Risk Management in Risk Man Strategic Operational Corporate

Risk Management in Risk. Man Strategic Operational. Corporate Support Functions . DOHS . NAHRLS . RAHC . Aspen Aged Health Care. Operations . Aspen Corporate Health Projects. RAMSI . Origin Energy . Wheatstone . Customs . CSIRO . Royhill . WARAME . PNG Clinic

Purpose To explain the process for recording in Risk. Man: How to access the Risk Management section in Risk. Man How to enter Risk descriptions How to enter Risk assessments How to enter risk treatments How to enter risk effectiveness and acceptability How to conduct reviews • • • 2

Risk. Man provides: • Reporting of Incidents (Staff, Clinical, Patient/Visitor, Environment, Near Misses, and Hazards) • Capturing, Classifying, and Investigating Incidents • Feedback – Reporting Compliments, Complaints and Suggestions • Risk Registers – the full risk management process • Riskman also enables users to establish individual profiles and delegations 3

Logging onto Risk. Man Externally 4

Accessing Risk. Man Internally 5

Set up or Edit your Assigned Manager The Edit My Manager page allows staff to change the manager/s they report to: To access the Edit My Manager page o From the menu either select My Workspace Edit My Manager or o From the Home Page click on Edit My Manager icon under Miscellaneous • • 6

Set up or Edit My Manager 1. Highlight the manager to remove from the list of People you report to 4. Highlight the manager you report to from the list 5. Press Assign 2. Press Remove 3. Optional: Use these fields to filter the list of users to select as your new manager 7

Enter New Risk • 8 In order to enter the new Risk, you are required to click on “New Risk”

Enter New Risk • • 9 In order to enter the new Risk, you are required to: Go to My Workspace New Risk

Risk Entry Page 10

Risk Classification • • All the fields have drop down menu’s which provides options that you are required to complete. The first table is for the level of the Risk which includes: a) Strategic Risk b) Operational Risk c) Project Risk • The next field is the Project which includes all Aspen project (If your project name is not there please contact HSE Coordinator for assistance) 11

Key Personnel • It is very important to make sure the nominated Key Personnel for each Risk is correct. • This section includes Accountable Executive, Responsible Manager and Opened by (which has automatically been pre-field with your Riskman ID number) • In order to enter the people’s name you are required to press on the person’s head sign which is next to each field and it opens the box which you can type the required person’s name and it will automatically put that person’s name in to the box • The next field is Notify of Associated Incident next to the accountable Executive you may wish to tick “No” and Responsible Manager should be ticked as “Yes” 12

Key Personnel • The last section is ‘Reported to’ which means your manager’s name 13

Project / Work Activities • Enter a single one liner, in free style, on the Type of Work Activity • Enter a more detailed description of Project / Work activity • Risk Status is the next field which automated option is “Open” but you can also change it 14

Type and Description of Risk • Enter the “Type of Risk” which is a drop down menu that includes Aspen’s 10 areas of all type of risks • Enter the Risk Description phrasing following the technique below where you can: 15

Consequence Ratings Table Part 2: Consequence Risk Criteria Extreme Business/Service Delivery Significant loss of Government and / or industry support resulting in reduced appropriation. Loss of contracts Significant negative National media coverage for more than 3 days Operational Financial H&S/Clinical People Information & Security Communication Technology Essential services/objectives Serious financial loss Single fatality to staff or Gross staff Major release of toxic Multiple cases of Serious loss of systems Civil unrest of the project not delivered. ($1 m - $10 m) patient dissatisfaction resulting pollutants/Biological litigation resulting in due to infected viruses targeting medical Premature termination of Permanent or disability in loss of several key materials resulting in serious fines and centre project due to default. or health effects/ for staff and industrial long term damage to sanctions Notice of breach raised by the one or more staff or disputation – Significant environment and / or Potential Jail term Intruder in premises customer patients. loss of service delivery significant for Board Members Notification to capability compensation costs. WHS/OHS Regulator Multiple Key Performance Substantial financial Extensive injuries or Major staff Substantial release of Major regulatory Cyber. Crime / Malicious Major loss of Indicators not met. loss ($500 k - >$1 m) serous health dissatisfaction resulting toxic breaches resulting ICT attack from an equipment / Significant delays in multiple impacts/temporary in loss of some key staff pollutants/Biological in major fines external source vehicles / service delivery elements disability for one or and industrial materials Localised medications Multiple Complaints/concerns more staff or patients. disputation – major loss impact with significant raised by customers at the Potential Notification to of service delivery clean-up costs Assault at work or Corporate Level WHS/OHS Regulator capability leisure Major Substantial loss of Government and / or industry support resulting in discussions for reduced appropriation and/or reduced appropriation. Substantial issues with contracts Negative National media coverage for up to 2 days Moderate Concerns raised by government/stakeholders resulting in informal and/or formal briefings to key government /stakeholders Some disruption to service delivery and contracts Adverse local media coverage for less than 2 days Single Key Performance Noticeable financial indicator not met. loss ($50 k - >$500 k) Moderate delays to a single service delivery element Complaint/Concern raised by the customer at the Corporate Level Some negative local media coverage for less than 2 days Minimal impact on serviced delivery but actions to be implemented Multiple complaints / concerns Minor financial loss ($5 First Aid injury or minor Localised and raised at the project level by > $50 k) health impact to staff or moderate impacts to the customers regarding patients staff productivity multiple elements of service delivery. Some impact on capacity of project to meet objectives. Slight delays to some project activities. Minor complaint / concern Negligible financial loss No injuries/illnesses to Localised and minimal raised at the project level by (>. $5 k) staff or patients impacts to staff the customers regarding productivity service delivery Minor delays to some service delivery activities that can be overcome by effective project management Minor Insignificant No immediate impact on service delivery but requires some remedial action No adverse local media coverage Environment Medical treatment Staff dissatisfaction Transient release of required and moderate with minor service pollutants//Biological health impact to staff or delivery disruptions and materials. . patients productivity Localised impact with Potential notification to no long term damage regulator and minimal clean-up costs Legal Regulatory Breach of IT security breaches resulting protocols in fines and sanctions Loss of radio communications Minor local release with Minor legal issues Failure of system to remedial action raised by regulators secure electronic required but does not result records in fines or sanctions No immediate impact No legal issues but requires some minor clean-up required Breach of security protocols Minor theft or vandalism of equipment Loss of communication Insignificant theft or equipment vandalism or graffiti

Likelihood Ratings LEVEL DESCRIPTOR LIKELIHOOD – DESCRIPTION 1 Rare Very unlikely that the situation in the defined consequences will occur 2 Unlikely Low probability that the situation in the defined consequences will occur 3 Possible Has occurred with the defined consequence 4 Likely to occur 5 Almost Certain The event will happen several times Chronic risk with history of occurrence Risk Management

Risk Matrix CONSEQUENCES LIKELIHOOD 1 Insignificant 2 Minor 3 Moderate 4 Major 5 Extreme 5 Almost Certain Medium High Extreme 4 Possible Medium High Extreme 3 Unusual but Possible Low Medium High 2 Unlikely Low Medium High 1 Rare Low Low Medium High Risk Management

Inherent Risk • • Inherent Risk means what is the Risk Rating without controls. You are required to enter the Consequence from a drop down menu which can be: a) b) c) d) e) Insignificant Minor Moderate Major Extreme In the next section, you are required to enter the Likelihood from drop down menu which can be : a) b) c) d) e) Almost Certain Possible Unusual but possible Unlikely Rare The Riskman will automatically choose the correct Inherent Risk Rating 19

Controls • Enter the “Controls” as many as you need in free style which are the current and planned controls to mitigate the risk. • Enter the “Effective Day” which in most of the cases is the day that you are entering the Risk. • And Last Reviewed “by who” and “when”? • Next Review “By who “ and “When” which is normally 6 months after the last review date and will be by the same person. 20

Residual Risk Acceptability Table RISK RATING RESIDUAL RISK LEVEL A Extreme risk Immediate Aspen Medical executive action required to eliminate or mitigate risk High risk Senior Aspen Medical management attention Unacceptable needed and management responsibilities specified for further action to mitigate risk C Moderate risk Manage by specific monitoring or response Barely procedures, develop more detailed actions as Acceptable resources allow to control risk D Low risk Manage by routine procedures, unlikely to need specific application of resources B DESCRIPTION OF ACTION AND RESPONSIBILITIES Risk Management ACCEPTABILITY Grossly Unacceptable Acceptable

Risk Control Effectiveness Table RATING Highly Effective Partially Effective Ineffective CONTROL EFFECTIVENESS Controls effectively reduce the likelihood of the risk/s escalating towards the consequences with routine assurances. Apply normal monitoring and review. Controls contribute to reducing the likelihood of the risk/s escalating towards the consequences. More work is required to improve effectiveness and routine assurances. Regular routine monitoring and review required. Controls have a limited effect on reducing the likelihood of the risk/s escalating towards the consequences and improve more frequent assurances. Enhanced effort needs to be undertaken to improve the effectiveness of the controls with a higher level of monitoring and review required. Controls do not reduce the effect of the likelihood of the risk/s escalating towards the consequences to a more improved acceptable level and provide assurances. Executive effort required to manage the risk on a highly frequent basis to ensure the controls are not escalating. Constant monitoring required and more frequent review necessary to provide assurances.

Assessment of Controls • After recording the controls, re assess the Risk to determine the “Residual Risk” levels as conducted previously – Consequence and Likelihood • Riskman will automatically count the Residual Risk and the score and the Risk Rating • Assess the “Control Effectiveness” level and Risk. Man will automatically enters the management plan. • The next section requires information regarding our Acceptability about the Risk Level. 23

Action Plan • Enter any actions and who is required to completed them in the “Action Plan” for any activities that need to be completed to compete the work on the Risk Register. Check your managers are correct 24

Action Plan • • • You may add any documents that you think may be relevant for the Risk under “Add Document”. You have an option to “Add New Journal Entry” which is the communication tool between the person who has entered the Risk and other parties who are involved in this Risk. Once you complete all the fields you can press “Save” and complete your entry. Check your managers are correct 25

Entered Risks - Risk Register • Once you have saved your Risk Entry Page the risk assessment is automatically saved in a Register. 26

Review Risks that you have entered In order to review the entered Risks, you are required to go to the main page of the Risk man system and from the tool bar, choose : My Workspace Review My…. . Risks • 27

Entered Risks Review Risks that you have entered • You can review the Risk Entry Page individually by entering into each Risk number. 28

Risk Register - Selection Settings Scroll down the “New Risk” page, see “Selection Setting” section which offers options: • Display You can choose from Risk Register, Deleted Risks, Entered Risks and Newly Assigned Risks. • Enter the number of the risks that you would like to see in one page in the “Row Count" • Other fields all have drop down menu which gives you lots of options to choose from and be able to choose your preference. • Once finished click on “Change View” to reset the register. 29

Excel Spreadsheet Option You can create an excel worksheet to report or review your Risk Register. • Scroll down the page in the Entered Risk page and on top of the Selection Settings you will see a toolbar - the last option in the Toolbar is “Export” • Once you press that button, you will see an alert that asks if you want to open the excel form? • Press “open” and an Excel Work Page will open with all the data which are in the “entered Risk” tables 1 2 30

Excel Risk Register Spreadsheet 31

Thank you • Are there any final questions? 32