Risk Management Framework - Mental Health Commission of NSW

Policy Number: 040
Risk Management
February 2015
TRIM Ref: TD14/482
Mental Health Commission of New South Wales
Policy Number: 040 - Risk Management
Policy Details
1. Owner: Manager - Business Operations
2. Compliance is required by: Staff, contractors and volunteers
3. Approved by: The Commissioner
4. Date created: February 2015
5. Date of this review: July 2016
6. Next review due: March 2017
7. Driver: NSW Treasury Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 15-03)
8. References: NSW Treasury Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 15-03); NSW Treasury Risk Management Toolkit for NSW Public Sector Agencies; ISO 31000:2009 Risk Management – Principles and Guidelines
9. Contact Officer/Maintained by: Manager, Business Operations, who monitors changes to legislation, policies and procedures and recommends any amendment to the Risk Management Policy
10. Search terms: Risk, likelihood, consequence
11. Compliance assurance method: By incident monitoring
12. Policy Document location: TD14/482
Policy
The Mental Health Commission of NSW complies with the NSW Treasury Internal Audit and Risk Management
Policy for the NSW Public Sector (‘TPP 15-03’).
TPP 15-03 sets out principles and core requirements to guide agencies in the fulfilment of their legislative obligation
under section 11 of the Public Finance and Audit Act 1983, that is, that an agency establish and maintain an effective
internal audit function.
Principle 1 of TPP 15-03 relates to risk management:
The agency has a risk management framework in place that supports the agency to achieve its objectives by
systematically identifying and managing risks to:
• Increase the likelihood and impact of positive events
• Mitigate the likelihood and impact of negative events
Core Requirements 1.1 and 1.2 stem from this principle:
Core Requirement 1.1
The Commissioner is ultimately responsible and accountable for risk management in the agency.
Core Requirement 1.2
A risk management framework that is appropriate to the agency has been established and maintained and the
framework is consistent with AS/NZS ISO 31000:2009.
Staff, contractors and volunteers at the Commission must comply with the policy and procedures.
The Commission has established a risk management framework to assist the management of its fiscal, environmental
and social responsibilities and the successful delivery of its results and services and obligations under the NSW State
Plan and its enabling legislation.
The Commission has developed a risk management framework and operational model to provide for effective and
consistent risk management across the whole organisation. It includes a risk register that is used to record, rate,
monitor and report risks, and risks are managed and escalated using structured processes at all business unit levels.
The Commission also has an established process for monitoring and reviewing risk control and governance systems.
Risk Management Framework
The framework and operational model establishes risk management as an integral part of the Commission’s
management to achieve organisational objectives and complies with the current international standard AS/NZS ISO
31000:2009.
Purpose
The Commission has developed a framework and process to provide for effective and consistent risk management
across the whole organisation.
Pursuant to AS/NZS ISO 31000:2009, the framework provides for a structured, consistent and continuous process
across the whole organisation for identifying, assessing and deciding on responses to and reporting on opportunities
and threats that affect the achievement of objectives.
Specifically, the framework:
• Assists in strategic decision making by providing a basis for identifying and controlling factors which may impact on the achievement of organisational objectives
• Enhances the safety of staff, members of the public and clients involved in the work of the Commission
• Provides a basis for responsible risk taking to enable and encourage innovation
• Provides assurance that organisational objectives will be achieved within an acceptable degree of risk
• Provides a basis for demonstrating due diligence in the event of adverse outcomes.
Risk Management at the Commission
Under AS/NZS ISO 31000:2009, risk is defined as “…the effect of uncertainty on objectives”.
The framework and operational model divides risk into two major categories: strategic risk and operational risk.
Strategic risks are those risks associated with poor business decisions or external influences that are beyond the
control of the Commission’s Management and may include:
• Changes in the government disposition to the Commission’s objectives
• Implementation of a major business initiative with significant financial impacts
• Sustained economic downturn.
Operational risks are those risks associated with inadequate or failed internal processes, people or systems, or
from external events. Operational risks include those risks associated with individual projects and activities
undertaken by the Commission.
Examples of operational risks are:
• Internal Fraud - misappropriation of assets, bribery
• External Fraud - theft of information, hacking of IT systems and electronic data, theft and forgery
• Employment Practices and Workplace Safety - discrimination, workers compensation, employee health and safety
• Clients, Products, & Business Practice - market manipulation, improper trade, product and service defects, fiduciary breaches
• Damage to Physical Assets - natural disasters, vandalism, terrorism, accident
• Business Disruption and Systems Failures - utility disruptions, software failures, hardware failures
• Execution, Delivery and Process Management - data entry errors, accounting errors, failed mandatory reporting.
AS/NZS ISO 31000:2009 provides a generic process (Figure 1) for managing risk within an organisation. The
framework and operational model complies with this process.
Figure 1: Commission’s Risk Management Process (process diagram: Establish the Context, Risk Identification, Risk Analysis, Risk Evaluation and Risk Treatment in sequence, with Communication and Consultation and Monitoring and Review applied throughout)
The Commission establishes the corporate “risk appetite” by setting the risk boundaries, ratings and
reporting requirements under the framework (tables 1-4).
Risk Management Framework
The risk categories under the framework identify the context within which the Commission manages
risk and accounts for both internal and external factors affecting the ability of the Commission to
deliver on its corporate objectives.
Preliminary risk categories under the framework include:
• Financial and Economic
• Health and Safety
• Reputation
• Political
• Environment
• Compliance.
AS/NZS ISO 31000:2009 provides for risks to be analysed and scaled according to likelihood and
consequence. The framework provides boundaries defining the likelihood and consequence of risk as
follows.
Table 1: Likelihood of risk definitions

Likelihood Rating | Likelihood of Occurrence (Qualitative) | Likelihood of Occurrence (Quantitative)
Almost Certain | Occurs regularly; expected to occur in most circumstances | The risk may occur several times over a short period, say 6 months
Likely | Will probably occur | The risk may occur once or twice a year
Possible | May occur at some time | The risk may occur once in a period of several years
Unlikely | Doubtful that it will occur | The risk which is yet to occur but could occur over time
Rare | May occur only in exceptional circumstances | The risk that is relatively unknown and has not been experienced to date
Table 2: Consequence of risk definitions

Consequence levels: Insignificant, Minor, Moderate, Major, Significant.

Financial and Economic (including assets)
  Insignificant: Impact on budget insignificant and managed within discretionary limits of single business portfolio (less than $1k). Insignificant loss/damage to assets; no redirection of existing budget required.
  Minor: Impact on budget is managed within discretionary limits of single business portfolio unit budget (less than $10K). Loss/damage to assets may require redirection of existing budget.
  Moderate: Impacts budget at Division level ($10K-$50K). Loss/damage to significant items of critical plant & equipment requiring coordinated project and significant redirection of budget to restore.
  Major: Significant impact on organisational contingency between $50K and $100K. Major loss/damage to an item of plant & equipment that is restorable at a cost of $25k plus.
  Significant: Impact exceeds MHC’s contingency capacity; additional funding necessary over $100k. Major loss/damage to an item of plant & equipment that is not restorable and is required to be replaced at a cost of over $50k.

Health and Safety
  Insignificant: Minor injury requiring first aid and no lost time; no lost time, but minor temporary incapacity.
  Minor: Minor injury requiring medical treatment; short-term absence.
  Moderate: Temporary incapacity or lost-time injury; hospitalization.
  Major: Permanent incapacity and long term absence.
  Significant: Permanent incapacity and long term absence, with possibility of no return to work.

Reputation
  Insignificant: User complaints direct to MHC either by phone, in writing or in person. Can be dealt with by Team management.
  Minor: Possible minor local media attention, resulting in some MHC embarrassment, requiring attention by Director, Strategic Operations and Communications.
  Moderate: Widespread user complaints and adverse media attention requiring attention by Director, Strategic Operations and Communications and/or Deputy Commissioner.
  Major: Sustained demonstration of user concern and sustained national adverse media coverage, requiring attention by Commissioner.
  Significant: Sustained demonstration of user and media concerns resulting in Ministerial embarrassment and possible loss of political support, requiring attention by Commissioner.

Environmental
  Insignificant: Brief impact resulting in minor diversion of resources for less than 1 day.
  Minor: Brief impact resulting in minor diversion of resources for more than 1 day.
  Moderate: Sustained impact resulting in diversion of resources for more than 3 days and affects other business activities.
  Major: Short-term impact resulting in diversion of resources from other business activities for more than 5 days.
  Significant: Significant impact resulting in diversion of resources from other business activities for more than 10 days.

Compliance
  Insignificant: Non-compliance rectified with immediate management intervention.
  Minor: Non-compliance readily rectified with Management intervention and notifying the regulatory agency.
  Moderate: Non-compliance resulting in a notification from the regulatory agency and addressed by management.
  Major: Non-compliance resulting in penalty or prosecution or restriction order and addressed by the Chief Audit Executive.
  Significant: Significant non-compliance resulting in a Ministerial warning and possible mention in Parliament requiring intervention by the Commissioner.
The framework derives risk ratings from likelihood and consequence as follows.
Table 3: Risk ratings

Likelihood \ Consequence | Insignificant | Minor | Moderate | Major | Significant
Almost Certain | Medium | Medium | High | Extreme | Extreme
Likely | Low | Medium | High | High | Extreme
Possible | Low | Low | Medium | High | Extreme
Unlikely | Low | Low | Medium | Medium | High
Rare | Low | Low | Low | Medium | High
The framework provides for risk reporting and action as follows.
Table 4: Risk reporting and actions

Significant
  Consequence of occurrence: Loss of ability to sustain ongoing operations. An event that would cause operations to be substantially disrupted resulting in severe impact upon public image and reputation.
  Action: Immediate
  Reporting: Commissioner
Major
  Consequence of occurrence: Significantly reduced ability to achieve corporate objectives, impacting our overall business operations, e.g. short term loss of service.
  Reporting: Deputy Commissioner
Moderate
  Consequence of occurrence: Disruption to normal operations with a moderate effect on the achievement of objectives, e.g. temporary loss of service and/or processing capability.
  Reporting: Manager, Business Operations
Minor
  Consequence of occurrence: Limited impact on the achievement of objectives.
  Reporting: Manager, Business Operations
Insignificant
  Consequence of occurrence: No impact on the achievement of objectives – readily resolvable by management with no consequences to the business.
  Reporting: Manager, Business Operations
Risk Register
The Commission has developed a centralised, electronic risk database which acts as a central register
and repository for specific risk management data. The Risk Register permits timely reporting of risk
exposure to inform management action.
The Risk Register identifies the Commission’s strategic and operational risks, ascribes an internal owner to each risk, describes
the existing controls that are in place to manage the risk and assigns a risk rating based upon the likelihood and consequence of
the risk occurring. Proposed risk mitigation strategies for each risk are also described with the outcomes of these control
strategies then creating a target risk rating (that is, the residual risk after proposed control strategies are implemented).
The Commission’s Risk Register can be accessed via Trim Reference TF14/46.
Operational Model
The risk management model for the Commission is at Figure 2 and takes account of the physically dispersed nature of the
Commission’s operations and aligns with the current organisational structure. The model integrates risk management with the
Commission’s management structure and establishes risk management as a structured, consistent and continuous process
across the whole organisation in compliance with AS/NZS ISO 31000:2009.
Figure 2: Risk Management Model for the Commission (organisation chart: at the strategic level, the Commissioner and the ARC; the Chief Audit Executive (Deputy Commissioner (full-time)); the Director, Strategic Operations and Communications; the Manager, Strategic Engagement and Innovation; the Manager, Communications and Stakeholder Engagement; the Manager, Systems Monitoring and Review; and the Manager, Business Operations)
Under the model, strategic risk is managed by the Deputy Commissioner who is the Chief Audit Executive and a report on
strategic risks is made on a quarterly basis to the Audit & Risk Committee.
Operational Risk is managed by the Manager, Business Operations and a report on operational risks is made on a quarterly basis
to the Audit & Risk Committee.
Roles and Responsibilities
The Commission’s staff, contractors and volunteers will:
• Manage risks – that is, identify, assess and treat risks, in the course of their work
• Promptly report any existing or potential risk to their manager
Managers will:
• Foster an environment that promotes risk management as part of everyday decision making
• Ensure staff have an awareness of internal controls and are accountable for managing risk in their roles
• Assess known risks using the risk framework and escalate responsibility as appropriate
• Manage project risks in a way that is consistent with, and linked to, the Risk Management Framework
• Identify uncertainties that will affect the achievement of Commission objectives
• Establish policies, operating and performance standards, budgets, plans, systems and procedures to address identified risks and reduce them to an acceptable or tolerable level
• Monitor the effectiveness of controls
• Undertake self-assessments (where directed) to certify the effectiveness of controls addressing risks for which they are responsible.
Manager, Business Operations will:
• Report on operational risks on a quarterly basis to the Audit and Risk Committee
• Act as the primary champion for risk management at the operational level
• Prepare the Commission’s attestation for compliance with the NSW Treasury Internal Audit and Risk
Management Policy for the NSW Government Sector
• Maintain the Commission’s Risk Management Framework and Risk Register
• Monitor compliance with risk management policy and procedures.
Deputy Commissioner / Chief Audit Executive will:
• Report on strategic risks on a quarterly basis to the Audit and Risk Committee
• Act as the primary champion for risk management at the strategic level
• Review the Commission’s approach and activities with regard to risk management
• Review recommendations from the Audit and Risk Committee and ensure they are implemented
• Ensure risk management planning is part of the strategic, operational and annual business planning activities
of the Commission
• Review risk treatment plans and risk management reports, including the Risk Register.
Commissioner will:
• Have ultimate responsibility and accountability for risk management in the Commission.
• Ensure that a risk management framework that is appropriate to the Commission and consistent with ISO
31000:2009 is established and maintained within the Commission
• Formally attest to NSW Treasury compliance with NSW Treasury Internal Audit and Risk Management Policy for
the NSW Government Sector and publish the attestation in the Annual Report.
• Determine and articulate the level of risk the Commission is willing to accept or tolerate.
• Approve, monitor and communicate the Commission’s Risk Management Policy and Plans.
• Promote and communicate a positive risk culture
• Ensure that managers and decision makers in the Commission understand that they are accountable for
managing risk within their sphere of authority and in relation to the decisions they take.
Further Guidance and Resources
The NSW Treasury Risk Management Toolkit for the NSW Public Sector provides a range of tools to support
agencies to develop and implement their risk management framework and processes. The Toolkit provides
detailed and practical advice on the various elements of ISO 31000, templates and some worked examples based
on a hypothetical agency. It can be accessed via the following website:
http://www.treasury.nsw.gov.au/Publications/treasury_policy_papers/2012-TPP/tpp_12-03/tpp_12-03_risk_management_toolkit