The purpose of risk management is the creation and protection of value. It improves organisational performance, encourages innovation and supports the achievement of the objectives of DAISI. This policy sets out DAISI’s approach to Risk Management.
Risk Management is the responsibility of all those who participate in the work of DAISI. This includes Board Members, Office Bearers, staff, members and volunteers.
As a condition of organisational partnership, DAISI also expects appropriate risk management is undertaken by those partner organisations who work in partnership with DAISI.
- DAISI is committed to continually developing and maintaining organisational culture and practices that optimise the ability of members, volunteers, staff, management, partner organisations and Board Members to pursue the Mission/Vision and achieve organisational objectives, while ensuring the appropriate identification, assessment, monitoring and management of risk.
- DAISI integrates consideration of risk, using its risk likelihood matrix, into planning and decision-making processes by senior management and the Board.
- DAISI’s Risk Management Policy aims to reduce and manage risks faced by the organisation. The principles of the policy are as follows:
- Integrated – risk management is an integral part of all organisational activities at all levels within the organisation, both operational and strategic;
- Structured and comprehensive – the process of risk management is consistent across the organisation to ensure efficiency, consistency and reliability of results;
- Customised – Risk management activities are able to be customised and proportionate to the level of risk faced by the organisation;
- Inclusive – Engaging partners and stakeholders in risk management processes recognises that communication and consultation are key to managing risk;
- Dynamic – Risk management activities need to be iterative and responsive to emerging and changing risks;
- Best available information – to effectively manage risk it is important to understand and consider all available information relevant to an activity and to be aware that there may be limitations on the information.
- Human and cultural factors – risk management needs to recognise the contribution that people and culture make to achieving the organisation's objectives;
- Continual improvement – risk management is continually improved through learning and experience.
Risk Management Framework
9. The purpose of the risk management framework is to assist with integrating risk management into all activities and functions. Our risk management framework is centred on leadership and commitment. Senior management are accountable for managing risk. DAISI's Board is accountable for overseeing risk management and establishes the amount and type of risk that may or may not be taken (the risk appetite). Specific roles and responsibilities are articulated further below. The framework has five elements:
- Integration – As articulated in our policy principles, risk management is part of, and not separate from, all aspects of the organisation;
- Design – Risk management needs to be aligned with the strategy, objectives and culture of the organisation. The internal and external context of the organisation needs to be understood and considered. Communication and consultation arrangements need to be established;
- Implementation – The risk management process defines the appropriate implementation plan including accountability and deadlines as well as identifies where, when and how different types of decisions are made, and by whom;
- Evaluation – As articulated in our policy principles, risk management is an iterative process. As part of this process, we should continually evaluate the effectiveness of existing controls and processes and introduce improvements where necessary;
- Improvement – As articulated in our policy principles, we need to continually monitor and adapt our risk management framework and associated processes to address internal and external changes, and ultimately improve the value of risk management.
Roles and Responsibilities
10. All DAISI directors, office bearers, staff, members & volunteers have a responsibility to be mindful of risk and to ensure appropriate steps and measures are taken to identify, analyse and manage risk in the course of their work.
11. DAISI’s Board must:
- Oversee the Risk Management Policy and Processes ensuring that management is taking appropriate measures to manage risk in the organisation;
- Set the organisational culture and values toward risk management;
- Set the risk appetite of the organisation ensuring it aligns with the strategic objectives and aims;
- Regularly review and provide feedback on the organisational risk assessments and risk register;
12. Senior management including the Board Directors, Office Bearers, General Manager & CEO will:
- Monitor and ensure compliance with this policy and related processes;
- Arrange regular risk management training and development;
- Ensure risk management is integrated into all organisational activities that they are responsible for – it is not a stand-alone process;
- Continually monitor and assess risk in their areas of responsibility;
- In our country office, ensure adequate risk management assessments are undertaken as part of the partner due diligence and capacity assessments;
- In our South-Pacific Island Country Projects, ensure adequate risk management assessments are undertaken for each project and an adequate risk management plan is put in place to mitigate such risks;
- In our South-Pacific Island Country Projects, ensure partner organisations have adequate risk management processes in place and provide training, support and guidance where necessary.
13. Partners must:
- Comply with all obligations as defined in their agreements with DAISI including those pertaining to risk management;
- Provide or develop risk management policies and procedures with assistance from DAISI where required;
- Ensure regular training is undertaken with staff for risk management.
14. The Chief Executive Officer (CEO) (with the assistance of the Treasurer and Secretary):
- Is responsible for the interpretation, administration, application and revision of this Policy and processes;
- Is responsible for the consolidated reporting of organisational risk assessments and mitigation strategies to the Audit, Risk and Governance Committee and Board.
Risk is the effect of uncertainty on objectives. Risk includes events that cause damage or have a negative impact, as well as events that prevent the realisation of positive opportunities or benefits.
Risk Management Processes are the systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, documenting, monitoring and reviewing risk.
Risk Assessment is the process of identifying, analysing, quantifying and documenting risk.
Risk Register refers to the document that records risks and assigns responsibility for their controls and treatments.
Inherent Risk Rating is the risk rating before the impact of any control or treatment.
Residual Risk Rating is the risk rating after the impact of any control or treatment.
Risk Control Current Processes are the procedures, actions or other measures that are taken to reduce the likelihood of a risk occurring or minimise the impact if the risk were to occur. A control is something that is currently in use, as opposed to a treatment, which is a control not yet implemented.
Likelihood is the chance of a risk happening.
Consequence is the outcome or impact of a risk happening. The risk can affect DAISI’s reputation and objectives, its stakeholders or the wider community.
Risk Rating is the rating (or level) of a risk derived from the combination of consequences and their likelihood.
Risk Matrix is the criteria against which the level of risk is evaluated, taking account of likelihood and consequence. DAISI has a specific risk matrix for rating risks.
Risk Treatment is a strategy, process or procedure that aims to reduce the likelihood of a risk occurring, or to share or mitigate its impact. A risk treatment is something being proposed or planned, as opposed to a control, which is already in place.
Risk Appetite is the amount and type of risk that an organisation is willing to bear to achieve its objectives either before or after treatment.
Risk Owner is a named person/entity with accountability or authority to manage a risk.