- Draft only uploaded by Bill Owens for consideration, needs simplifying and some graphics
Risk Management Policy Version M 001.1 Date 24/2/2024
This risk management policy is to provide a way of managing WDMOC inc's potential liability exposure.
It is to educate and create a culture of risk awareness in day-to-day activities for members in a convenient and cost-effective manner.
1. This Risk Management Policy contains:
(a) information on the concept of risk
(b) roles and responsibilities regarding the implementation of this policy.
(c) procedures, principles, techniques and tools to be applied in all areas of risk exposure with special emphasis on safety which may affect WDMOC inc in meeting goals and objectives
(d) an outline of how the risk management process is to be conducted on a day-to-day basis.
- WDMOC inc will maintain a Risk Register to:
(b) potential risks identified will be recorded;
(c) current controls in place to mitigate risks and/or suggested improvements on controls.
WDMOC inc recognises that risk is inherent in a motorcycle club and that everyone in it manages risk. WDMOC inc promotes the adoption of a culture which embraces a strategic and formal approach to risk management which improves decision-making and enhances outcomes and accountability.
2. REGULATORY REQUIREMENTS
There is legislation in place for the management of specific risks, etc.
Risk management does not relieve WDMOC inc. of its responsibility to comply with legislation, such as that relating to Workplace Health and Safety, Equal Opportunity, Environmental Sustainability or similar obligations.
All Members are responsible for minimising risks to themselves, to others and to WDMOC inc.
WDMOC inc's Committee has the ultimate responsibility for successful risk management, with the President taking day-to-day responsibility for the process.
4. THE RISK MANAGEMENT PROCESS
In line with the Standard, WDMOC inc’s approach to risk management requires a number of key steps:
1. establish the scope, context and criteria of risks
2. identify risks
3. analyse risks
4. evaluate risks and
5. treat risks
This risk management process includes communicating and consulting with stakeholders, and the continuous monitoring and review of risks. The process adopted by WDMOC inc is explained below:
Communicate and Consult
WDMOC inc will communicate and consult with relevant internal and external stakeholders as appropriate at each stage of the risk management process.
Types of risk
(a) Risks can be classified into 5 types:
- 1. Strategic Risks - protection of intellectual property, loss of a major account, pursuing or not pursuing a new opportunity.
- 2. Operational Risks – breakdown of procedures or technology causing delays, data security, theft, fire, dealing with WHS risks.
- 3. Financial Risks - increase/decrease in interest rates, non-payment by a member/s, managing bad debts.
- 4. Compliance – failure to comply with a regulation or standard, breach of contract, responding to the introduction of new legislation.
- 5. Environmental - external risks that WDMOC inc. has little control over such as pandemics, natural disasters, global financial crisis, changes in government legislation or policies.
Note: Risks can fit more than one type.
5. Categories of Risk
(a) The following risk categories should be considered one by one, with identified risks assessed against the following sources:
- 1. Compliance/Legal: includes compliance with legal requirements such as legislation, regulations, standards, codes of practice and contractual requirements. This category also extends to insurance.
- 2. Financial: includes cash flow, budgetary requirements, creditor and debtor management and other general account management concerns.
- 3. Health & Safety: includes the safety of WDMOC inc members. This extends from individual safety to public safety.
- 4. Reputation: the threat to the reputation of WDMOC inc due to the conduct of the club as a whole, or the conduct of members or other individuals associated with WDMOC inc.
- 5. Strategic: includes the planning, scoping and resourcing requirements for the establishment, sustaining and/or growth of WDMOC inc.
- 6. Operational: includes the management of equipment, resources (including people), technology, timeframes and people associated with the management of WDMOC inc.
- 7. Service delivery: relates to the delivery of services, including the quality and appropriateness of service provided, or the manner in which a service is delivered, including Member and public interaction.
- 8. Security: includes the overall security of the assets and people, and extends to security of information, intellectual property, and technology.
- 9. Product: extends to the operations and conduct of WDMOC inc events. It includes the general operations, appropriateness, development, training and development of officials, enforcement and technical standards.
- 10. Technology: includes the implementation, management, maintenance and upgrades associated with technology. This extends to recognising the need for and the cost benefit associated with technology.
Risk identification involves asking and answering the following questions:
- What can happen, where and when?
- How and why might it happen?
Both retrospective and prospective risks need to be considered.
Retrospective risks are incidents or accidents that have occurred in the past. Retrospective risk identification is the most common way to identify risk and the easiest. A risk is easier to understand if its impact has already been experienced. It is also easier to quantify its impact and to evaluate the damage. There are many sources of information about retrospective risks including:
- hazard or incident logs
- member surveys
- newspapers or professional media, such as journals and websites.
Prospective risks are harder to identify. These are things that have not yet happened, but might happen in the future. Identification should cover all risks, whether or not they are currently managed. The plan will be to record all significant risks and monitor the effectiveness of their treatment.
Methods for identifying prospective risks may include:
- brainstorming with members and external stakeholders
- researching the economic, political, legislative and operating environment
- interviewing members to identify potential problems
- flow charting a process
WDMOC inc will implement a top-down bottom-up approach to identifying and prioritising risk:
“Bottom Up” system: The objective is to ensure a comprehensive identification and prioritising of all important risks, define and implement risk policies and processes that control daily decision making throughout WDMOC inc, and ensure a robust risk culture throughout the organisation.
“Top down” system: The objective is to provide the President and Committee with the top 5 to 10 most important risks which shape the club’s performance to ensure a risk dialogue among the management team. It will enable proper risk oversight by the committee.
This step in the process involves analysing the likelihood and consequences of each identified risk to determine its severity and ensure that relevant actions can then be implemented. The analysis generally uses a qualitative approach; however, from time to time a quantitative approach may be possible based on the data available.
To assist the analysis process, a five-by-five rating scale will be used. Through use of the rating scale, a clear picture of the degree of risk associated with each identified risk can be formed, allowing the Club to prioritise resource usage to manage the most critical risks.
Within the Risk Register, each identified risk is assigned a level for both Likelihood and Consequence, in line with the five-point descriptive rating scales detailed below. These figures are then multiplied together to provide a Risk Rating.
Risk analysis involves asking and answering the following questions:
What is the likelihood of the risk happening?
What will be the consequence if the risk occurs?
The rating scales are detailed as follows:
Qualitative measures of Likelihood
- Almost certain
Qualitative Measures of Consequence
- Extreme risks that are likely to arise and have potentially serious consequences requiring urgent attention
- Major risks that are likely to arise and have potentially serious consequences requiring urgent attention or investigation
- Medium risks that are likely to arise or have serious consequences requiring attention
- Minor risks and low consequences that may be managed by routine procedures
Risk evaluation involves deciding whether the identified risk rating is acceptable, after considering:
- the controls already in place;
- the cost impact of managing the risks or leaving them untreated;
- benefits and opportunities presented by the risk; and
- the risks borne by other stakeholders.
The outcome is a list of risks, with agreed priority ratings, recorded in the Risk Register.
Risk treatment determines what can be done in response to the risks that have been identified, with a risk rating of 10 or higher, to reduce, transfer, or eliminate the risk by implementing new controls or enhancing existing controls.
Treatment strategies will aim to achieve one or a combination of the following outcomes:
- risk elimination (avoidance or discontinuance)
- risk transfer
- risk reduction
- risk retention/acceptance (acceptance of risk and/or adequate controls).
- education & training
- administration controls (i.e., signage, policy and/or procedures)
- contingency planning
- risk transfer (including insurance).
The following steps will be utilised to assist in the development of effective risk treatments:
- identification of actions that will eliminate, reduce and/or transfer the likelihood or consequences of risks identified with a risk rating of 6 or higher
- determine the potential benefits and costs of each action, including the possible impact on WDMOC inc if the risk occurred, the reduced level of risk if the actions were implemented and the financial impact
- select the best action
- specify the “trigger points” at which the action might be implemented for those that have the form of contingency plans
- identify links to related processes or activities currently within or outside of WDMOC inc.
Treatment strategies will be recorded in WDMOC inc’s Risk Management Register. Responsibility for implementation will rest with the committee. Implementation will involve integration into existing policies/procedures.
6. RISK MONITORING AND REVIEW
The President and committee will periodically assess the effectiveness of risk treatment measures.
6.2 Risk Closure
When all recommended actions have been undertaken and the risk is either reduced to an acceptable level, eliminated altogether and/or transferred, the risk will be closed off. This process will involve the risk being updated to the status ‘closed’ on the Risk Register.
7. COMMUNICATE AND CONSULT
7.1 Communication and consultation play an integral part in WDMOC inc’s Risk Management. Using WDMOC inc’s established communication strategies, identified risks will be brought to the attention of relevant stakeholders. This includes:
- media releases (where necessary).