk Appetite 

  • The organisation’s risk appetite is shown, using a red line, in Appendix 1.  

  • The organisation tolerates risks that fall below and to the left of the defined risk appetite line. 

  • Where a risk is classified above or to the right of the risk appetite line, the objective is to bring it down to an acceptable level using mitigation measures. 

  • Where possible, other risks should also be reduced as far as practicable, balanced against a cost-benefit analysis. 

  • Red risks are not tolerated and must be managed down to amber or, preferably, green level. 

4. Plan 

  • For risks which are above the risk appetite, risk treatment should then be planned. There are several ways to treat risks, and these are listed below in order of desirability:  

    • Remove – change the specification, take an alternative approach, etc.  

    • Transfer – insure against the risk occurring, or transfer it contractually.  

    • Reduce – put procedures in place to reduce the likelihood or impact.  

    • Manage – put contingencies in place.  

    • Accept – the risk is not significant enough to warrant the added cost of reducing it to below the risk appetite. 

5. Implement 

  • Take appropriate and cost-efficient actions to manage and control risks. 

  • Document decisions and implement the resulting actions through business-as-usual processes. 

6. Re-evaluate 

  • Establish whether the likelihood, consequence, controls in place, mitigation, and control maturity are all still applicable and appropriate, and whether the risk remains within the acceptable risk appetite. 

  • Re-evaluation should be held to establish the following:  

    • Identify which risks have occurred and whether contingencies have been successful.  

    • Identify which risks could have occurred but did not.  

    • Monitor the effectiveness of mitigation on open risks.  

    • Review risks that might occur in the upcoming period and establish whether the mitigation strategy remains appropriate.  

    • Take any newly identified risks through the Risk Management process.  

    • Update the risk records.  

7. Report and Improve 

  • Reporting on risk where residual risk exceeds the defined risk appetite will occur at the regular ISMS Management Review meetings.

APPENDICES

Appendix 1 - Risk Appetite

[Figure: risk appetite matrix showing consequence and likelihood scores with the red risk appetite line (risk.png)]

APPLICABLE REFERENCES

  • How To Review a Risk

DOCUMENT CONTROLS

  • Process Manager: Jenny Johnston

  • Point of Contact: hic-ops@dundee.ac.uk

Revision history (Revision Number, Revision Date, Revision Made, Revision By, Revision Category, Approved By, Effective Date):

Revision 1.0
  • Revision Date: 01/01/24
  • Revision Made: Moved SOP to Confluence from SharePoint and updated into new template.
  • Revision By: Bruce Miller and Symone Sheane
  • Revision Category: Superficial
  • Approved By: Governance Co-Ordinator: Symone Sheane
  • Effective Date: 10/01/24

Revision 1.1
  • Revision Date: 04/04/24
  • Revision Made: Updated Roles and Responsibilities.
  • Revision By: Bruce Miller
  • Revision Category: Superficial
  • Approved By: Governance Co-Ordinator: Symone Sheane
  • Effective Date: 5/04/24

Revision 1.2
  • Revision Date: 10/04/24
  • Revision Made: Formatted document control table and added in revision category.
  • Revision By: Symone Sheane
  • Revision Category: Superficial
  • Approved By: Governance Co-Ordinator: Symone Sheane
  • Effective Date: 10/04/24

Revision 1.3
  • Revision Date: 19/04/24
  • Revision Made: Updated Approved by title.
  • Revision By: Symone Sheane
  • Revision Category: Superficial
  • Approved By: Governance Co-Ordinator: Symone Sheane
  • Effective Date: 19/04/24

Revision 1.4
  • Revision Date: 10/04/24
  • Revision Made: Added in responsibilities section.
  • Revision By: Symone Sheane
  • Revision Category: Superficial
  • Approved By: Governance Co-Ordinator: Symone Sheane
  • Effective Date: 19/04/24

Revision 1.5
  • Revision Date: 30/04/24
  • Revision Made: Updated Header to conform with BSI guidelines.
  • Revision By: Bruce Miller
  • Revision Category: Superficial
  • Approved By: Governance Co-Ordinator: Symone
  • Effective Date: 30/04/24

Revision 1.6
  • Revision Date: 02/05/24
  • Revision Made: Updated links to Definitions in ISMS Glossary.
  • Revision By: Bruce Miller
  • Revision Category: Superficial
  • Approved By: Governance Co-Ordinator: Symone Sheane
  • Effective Date: 18/11/24

Revision 1.7
  • Revision Date: 19/11/24
  • Revision Made: None - Annual Review.
  • Revision By: Jenny Johnston
  • Revision Category: N/A
  • Approved By: Operational Team Lead: Jenny Johnston
  • Effective Date: 19/11/24

Revision 1.8
  • Revision Date: 11/07/25
  • Revision Made: Updated point of contact email.
  • Revision By: Symone Sheane
  • Revision Category: Superficial
  • Approved By: Governance Co-Ordinator: Symone Sheane
  • Effective Date: 11/07/25

Revision 1.9
  • Revision Date: 07/11/25
  • Revision Made: Added definitions from glossary; updated risk appetite image; updated project language to activity.
  • Revision By: Symone Sheane
  • Revision Category: Superficial
  • Approved By: Governance Co-Ordinator: Symone Sheane; Operational Team Lead: Jenny Johnston
  • Effective Date: 07/11/25

Revision 1.10
  • Revision Date: 11/11/25
  • Revision Made: Fixed grammar and spelling mistakes.
  • Revision By: Symone Sheane
  • Revision Category: Superficial
  • Approved By: Governance Co-Ordinator: Symone Sheane
  • Effective Date: 11/11/25

Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within current versioning system prior to use and destroyed promptly thereafter. All hard copies are considered Uncontrolled documents.