Risk Management Template
Purpose
· A risk management plan can assist your child care service by clearly setting out the strategies and processes that may aid your service to manage risk.
· The following Risk Management Template can assist your child care service to develop a robust risk management plan, including defining the risk management processes and procedures that your service will use in implementing any program/project being undertaken.
What information may be included in a risk management plan?
Most risk management plans will include the following sections:
· introduction, including purpose, scope and audience
· risk management principles
· risk management process, which may include the following key activities:
o establishing the context
o identification of risks
o analyse the risks
o treat the risks
o monitor and review
· a Risk Log, which may include the following (for each risk):
o date raised
o description of risk
o assessment of likelihood
o assessment of impact
o risk rating
o risk treatment
o risk owner
o risk closed and comment
Some of these sections may not apply to your child care service and may need to be adapted to best suit your needs.
Introduction
Purpose
The purpose of this document is to define the risk management processes and procedures, for [insert name of your child care service].
Scope of this document
This document provides information on:
· risk management principles
· risk management process
· risk reporting
Intended Audience
This document provides guidance on risk management for relevant child care service key stakeholders such as:
· Child care service management/administration
· Board of Directors
· any program/project officers involved in developments impacting overall child care service delivery
· other stakeholders, for example, community representatives.
Risk Management Principles
What is a Risk?
A risk is defined as:
“An uncertain event, which if it occurs, will have an effect on your child care service”
A risk can have either a positive or a negative effect, however, for the purpose of this document the management processes described will solely focus on dealing with risks that could have a negative impact on your service.
Risks or Issues?
A risk is not an issue. An issue is defined as any functional, technical or child care service-related event that arises requiring a satisfactory resolution for the operation of the service or program/project. An issue is known to have already occurred and needs an immediate resolution whereas a risk has the potential to occur. A risk, if not treated, may evolve into an issue.
Risk Management Process
Process overview
The risk management process is a step by step systematic approach, which is designed to assist your service in undertaking adequate assessment and planning to support the commitment of resources to manage and treat your service’s identified service risks.
The risk management process can be divided into the following key activities:
· establish the background in relation to your service
· identification of risks
· analyse the risks
· treat the risks
· monitor and review
Figure 1. Example of a risk management process overview
Process steps
Establish background
This first step is to build your service management teams’ understanding of the child care service’s specific service background and context. As an initial activity, the service management team should review and record the following information:
· wider organisational and strategic objectives and constraints
· planned child care service outcomes
· measures of success which are specific to your service
Your service’s management team should monitor this information and, if any changes occur, reconsider the risk profile.
Identify risk
The purpose of the risk identification step is to produce a comprehensive list of risks that may affect the sustainability of your service. Stakeholder interviews and workshops should be conducted to compile a list of risks.
Risks will be identified throughout the operating lifespan of your service and should be recorded in your Risk Log.
Analyse the Risks
The risk analysis activity is broken down into four further steps, as previously shown in Figure 1 and these steps are outlined below:
Identify controls
Once the initial risk identification has been completed, the service management team needs to determine the existence and effectiveness of any controls that may already exist within your child care service. A control is an existing process, policy, device, practice or action that acts to minimise the impact or likelihood of risk.
These controls will have an impact on the assessment of risk likelihood, consequence and any treatment actions that may have to be defined and implemented.
The identified controls must be recorded in the Risk Log, as part of the risk description. The review of controls should be repeated following the completion of any treatment action.
Assess consequence
Once the existing controls are understood, the service management team should assess and describe the expected consequences resulting from a risk event occurring.
If at all possible, the consequences should be expressed in quantifiable terms (e.g. cost, delayed services). The description of the expected consequences must be recorded in the Risk Log.
Consequence descriptions should be updated each time there is a change in the risk profile.
Estimate impact and likelihood
The risk impact and likelihood are expressed in a form of relative (descriptive) ratings.
The impact ratings and their meaning might be:
Name / ImpactRating / Description /
Severe / 5 / Would result in catastrophic events resulting child care service failure and financial sustainability not being realised
Major / 4 / Would result in significant disruption to your child care service, resulting in the need to conduct re-planning and re-estimating of your service’s financial forecasts. In the extreme, it may result in the failure of your service to be financially sustainable
Medium / 3 / Would result in delays to your service’s operations that would exceed existing contingencies, resulting in exceeded time scales, for example, delays in opening additional rooms, and/or additional budget requirements
Low / 2 / Would result in delays to your service’s operations or additional work that could be contained within existing contingencies
Insignificant / 1 / Would result in negligible delays or disruption to your service’s operations
The likelihood ratings and their meaning might be:
Name / LikelihoodRating / Description /
Almost Certain / 5 / Is a feature of this type of child care service, or has occurred many times in recent history, or is a brand new risk that has been identified that is imminent /
Likely / 4 / Has occurred many times in the past, or has occurred a few times in recent history /
Possible / 3 / Has occurred a few times in the past, or, has occurred infrequently in recent history /
Unlikely / 2 / Has occurred infrequently in the past, or, a “one off” from the past /
Rare / 1 / Possible to occur but no known precedents /
Assess Risk Rating
The risk rating is derived from the estimated impact and likelihood and could be ranked according to a matrix such as the following:
LikelihoodRare / Unlikely / Possible / Likely / Almost certain
Impact / Severe / High / Very High / Very High / Extreme / Extreme
Major / Moderate / High / Very High / Very High / Extreme
Medium / Moderate / High / High / Very High / Very High
Low / Low / Moderate / High / High / Very High
Insignificant / Low / Low / Moderate / Moderate / High
The risk ratings and their meaning are:
· Extreme – immediate service management involvement is required, to actively prevent the risk occurring, to reduce the impact or both. The risk profile must be reported to the owner of the child care service or service provider in the case of family day care
· Very High – management involvement will be required to actively prevent the risk from occurring, to reduce the impact or both. The risk must be reported to service director
· High – service management involvement is required
· Moderate – accept risk or manage it by routine service procedures
· Low – close this risk
The risk rating should be assigned each time there is a change in the risk impact or likelihood. Each time there is a change in the risk rating, the risk owner should assess if the change is reasonable and realistic. The child care service director must regularly perform a “sanity check” on the risk ratings, both for individual risks and the overall number of “Extreme” and “High” risks. The overall picture must be monitored and action taken if there are factors that are deemed “too risky” for the service to undertake and would negatively impact the service’s financial sustainability.
Treat risk
When the risk rating is established, the service’s management team can use this information to define treatment actions for each identified risk.
The treatment actions will normally fit into a broad risk treatment strategy. The selection of the risk treatment strategy will be influenced by the risk ratings determined in the previous step.
The service’s management team must also define appropriate treatment for operational risks expected to persist past significant deadlines or dates, including the program/project completion date.
Typical strategies for treatment of financial or service sustainability risks include:
· Terminate or Avoid– this involves changing your business plans to eliminate the threat posed by the risk;
· Treat or Reduce –
- mitigation – this involves taking action to reduce the impact or likelihood of risk event to an acceptable level
- contingent response – this involves preparation of a treatment plan which will only be invoked under certain/predefined conditions
· Tolerate or Retain – this strategy is adopted for risks for which the impact and likelihood cannot be further reduced by practical, realistic means. Acceptance strategy may require establishment of a contingency reserve (time, money or resource).
The choice on which of the above strategies is adopted will depend on the feasibility and cost of the treatment options. At times, the service’s management team may decide to adopt more than one treatment strategy.
Approval should be sought for treatment strategies that require additional resources and/or a change to your service’s business plan.
It is important to incorporate the selected treatment action(s) into your service’s business planning and monitoring processes. Any resources and program/project costs necessary to manage operational risks must be clearly identified and included in the ongoing support and maintenance of the program/project.
Once completed, risk treatment actions should have a tangible, positive effect on the existing risk controls. The re-assessment of the likelihood and/or impact ratings should result in a noticeable reduction in the risk rating.
Monitor and review
A formal review of overall operational environment and program/project risks should occur regularly.
This may be performed within a normal service management meeting. Alternatively, a formal risk review meeting can be held to review the status of all risks. A risk review activity can often lead to a need for escalation/communication of uncompleted risk treatment actions and/or any significant changes in the risk.
The service director/manager must manage risk owners to ensure that a Risk Log is kept up-to-date.
Updating risks
If the likelihood and/or potential impact of a risk changes, the risk owner (service director/manager) should discuss the changes with the service management team. Approvals must be sought accordingly, and then the risk updated in your service’s Risk Log. The likelihood, consequences, and risk rating should also be updated, once the treatment plan has been acted upon.
Closing a risk
The risk should only close when advised by the "risk owner” and not removed from the Risk Log to preserve a reference to it. There should be agreement by the service management team that there is no longer the potential for the risk to eventuate due to the mitigation strategy being effective or due to changed circumstances.
7