Risk Management Policy
1. Risk Management Policy Overview
The company is committed to effectively managing operational, financial and other risk in the context of business strategies and with a view to achieving a balance between acceptable levels of risk and reward. The risk management is of concern to all levels of the business and requires a risk management policy and process involving all personnel, with reporting structures to the Board.
2. Risk Management System Overview
- Identifying risk;
- Analyzing risk;
- Evaluating risk;
- Managing risk.
Identifying, Analyzing and Evaluating the Risk
Each unit is responsible for identifying and documenting the risks to that business. The risks to the business, including its causes, are identified and documented. Each risk is analyzed in terms of likelihood and consequence and the adequacy of existing controls. These criteria are used to determine the level of risk, ranging from ‘low’ to ‘extreme’, and to aid in identifying the order of priority in which risks and their associated mitigating actions should be addressed by the businesses.
Managing the Risk
The Board oversees, reviews and monitors the risk register half yearly, or in the case of escalated and high priority risks, quarterly.
Roles and Responsibilities
The Board is responsible for overall oversight of risk management of the company and reviews the risk register half yearly, or as required on escalation of high priority risks.
3. Risk Management Process Identifying Risks
The company risk assessment methodology relies on the principle that those employees who have a very good knowledge of their respective areas of the business are in the best position to provide the necessary information and assessments of risks. As each risk is identified, information is passed regarding this risk throughout the identification, analysis, evaluation and treatment steps in relation to that risk.
Analyzing and Evaluating Risks
Each risk is analyzed to identify the consequence and likelihood of the risk occurring and the adequacy of existing controls. These measures are used to establish the priority and ranking of the risk, which in turn indicates the priority for risk treatment actions.
Once the risks have been identified and assessed, risk treatment measures and actions are identified. Risk treatment activities may include tasks to:
- reduce the likelihood of risks;
- reduce the consequence of risks;
- reduce both the likelihood and consequence of risk;
- transfer the risk in part or in whole;
- accept the risk and do nothing; and/or
- avoid the risk by changing business practices
A priority is further established for each risk treatment action reflecting the complexity of the treatment, effort, funding and resources required. Each risk treatment action must also indicate the position manager responsible and the estimated dates for implementation.
- The risk profile of every business area is dynamic and therefore subject to continuous change with the ever present chance of a risk occurring. To manage this change, the following process of scheduled maintenance has been adopted:
- The risk management process is reviewed by the Board for efficiency and effectiveness.
- The risk contexts for each business unit are reviewed.