Sample Risk Management Plan


SAMPLE RISK MANAGEMENT PLAN

INTRODUCTION
The following guidelines have been developed to assist employees to meet the intent, and to gain the benefits, of our organisation's Risk Management Policy. The overall aim of the risk management program is to ensure that our organisation is able to meet its strategic, operational and compliance goals and objectives in an environment of possible risks. We recognise that our organisation will have to incur risks in the pursuit of its business and corporate objectives. The purpose of these guidelines is to provide a consistent framework which will assist all employees to recognise and manage the risks inherent in the conduct of their activities.

We encourage all employees to act in ways which control and treat risks in order to minimise potential injuries, damage to assets and setbacks which would adversely affect our organisation's pursuit of excellence and leadership.

SCOPE

These guidelines apply to all departments within our organisation and its controlled entities.
They apply to all Departments, Divisions, Centres, controlled entities and joint ventures.

RESPONSIBILITIES
As per the Risk Management Policy, risk management is a whole-of-organisation activity. All
members of our organisation have a role to play; in particular, staff should take an active role
in the identification of potential business and operational risks facing their department or
Division, programs, research, business or work unit and take steps to successfully treat
these risks to minimise their frequency and consequences on our organisation.

We promote a risk management culture. For senior management this role may be more strategic in nature; line management, however, are responsible for the identification of risks and the development of mitigation plans. This includes the implementation of risk reduction strategies within their areas of concern. Similarly, staff with project management responsibilities will also be responsible for the development and implementation of risk treatment plans for the projects they oversee.

As part of our culture, we promote the view that risk management is to be integrated with
other strategic and operational planning processes and management activities.
Typical risk related roles and responsibilities include:

Senior Management who have the responsibility to ensure that risks are identified for their
departments and effective control measures are in place.

Supervisors have the responsibility to ensure that risks in areas of responsibility are
identified and reviewed on an annual basis. This includes the design and implementation of
appropriate treatment plans and the monitoring the effectiveness of such control measures.

Employees have the responsibility to ensure that risks in their areas of responsibility are identified and reported as they arise. Employees are to report risks directly to their supervisor.

CONCEPT OF RISK MANAGEMENT


Our organisation is committed to the protection of its assets and the promotion of strategic opportunities through effective management of risk, by identifying, analysing, evaluating and treating exposures that are likely to impact on its goals and objectives. We recognise that risk management is an integral part of good management practice. We are committed to achieving best practice in the area of risk management and will communicate its principles and practices throughout our organisation.

We recognise that risk is inherent in all administrative and business activities and that every
member of our organisation manages risk. Over the years formal and systematic
approaches have evolved to manage risks and are regarded as good management practice.
Our systems are based on the Standards Australia AS/NZ 4360 Risk Management. As a
result we promote the adoption of a culture which embraces a strategic and formal approach
to risk management which improves decision-making, enhances outcomes and
accountability.

Key Risk Management Documents


1. Risk Management Policy
The cornerstone of our Risk Management Program is the Risk Management Policy which
outlines the expectations Senior Management and Supervisors have of all staff and public
with respect to risk management.

THE RISK MANAGEMENT PROCESS


To meet the commitment of the Risk Management Policy for ongoing best practices in the
area of risk management, our organisation follows a risk management process based on the
AUS/NZ Standards 4360: Risk Management. The Risk Management Manager is available to
assist all Senior Managers and Supervisors with the implementation of the risk management
process.

The process is depicted in Table 1 below.

When to Conduct the Risk Management Process


While the management of risk is an ongoing management activity, there are times when the formal risk management process should be utilised. Examples include:

1. On an annual basis as part of the environmental scan of the strategic planning process,
2. Prior to the commencement of new initiatives or projects,
3. Prior to the commencement of any project with a total value greater than $3 million,
4. Prior to undertaking any new commercial activity or joint venture,
5. Following a significant incident, near miss or other event which identifies a previously unrecognised risk,
6. Prior to the commencement of any activity where serious injury or significant property loss is foreseeable, and
7. When required by organisational policy or procedures.

A Brief Guide to the Steps in the Risk Management Process


While the implementation of the risk management process may vary from application to application, there are common elements in all risk assessments which must be incorporated. These common elements are illustrated in Table 1, can be found in greater detail in the AUS/NZ Standards 4360: Risk Management, and are outlined below. Our organisation employs a 5-step process based on 4360. Each step is summarised below together with the tools and resources available to assist in that step. The appendices contain copies of the forms, templates and guides to be used in the process.

Table 1: The Risk Management Process (Process Step / Step Summary / Tools & Resources)

Step 1: Establish the Context

Step Summary:
Our organisation's context is its strategic and organisational environment against which the risk management process will take place. It establishes the criteria against which risk will be evaluated and the assessment conducted.

Typical strategic elements include:
- Strategic Goals and Objectives
- Key Stakeholders
- Political Environment
- Natural Environment
- Economic Environment
- Technological Environment
- Legal Environment
- Social Environment

Typical operational elements of our organisation's context would include:
- Financial Environment
- Community Environment
- Research Environment
- Human Resources
- Compliance Environment

Tools & Resources:
Tools and methods by which Senior Managers and supervisors can better understand their context include:
- Reviewing strategic goals and objectives
- SWOT analyses
- Personal experience, corporate history
- Past audits
- Brainstorming
- Questionnaires
- Expert judgements
- Loss histories and incident report investigations
- AS/NZ 4360
- The Risk Management database and consulting

Step 2: Identify Risks

Step Summary:
Risk identification is the most critical step in the risk management procedure. A risk not identified is excluded from the rest of the risk management process and may be untreated or inadequately controlled.

The risk identification procedure is best performed using a well-structured, systematic process, as the objective of the process is to generate a comprehensive list of events which, if they occur, would affect our objectives, goals and operations.

In addition to identifying potential risks it is also necessary to consider the possible causes and impacts of each individual risk.

Risks should be identified and recorded on the business unit's Risk Register (Appendix A) on an annual basis.

If possible, a consistent method of expressing risk should be used across the organisation. A guide to the standard expression of risk in our organisation is found in Appendix B.

Tools & Resources:
Commonly used risk identification tools include:
- Checklists (see Appendix Item C, Risk Categories)
- Guide to Risk Identification Exercise (see Appendix C)
- Past experience
- Past loss records
- Flow charts
- Work unit brainstorming
- Interviews
- Structured seminars and workshops
- Systems and scenario analysis
- Risk Management Unit consultation

Step 3: Analysis and Assessment of Identified Risks

Step Summary:
All risks identified through Step 2 and recorded on the business unit's Risk Register (Appendix A) should be analysed and assessed to determine their level of risk.

We have developed a risk rating system, which is found in Appendices A to F. Risk assessment tools allow risks identified in Step 2 to be qualitatively assessed and recorded on the Risk Register.

The risk assessment process is a three step process where we:
1. Consider the consequence of the risk: what could reasonably happen, as well as what has actually happened. Select the descriptor which is most suitable for the consequence in light of existing controls (Appendix E).
2. Consider the likelihood of the risk: what is the likelihood of the identified risk happening? Consider this without any new controls in place. Look at the descriptions and choose the one which is most suitable (Appendix D).
3. Calculate the risk: taking the ratings established in Steps 1 and 2, consult the risk matrix found in Appendix F to find the score which corresponds with those ratings.
4. Record the values on the Register of Risks in the appropriate columns (Appendix A).

Tools & Resources:
- Risk Register (Appendix A)
- Risk Frequency Assessment Tool (Appendix D)
- Risk Consequence Assessment Tool (Appendix E)
- Risk Rating Matrix (Appendix F)
- AS/NZ 4360

Step 4: Control of Risks

Step Summary:
The objective of the risk control step is to identify and implement the most appropriate risk treatment or control option(s) so that risks can be regarded as adequately mitigated.

This step in the process requires that a wide range of control and treatment options be identified and examined. The overall objective of this step is to ensure that effective strategies are in place to minimise the frequency and severity of identified risks. Existing controls must also be examined to determine whether they are effective in reducing the overall risk to our organisation.

Risk control options often fall into the following categories:
- Risk Avoidance: taking action or making decisions which ensure the risk cannot possibly occur.
- Risk Reduction: taking actions or making decisions which reduce the likelihood of a risk occurring.
- Risk Mitigation: taking action or making decisions which reduce the consequences of a risk if it should occur.
- Risk Transfer: taking actions, making decisions, or establishing management systems which transfer either the responsibility for the risk or the responsibility to finance the effect of the risk if it should manifest itself.

Selecting the Best Risk Controls

The selection of appropriate risk controls requires each business unit to take an action which will assist in the management of the identified risk. These actions are to be listed in the Register of Risks (Appendix A) and can be created as a result of workshops, meetings of key stakeholders or other such methods which facilitate the listing of the most efficient and effective risk control techniques given the environmental factors and available resources.

It is useful to identify control measures in terms of pre-loss actions, those which take place before the risk manifests itself, and post-loss actions, those which occur after a loss in order to reduce its consequence.

Each risk control or treatment action should be assigned to a person who is responsible for ensuring the prescribed action takes place. This person will also be directly responsible for ensuring progress is made on issues affecting the selected risk control measure. The identity of the responsible person should be recorded in the appropriate column on the Register of Risks.

Copies of completed Registers of Risks should be submitted to the Risk Management Unit.

Each risk control action should also have a date when the risk and its control actions will be re-examined by the nominated responsible person, or a date by which the selected risk control method will be fully employed or implemented for the identified risk. Such dates may also be dates of inspection, implementation dates for selected control techniques, etc.

Tools & Resources:
- Risk Register (Appendix A)
- Sample risk control techniques in Appendix B
- The Risk Management Unit
- Internal Audit
- Senior Management consultation
- Stakeholder consultation

Step 5

Step Summary:
As risk controls are set up to manage known and understood causes, it should also be recognised that both the sources of risk and the controls may change over time; regular monitoring and review is therefore required. Our organisation operates in a dynamic environment and, as a result, we witness frequent changes in the operating context.

Each business unit should establish a treatment monitoring program to ensure that:
- Risk treatments are implemented as required.
- Risk treatments are reasonable and efficient in their operation.
- Risk treatments are suitable for their intended purpose.
- Risk treatments are effective in meeting their objectives of reducing the frequency or severity of the identified risks.

All business risks should be reviewed on at least an annual basis as part of the Risk Management Assurance Program, outlined below.

Each department should note there may be a particular need for awareness of potential changes resulting from new situations, projects or activities. Such changes may affect the successful application of risk control strategies. It is also important to note that changes in stakeholder expectations should be considered as well.

Tools & Resources:
- Internal Audit Review
- Internal Audit Self-Review
- Risk Management Unit Consultation & Review
- Physical inspections
- Policy Reviews
- Review by external experts

Risk Management Process Summary


Through the use of methodologies such as those above, we can ensure an ongoing review
process is taking place so that the risk management process remains relevant in our
dynamic environment. Few risks remain static, and the risk management process must
recognise this fact and ensure systems are in place to regularly repeat the risk management
cycle. According to the AS/NZ 4360, review is an integral part of the risk control and
treatment process.

The Standard also tells us that communication and consultation are important considerations
at each step in the risk management process. This requires a two way dialogue between
stakeholders at every step in the process, with efforts focused on consultation rather than a
one way flow of information from the Management to Employees.

It is important to communicate risk management information. We encourage employees to be open about risks, as we feel that by sharing information we can learn from the experiences of others and share the ways in which we manage similar risks. Risk information sharing can be facilitated through:

- An annual business unit risk review, established as a regular feature of management and staff meetings.
- An annual department risk review as part of the strategic planning process.
- Following an accident, incident, lawsuit or near miss which has highlighted the need for closer examination and treatment of risks.
- As a standard part of an application, approval or business case process within the department.

It is also important to consult with members of the organisation's community and relevant stakeholders about risks and to include them in the risk management process. Stakeholders could include:

Senior Management Groups

Other departments

The Risk Management Unit

Financial Services Division

Legal Division

Members of the local community.

RISK ASSURANCE PROCESS

The Annual Risk Review


All Senior Managers and Supervisors will review, on an annual basis, their operation's strategic and operational risks. Their completed Register of Risks is evidence of that process.

It is recommended that the following participants contribute to the unit's annual risk review:

- The senior manager, who will lead the process as part of the department's strategic planning session
- One or more supervisors from the department
- Experienced employees
- A representative of the Risk Management Unit, if required
- A minute taker or recorder

The purpose of the Annual Risk Review will be to:

1. Allow the senior manager to report on the strategic goals and objectives for the department and how those objectives align with the organisation's strategic objectives.
2. Allow the manager to review historical loss information provided by the Risk Management Unit.
3. Allow a comprehensive assessment of the department's risks, including identifying risks which may affect the department meeting its goals and objectives.
4. Permit the department to employ the risk management methodology as outlined above.
5. Permit the department to update and/or complete its Register of Risks for all identified risks, for submission to the Risk Management Unit.

Additional Risk Reviews


In addition to the annual review listed above, there may be times when a formal risk assessment is required. This risk assessment will result in either additions to the existing Register of Risks for the business unit or in the compilation of a separate Register of Risks. Examples include:

- All new activities planned for the upcoming year, to ensure that any unacceptable risk exposures are identified and managed at an appropriate level.
- All new projects with a total value in excess of $3 million.
- All new joint ventures or commercial activities planned for the upcoming year, to ensure that any unacceptable risk exposures are identified and managed at an appropriate level.
- Following reports of serious losses, accidents or injuries affecting their operations.
- At the recommendation of the Risk Management Advisory Group (RMAG).

Risk Management Glossary of Terms


(Source: AS/NZ 4360)

Consequence: The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event.

Cost: Includes both direct and indirect costs of activities, involving any negative impact, including money, time, labour, disruption, goodwill, political and intangible loss.

Event: An incident or situation which occurs in a particular place during a particular interval of time.

Frequency: A measure of the rate of occurrence of an event, expressed as the number of occurrences of an event in a given time (see also likelihood and probability).

Hazard: A source of potential harm or a situation with a potential to cause loss.

Likelihood: Used as a qualitative description of probability or frequency.

Loss: Any negative consequence, financial or otherwise.

Monitor: To check, supervise, observe critically, or record the progress of an activity, action or system on a regular basis in order to identify change.

Probability: The likelihood of a specific event or outcome, measured by the ratio of specific events or outcomes to the total number of possible events or outcomes. Probability is expressed as a number between 0 and 1, with 0 indicating an impossible event or outcome and 1 indicating an event or outcome is certain.

Risk: The chance of something happening that will impact upon objectives. It is measured in terms of consequences and likelihood.

Risk acceptance: An informed decision to accept the consequences and likelihood of a particular risk.

Risk analysis: A systematic use of available information to determine how often specified events may occur and the magnitude of their consequences.

Risk assessment: The overall process of risk analysis and evaluation.

Risk avoidance: An informed decision not to become involved in a risk situation.

Risk control: Part of risk management that involves the implementation of policies, standards, procedures and physical changes to eliminate or minimise adverse risk.

Risk delegate: Appropriate staff member who is responsible and accountable for the decision regarding whether a risk is acceptable or requires further treatment.

Risk engineering: The application of engineering principles and methods to risk management.

Risk evaluation: The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.

Risk financing: The methods applied to fund risk treatment and the financial consequences of risk.

Risk identification: The process of determining what can happen, why and how events arise, as the basis for further analysis.

Risk level: The level of risk calculated as a function of likelihood and consequence.

Risk management: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.

Risk management process: The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk.

Risk rating: The combined effect of the likelihood of the occurrence of the event and the severity of the impact of the event.

Risk reduction: A selective application of appropriate techniques and management principles to reduce either the likelihood of an occurrence or its consequences, or both.

Risk retention: Intentionally or unintentionally retaining the responsibility for loss, or the financial burden of loss, within the organisation.

Risk transfer: Shifting the responsibility or burden for loss to another party through legislation, contract, insurance or other means. Risk transfer can also refer to shifting a physical risk, or part thereof, elsewhere.

Risk treatment: Selection and implementation of appropriate options for dealing with risk.

Stakeholders: Those people and organisations who may affect, be affected by, or perceive themselves to be affected by, the decision or activity.

SWOT analysis: Provides an assessment of an organisation's strengths, weaknesses, opportunities and threats to provide a snapshot of the present and a view of what the future may hold.

Appendices
Appendix A Register of Risks (to be used to record risks in each department)
Appendix B Sample Risk Categories (categories and definitions to assist in identifying risk categories)
Appendix C Guide for Risk Identification (use to assist in the compilation of the risk register)
Appendix D Risk Frequency Assessment Guide (guidance on identifying risk frequency level)
Appendix E Risk Consequence Assessment Guide (guidance on identifying risk severity level)
Appendix F Risk Rating Matrix (guidance on establishing risk rating)

APPENDIX A | REGISTER OF RISKS

Notes:
1. Identify the categories of staff, students and visitors working in or visiting your area and the activities in which they may be involved.
2. Identify the hazards associated with those activities and then assess the level of risk using the rating system outlined below.
3. Examine the adequacy of existing risk controls relative to the level of risk and take further action to reduce the level of risk, if required.
4. Review the register on a yearly basis or when any changes are made to the workplace or procedures.

Register columns: Risk Category | Statement of Risk | Impact of Risk | Assessment (Severity, Frequency, Risk Rating) | Risk Controls | Responsible Person | Review Date

Sample entry:
Risk Category: Image and Reputation
Statement of Risk: A risk of widespread adverse publicity resulting from a poorly administered high profile research project
Impact of Risk: Research income; Enrolments; Recruitment; Staff
Assessment: Severity 3; Frequency C; Risk Rating M
Risk Controls: Routine Reviews; Ethics Committee; Policy & Procedure
Responsible Person: Harry Rosenthal
Review Date: 01/12/2009

APPENDIX B | SAMPLE RISK CATEGORIES

- In order to assist in the risk identification process, please refer to the following 6 general categories of risk (listed below). These categories are not designed to be exhaustive but serve as a guide for organising, identifying and reporting risks and findings. These risk categories may be helpful when identifying and analysing risks and identifying key risk drivers and underlying causes, as well as links between various categories of risk and specific departments.
- Managers are advised to take note of these categories but not to be constrained by them. The categorisation of risks is a key element of the Risk Management Process and is recorded on the business unit's Risk Register under the appropriate column.

RISK CATEGORIES AND BROAD DEFINITIONS

Image and Reputation Risks: Risks relating to the generation of adverse publicity, depletion of goodwill, course content, course reviews, examinations or any other mechanism by which there would be a negative effect on the organisation's local, national and international reputation.

Environmental Risks: Risks relating to environmental impacts of the organisation's activities, including pollution, toxic substance release and exposure to radiation, which affect the organisation's tangible and intangible assets and the local environment.

Liability & Compliance Risks: Risks relating to potential liabilities including third party lawsuits, contract disputes, or non-compliance with Acts and Regulations, Common Law or internal policies and procedures. It can include legal issues arising from matters of discrimination, negligence, failure in duty of care, or the delivery of the organisation's services or products.

Financial Loss Risks: Risks relating to any aspect of the organisation's operations which results in either an increase in the organisation's expenses or a decrease in the organisation's revenues. Examples of sources of revenue decreases could include significant reduction in student enrolments, reductions in research funding or traditional funding sources. Sources of increases in expenses could include additional costs in the organisation's administration, legislative compliance, internal auditing, recruitment and investigations.

Staff Risks: Risks relating to the members of the organisation's community and resulting from utilising academic and general staff at the organisation. These risks can include staff management issues such as organisational change, staff morale, training and development, retirement, discipline, industrial relations, etc.

Health & Safety Risks: Risks relating to accident, injury or illness to the organisation's staff, contractors, visitors, consumers of the organisation's products, members of the organisation's community or the public. Examples would include injuries which result in medical treatments, disability, fatalities or mental trauma.

APPENDIX C | GUIDE FOR RISK IDENTIFICATION

- As per the Risk Management Policy and the strategic planning process, it is the responsibility of all departments, on at least an annual basis, to identify the risks which will prevent them from meeting their business goals and objectives. The guide below is designed to facilitate discussion on possible risks by providing a framework for discussion.
- This tool (based on AS/NZS 4360) is to be used to assist users in the risk identification process called the Sources of Risk (below). This template guides users in the compilation of their Risk Register.
- Note: Please use the 6 Areas of Impact (Categories of Risk) as a guide. If other areas of impact are significant, please record them on the Risk Register and submit to the Risk Management Unit.

The worksheet is a grid with the Sources of Risk as rows and the Areas of Impact as columns.

AREAS OF IMPACT (columns):
- Image & Reputation
- Liability & Compliance
- Environment
- Health & Safety
- Financial Loss
- Staff
- Product

SOURCES OF RISK (rows):
- Commercial & Legal Relationships
- Human Behaviour
- Technology / Technical Issues
- Management Activities & Controls
- Commercialisation
- Economic Circumstances
- Individual Activities
- Community Involvement

APPENDIX D | RISK FREQUENCY ASSESSMENT GUIDE

- This is a description of the probability or likelihood of the expressed risk. We make this judgement based on our past experience and our knowledge of future strategic plans.
- For all risks listed in the Register of Risks, there is a column for recording the likelihood or frequency of each risk. To analyse each risk we must assign a designation (A, B, C, D, E or F) to reflect our judgement of the probability or frequency of this risk occurring in the future.
- Please use the six point scale below to rank the likelihood of each identified risk and record this on the Register of Risks under the appropriate Frequency column.
- The following table offers the rating range for risk frequency and suggested metrics by which the ratings should be used. It is recognised that the suggested metrics are for consideration only, and should serve as a guide to allow the user to consistently distinguish between the 6 points on the scale.
- The objective of the process is, to the best of the user's ability, to identify whether the occurrence of a particular risk under the current situation would be regarded as rare, unlikely, possible, likely or almost certain.

RATING | LIKELIHOOD OF THE RISK ARISING AND LEADING TO THE ASSESSED LEVEL OF CONSEQUENCES | SUGGESTED METRIC

A Almost Certain: It is expected to occur in most circumstances (more than once a year)
B Very likely: It is expected to occur on an annual basis (once a year)
C Likely: Will probably occur in most circumstances (once in 2 years to 5 years)
D Possible: Might occur at some time (once in 5 years to 30 years)
E Unlikely: Not expected to occur (once in 30 to 100 years)
F Rare: Might occur in exceptional circumstances (exceptional circumstances, maybe once in 100 years)

APPENDIX E | RISK CONSEQUENCE ASSESSMENT GUIDE

- Severity or consequences are the outcome of an event, being loss, injury, disadvantage or gain, in the event that a particular risk manifests itself. It is a measure of the potential impact of an expressed risk if it should manifest itself, leading to losses.
- Depending on the category of risk being assessed, we consider factors such as human impact (including the number of people injured), property impact, net income impact (and the possible financial costs), reputation impact (including mitigating costs), and liability impact (including fines and penalties) to the organisation.
- Please refer to the five point scale found below to rank the consequences for all risks found within the organisation's Register of Risks and record them in the appropriate column.

CRITERIA (Health & Safety | Liability & Compliance | Financial Loss | Image & Reputation | Environment | Staff)

5 Catastrophic
- Health & Safety: Multiple fatalities of staff, students, contractors or the public
- Liability & Compliance: Regulatory intervention and prosecution possible; fines, costs or penalties above $1 million
- Financial Loss: Net revenue loss or asset damage exceeds $20 million
- Image & Reputation: Damage to reputation at international level; adverse international media coverage; major loss of government, student or community support
- Environment: Long term environmental damage (5 years or longer), requiring >$5 million to study or correct, or in penalties
- Staff: A large number of senior or experienced staff leave

4 Major
- Health & Safety: Single fatality; or non-recoverable occupational illness; or permanent major disability (acute or chronic)
- Liability & Compliance: Breach of licenses, legislation, regulation or mandated standards; fines, costs or penalties from $500K to $1 million
- Financial Loss: Net revenue loss or asset damage between $5 and $20 million
- Image & Reputation: Damage to reputation at national level; adverse national media coverage; Government agency questions or enquiry; significant decrease in community support
- Environment: Medium-term (1-5 yr) environmental damage requiring $1 to $5 million to study or correct
- Staff: Some senior and experienced staff leave; high turnover; not perceived as an employer of choice

3 Moderate
- Health & Safety: Lost time or restricted injury or occupational illness (recoverable)
- Liability & Compliance: Breach of external standards, guidelines or impending legislation, or subject raised as a corporate concern through audit findings or voluntary agreements; fines, costs or penalties from $100K to $500K
- Financial Loss: Net revenue loss or asset damage between $0.5 and $5 million
- Image & Reputation: Adverse news in state media; decrease in Government, client or community support
- Environment: Short term (<1 yr) environmental damage requiring up to $1 million to study or correct
- Staff: Poor reputation as an employer; widespread attitude problems

2 Minor
- Health & Safety: Medical treatment required
- Liability & Compliance: Breach of internal procedures or guidelines; fines, costs or penalties less than $100K
- Financial Loss: Net revenue loss or asset damage between $100K and $0.5 million
- Image & Reputation: Adverse news in local media; concerns on performance raised by Government, students or the community
- Environment: Environmental damage requiring up to $250K to study or correct
- Staff: General morale and attitude problems; increase in turnover

1 Insignificant
- Health & Safety: On-site First Aid required; no lost time or occupational illness
- Liability & Compliance: No breach of licenses, standards, guidelines or related audit findings
- Financial Loss: Net revenue loss or asset damage < $100K
- Image & Reputation: Public awareness may exist, but there is little public concern; issue resolved promptly by day to day management process
- Environment: Negligible environmental impact, managed within operating budgets
- Staff: Negligible or isolated dissatisfaction

APPENDIX F | RISK RATING MATRIX

- Using the Risk Rating Matrix below, you are to complete the analysis and assessment process by combining the selected risk frequency and risk severity ratings to determine the overall risk rating for each identified risk.
- All risks should be ranked from most extreme to the lowest to ensure the most critical risks are being managed.

Likelihood            Consequences
                      Insignificant   Minor     Moderate   Major     Catastrophic
                      (1)             (2)       (3)        (4)       (5)
A Almost certain      Medium          Medium    High       Extreme   Extreme
B Very likely         Medium          Medium    High       High      Extreme
C Likely              Medium          Medium    Medium     High      High
D Possible            Low             Medium    Medium     High      High
E Unlikely            Low             Low       Medium     Medium    High
F Rare                Low             Low       Low        Medium    Medium

RISK RATING MATRIX KEY

Risk Rating | Suggested Management Response

E Extreme Risk: Unacceptable risk; action must be taken immediately to reduce risk.
H High Risk: Senior management attention needed and management responsibilities specified for further action. Goal is to reduce high risks.
M Medium Risk: Managed at divisional level, monitored by senior management; specific monitoring or response procedures.
L Low Risk: Managed by routine procedures; unlikely to need specific application of resources.
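The Step 3 calculation (choose a consequence rating, choose a likelihood rating, then read the matrix) and the Appendix F ranking rule, worked through as an added Python example. This code is not part of the sample plan; it encodes the Appendix D and Appendix E scales and the Appendix F matrix exactly as they appear above, rejects ratings that fall outside those scales rather than silently rating them, and orders a register from most extreme to lowest. The first register row is the worked entry from Appendix A; the other two rows are constructed here for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Six-point likelihood scale (Appendix D) and five-point consequence scale (Appendix E).
LIKELIHOOD = {"A": "Almost certain", "B": "Very likely", "C": "Likely",
              "D": "Possible", "E": "Unlikely", "F": "Rare"}
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Risk Rating Matrix (Appendix F): one row per likelihood letter, columns are consequence 1..5.
RATING_MATRIX = {
    "A": ("Medium", "Medium", "High", "Extreme", "Extreme"),
    "B": ("Medium", "Medium", "High", "High", "Extreme"),
    "C": ("Medium", "Medium", "Medium", "High", "High"),
    "D": ("Low", "Medium", "Medium", "High", "High"),
    "E": ("Low", "Low", "Medium", "Medium", "High"),
    "F": ("Low", "Low", "Low", "Medium", "Medium"),
}

# Suggested management response from the matrix key, keyed by the rating code (E/H/M/L).
RESPONSE = {
    "E": "Unacceptable risk: action must be taken immediately to reduce risk",
    "H": "Senior management attention needed; responsibilities specified for further action",
    "M": "Managed at divisional level, monitored by senior management",
    "L": "Managed by routine procedures, unlikely to need specific application of resources",
}
RANK_ORDER = {"Extreme": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass
class RiskEntry:
    """One row of the Register of Risks (Appendix A)."""
    category: str
    statement: str
    severity: int            # consequence rating 1..5 (Appendix E)
    frequency: str           # likelihood rating A..F (Appendix D)
    controls: list[str] = field(default_factory=list)
    responsible: str = ""
    review_date: str = ""


def rate_risk(severity: int, frequency: str) -> str:
    """Step 3 of the process: combine a consequence and a likelihood rating via the
    matrix. Values outside the two scales raise instead of being silently rated."""
    freq = frequency.strip().upper()
    if freq not in RATING_MATRIX:
        raise ValueError(f"frequency must be one of A-F, got {frequency!r}")
    if not isinstance(severity, int) or severity not in CONSEQUENCE:
        raise ValueError(f"severity must be an integer 1-5, got {severity!r}")
    return RATING_MATRIX[freq][severity - 1]


def rating_code(rating: str) -> str:
    """Single-letter code used in the register's Risk Rating column ("Medium" -> "M")."""
    return rating[0]


def rank_register(entries: list[RiskEntry]) -> list[tuple[str, RiskEntry]]:
    """Rate every entry and order the register from most extreme to lowest (Appendix F),
    breaking ties by higher consequence, then by higher likelihood (A before F)."""
    rated = [(rate_risk(e.severity, e.frequency), e) for e in entries]
    rated.sort(key=lambda pair: (-RANK_ORDER[pair[0]],
                                 -pair[1].severity,
                                 pair[1].frequency.strip().upper()))
    return rated


def register_summary(entries: list[RiskEntry]) -> list[tuple[str, str, str]]:
    """(rating code, category, suggested management response) for each ranked entry."""
    return [(rating_code(r), e.category, RESPONSE[rating_code(r)])
            for r, e in rank_register(entries)]


# Constructed sample register: row 1 is the worked entry from Appendix A (severity 3,
# frequency C -> M); rows 2 and 3 are made up here only to show the ranking.
SAMPLE_REGISTER = [
    RiskEntry("Image and Reputation",
              "Widespread adverse publicity from a poorly administered high profile research project",
              3, "C", ["Routine Reviews", "Ethics Committee", "Policy & Procedure"],
              "Harry Rosenthal", "01/12/2009"),
    RiskEntry("Health & Safety", "Laboratory incident causing permanent disability (constructed)", 4, "D"),
    RiskEntry("Financial Loss", "Equipment loss below $0.5 million (constructed)", 2, "E"),
]

if __name__ == "__main__":
    for code, category, response in register_summary(SAMPLE_REGISTER):
        print(f"{code}  {category:22} {response}")
```

Running the block prints the three sample rows in the order H, M, L, which is the "most extreme to lowest" ordering Appendix F asks for; the Appendix A entry (severity 3, frequency C) lands on Medium, matching the M recorded in the register.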

