Procedure - Risk Management

---

Purpose
1.	Definitions
2.	Commitment
3.	Process
4.	Accountability
5.	Coordination
6.	Reporting
6.1	Strategic Risk Register
6.2	Directorate/Business Unit Risk Register
7.	Risk Treatment Managers
8.	Business Continuity
8.1	Custodial Operations and Probation and Parole
8.2	Staff Training

Purpose

To provide for a systematic approach to identifying, assessing, monitoring and managing risks at the strategic, business unit and project management levels within Queensland Corrective Services. The concept of risk incorporates both uncertainty and opportunity, and is not limited to hazard only.

1. Definitions

“corrective services facility” - refer Corrective Services Act 2006, Schedule 4

2. Commitment

The Agency is committed to managing risk in accordance with the Financial Accountability Act 2009, Financial and Performance Management Standard 2009, and the process outlined in the Australian/New Zealand Standard for Risk Management (AS/NZS4360:2004). This procedure should be read in conjunction with the Department of Community Safety (DCS) Risk Management Framework.

Refer - Risk Management Framework (Department of Community Safety) (in-confidence)

The Agency is committed to using risk management as a tool to support organisational performance, defensible decision-making and to support accountability.

The Agency will ensure a suitable system of internal control and risk management and:

1. identify, analyse, evaluate and treat risks, including business continuity disruptions, which have the potential to adversely affect the achievement of business objectives; and
2. integrate risk management with strategic and operational objectives to assist with decision making.

3. Process

Documenting, reviewing, monitoring and communicating risk processes and outcomes form part of a continuous performance improvement process. Each stage of the risk management process must be appropriately recorded. Assumptions, methods, data sources, analyses, results and the rationale for decisions must all be recorded and are an important aspect of effective and efficient corporate governance.

The main elements of the risk management process are:

1. establishing the context within which risk management occurs, including the organisation context and the needs of internal and external stakeholders;
2. identifying risks - what, why and how things can go wrong;
3. analysing risks - determining the likelihood and consequences, given that existing procedures and controls are already in place to reduce the likelihood of something going wrong;
4. evaluating risks - determining what risks are acceptable and which are not;
5. treating risks - developing and implementing a plan to reduce the likelihood or impact of something going wrong;
6. monitoring risks - regularly reviewing the organisational context and internal controls to understand how changes can affect risks; and
7. documenting and reporting each stage in the process, aiming towards iteratively better levels of risk management.

Refer to - Risk Management Framework (Department of Community Safety) (in-confidence), Safety Risk Management Policy (Department of Community Safety); Guidelines for the Management of Risk; and Guidelines for Maintaining the Risk Management System; Australian/New Zealand Standard for Risk Management (AS/NZS4360:2004)

4. Accountability

The Commissioner for Corrections is accountable to the Director-General for ensuring that all risk management responsibilities are met within the Queensland Corrective Services division.

All deputy commissioners, executive directors, directors, and general managers are accountable for the implementation, integration and maintenance of sound risk management processes in their respective areas of responsibility.

All Agency staff are responsible for identifying and managing risk in their area of operation and reporting of those risks they cannot manage to their supervisors.

5. Coordination

Coordination and monitoring of risks at the departmental level is undertaken by the Audit and Risk Management Working Group

The Committee monitors the internal control and risk management environment within the Department of Community Safety.

6. Reporting

The Queensland Corrective Services Strategic Risk Register must be maintained by the Risk Management Coordinator, Queensland Corrective Services, concentrating on high to extreme risk. The high to extreme risks recorded in a Directorate or Business Unit Risk Register will be reported by the Coordinator to the Board of Management for review and analysis.

The Strategic Risk register must also include any risks pertinent to the Agency not otherwise included in business unit registers. For a detailed description of the processes and templates used in identifying, analysing, evaluating and monitoring risks refer to the Guidelines for Maintaining the Risk Management System.

6.1 Strategic Risk Register

The Strategic Risk Register must be updated-

1. quarterly;
2. in the event of a change of circumstances; and
3. when a critical event has occurred.

Strategic Risk Registers are subject to review by the Internal Audit Branch.

Risks of strategic significance (high to extreme) must be reported to the Director-General through the Board of Management.

6.2 Directorate/Business Unit Risk Register

Directorate/Business Unit Risk Registers must be made available to the Internal Audit Branch during the course of their operational audit program.

Risk Registers of each work unit must be updated-

1. quarterly;
2. in the event of a change of circumstances; and
3. when a critical incident has occurred.

Copies of updated Risk registers must be provided to the Risk Management Coordinator, Queensland Corrective Services, who must review the registers for consistency in defining, assessing and treating risk across the state.

7. Risk Treatment Managers

Generally, a risk of strategic significance (high to extreme) will have a single Risk Treatment Manager assigned to it, however, the Board of Management reserves the right to determine if more than one Risk Treatment Manager is required. Risk Treatment Managers are responsible for ensuring the reporting and coordination of the completion of risk mitigation strategies. Risk Treatment Managers are responsible for ensuring that mitigation strategy's are implemented and monitored.

8. Business Continuity

The Agency's Board of Management must oversee the Agency's compliance with the State's Counter-Terrorism Risk Framework, as well as the Agency's ongoing involvement in counter-terrorism activities and exercises.

This corporate role requires the identification of the nature and source of potential business interruptions (including acts or threats of terrorism), analysing the consequences of such events and implementing strategies to effectively mitigate and manage any disruption.

Interruptions can include, but not limited to:

1. natural disaster/s;
2. industrial accidents;
3. pandemic/s;
4. major disturbance/s;
5. a situation where access to a facility and/or information technology systems may be restricted; and/or
6. a situation where staff may be absent or unable to perform their normal duties for an extended period of time.

Refer procedure - Contingency Planning

8.1 Custodial Operations and Probation and Parole

Custodial Operations and Probation and Parole must develop a Business Impact Analysis (BIA) to identify processes that are to be implemented at a corrective services facility to ensure the successful recovery of critical services from an interruption to normal business operation.

Refer appendices - Business Impact Analysis (in-confidence); Guidelines for Completing Business Impact Analysis (in-confidence)

Correctional centres must develop a Business Continuity Plan (BCP) to provide recovery plans for identified critical services.

Refer appendices - Corrective Services Facility Business Continuity Plan Template (in-confidence); Guidelines for Completing Business Continuity Plans (in-confidence)

8.2 Staff Training

Appropriate training and instruction on risk management procedures must be developed and maintained by the Principal Officer, Risk (Department of Community Safety) to enable staff, supervisors and managers to discharge their responsibilities. Training may be delivered through induction programs, workshops and other facilitated seminars.

KELVIN ANDERSON
Commissioner

---