Risk management policy
Policy Statement
The Water Corporation (the Corporation) recognises the direct relationship between effective risk management and the achievement of objectives within the Corporate Strategy. In order to proactively anticipate, assess, and manage all threats and opportunities to achieving its vision ‘for our people, communities and state to thrive’, the Corporation has committed to the ongoing implementation of a whole of organisation Risk Management Framework.
The Corporate Risk Management Framework is consistent with International Standard ISO AS 31000:2018 Risk Management - Guidelines and is an integral component of the Corporation’s corporate governance. The standards-based, whole of organisation approach to embedding risk management drives risk-based decision making through all levels of the Corporation and supports consistent application of the corporate methodology.
As a baseline set of principles to be complied with, it is expected that all planning, executing/operating, and responding/recovering activities must:
- Apply a risk-based approach referencing the Corporation’s Corporate Risk Assessment Criteria.
- Be appropriately prioritised and managed in line with the relevant standards, legislative and regulatory requirements.
- Be performed in a clear, transparent, consistent, integrated and documented manner.
Purpose
The purpose of this policy is to clearly describe the Corporation’s approach to anticipating and managing the risks involved in all aspects of its activities within the parameters of the Board approved Risk Appetite Statements. The policy provides a principles-based approach to guide professional judgement, promote consistent and transparent decision-making, and ensure risk-based decisions are evidenced for future reference.
The Corporation will apply assertive and competent leadership to effect risk management and the resolution of incidents under the Corporate Risk Management Framework.
The objectives of this policy are:
- That risk management forms an integral part of all decision making and is adopted throughout the Corporation as a prudent management practice.
- To ensure that all employees, contractors and partners are made aware of the need to manage risk, and to promote a culture of participation in the process.
- To set the standard for the risk management process and subsequently the management of risk.
- To direct effective organisational resilience related practices including Incident Management, Emergency Management, Crisis Management, and Business Continuity Management (including Disaster Recovery i.e. IT Service Continuity Management).
Scope
This policy applies to Water Corporation employees, contractors and partners. All parties have a significant role in ensuring effective risk management in their area of business activity.
Corporate Risk Assessment Criteria - Terms of reference against which the significance of a risk is evaluated. It provides for a consistent measurement of risk that will be used by all areas of the business allowing for meaningful comparisons.
Crisis Management - Development and application of the organisational capability to deal with crisis (BS 11200:2014).
Incident Management - Combination of facilities, equipment, personnel, procedures and communications operating within a common organisational structure with responsibility for management of assigned resources to effectively prepare for, and then dynamically direct and control the ‘response’ to an incident with an identifiable command, control and coordination structure. Incident Management, within the Corporation’s context is typically inwardly focused.
Resilience - Expression of a system’s ability to withstand, react and adapt to disruption, and to achieve a stable state where its purpose and priority objectives can be achieved (AS/NZS 5050:2020).
Risk - Effect of uncertainty (either positive or negative) on objectives or desired/expected outcome.
Risk Assessment - The overall process of risk identification, risk analysis and risk evaluation (ISO AS 31000:2018).
Risk Management - The culture, processes, and structures that are directed towards the effective management of potential opportunities and adverse effects.
- A Framework for the management of all risks across the Corporation.
- A consistent terminology, methodology and process for the management of risk.
- The integration of risk management into decision making processes, and
- Assurance to the Board, Audit & Risk Committee and Executive that risks are identified and managed, and responded to in an effective and approved manner once they are realised.
All organisations face internal and external factors that create a level of uncertainty which will influence the achievement of their objectives. The effect this uncertainty has on the objectives of a business is defined as “risk”.
While risk management is implicit in all activities undertaken by entities (individuals, groups or the Corporation) this policy provides the formal compliance statement with regard to the management of risk, in all of its various contexts, across all products, services and business streams, and the approach to all resilience related practices including Incident Management, Emergency Management, Crisis Management and Business Continuity Management (including Disaster Recovery i.e. IT Service Continuity Management).
The Corporation has identified the following key principles to embed risk management through the business:
- Protection and preservation of life always has primacy.
- Under the Accountability and Empowerment Framework, Executive Process Custodians in conjunction with Process Custodians have full accountability and authority to manage a risk in relation to their process. Risks raised outside of a custodian’s accountability will be considered and allocated to the applicable area in accordance with accountability principles.
- The Executive and Senior Leaders shall lead and embed a risk culture that continuously matures to enable risk management to be an integral core element of the Corporation’s processes, and that is transparent and inclusive to enable the timely, accurate flow of information amongst all stakeholders.
- A full review of corporate and business risk profiles is conducted annually at a minimum, and also upon detecting a relevant change in the internal or external operating environment of the Corporation, such as an incident or process disruption.
- All risk assessments (corporate, business or project) within the Corporation will be assessed using the Corporate Risk Assessment Criteria (or any of its approved variations) and will be recorded in the Corporate Risk Information System or a formally recognised risk register.
- Crisis Management, Business Continuity Management, Incident Management and Emergency Management will be implemented and integrated to achieve disruption resilience, and to protect the Corporation’s reputation and standard of service delivery from the impacts of significant and unplanned events.
- Incident Management and Emergency Management will be conducted in accordance with Incident Management and Emergency Management standards.
- Robust risk reporting processes will be delivered through the Corporation’s Governance forums to provide oversight of the effectiveness of the Corporate Risk Management Framework, internal and external emerging risk issues, and opportunities to improve internal risk culture and process.
The Corporate Risk Management process is coordinated and monitored by the Risk & Assurance Business Unit.
Process Managers
Under the Water Corporation Accountability and Empowerment Framework, Executive Process Custodians in conjunction with Process Custodians are fully accountable for identifying and managing risk from the internal and external environment for their process, within the parameters of the Board approved Risk Appetite Statement.
Line Managers
Business Unit and Regional and Alliance Managers are accountable for identifying and managing risks from the internal and external environment which will impact on activities and objectives. They are then accountable to advise the relevant Process Custodians where these risks impact on process. They also are encouraged to identify and manage risks at a regional level which originate from the execution of business processes. Regional or Business Unit risk assessments form a fundamental component of ensuring that all risks have been identified and assessed.
Project/Program Managers
Project and Program Managers will use the Corporate Risk Assessment Criteria and identify and assess project risks throughout the project life cycle. Project risks are assessed within the context of their financial consequence criteria which is adjusted to the corporate financial consequence criteria as required.
External references
- Standards Australia AS ISO 31000:2018 Risk management – Guidelines
- British Standard BS 11200:2014 Crisis management: Guidance and good practice
- Standards Australia AS/NZS 5050:2020 Managing disruption-related risk
Corporate references
- PP066 – Position Statement – Risk Appetite
- S389 Corporate Risk Assessment Criteria
- S542 Disruption Risk Management
- S050 State Emergency Management Framework - Water Corporation Support
- Corporate Risk Management Guidelines
- Corporate Incident Management Guideline