@opexxx
Created August 23, 2023 20:16
risk checklist
1 Have the board and executive expressed their support for a risk management programme?
2 Have the risk committee (or equivalent) and the board reviewed and approved the risk policy/strategy?
3 Have you identified a person who will be responsible for implementing risk management?
4 Does the risk manager, or equivalent, have reasonable access to staff and management across the organisation?
5 Have you defined categories of risk relevant to your organisation and industry?
6 Do your risk categories reflect all operational risk areas of the business as well as more strategic risk categories?
7 Is there a clear organisational strategy (or objectives) articulated for the organisation?
8 Have you defined and agreed a likelihood scale to assess the potential for the risk to occur throughout the organisation?
9 Have you defined and agreed a consequence scale to help assess risk impacts across the organisation?
10 Does the organisation's consequence scale describe both financial and non-financial impacts?
11 Does the risk management framework consider the effectiveness of controls or risk treatments?
12 Is there an agreed template or format for recording risks and risk treatment information (a risk register)?
13 Has a risk policy been defined?
14 Does the organisation have a documented risk management strategy?
15 Do job descriptions of key stakeholders include responsibilities for risk management?
16 Is a formal project management methodology used to manage projects?
17 Is a mechanism in place to identify, assess, record and monitor risks on projects?
18 Has the organisation agreed what types and levels of risk are unacceptable?
19 Is there an agreed format/ template for reporting on risk?
20 Is there a process and/or template where new risks can be recorded by the executive and staff?
21 Is risk management or awareness training provided to all staff?
22 Does the risk manager (or equivalent) have access to the CEO, board and Audit/ Risk Committee when required?
23 Do staff know that they have a right and responsibility to assist in risk identification and escalation?
24 Do staff know who to report/ escalate risks to?
25 Do managers or supervisors know that they are responsible for managing risk in their area/s of responsibility?
26 Have the executive and the board provided guidance on what information they would like to see in risk reports?
27 Is there agreement on when and how often risk reports will be produced?
28 Have the recipients of risk reports been identified and agreed?
29 Can different risk reports be produced to meet different needs of stakeholder groups?
30 Has responsibility for managing/ treating specific risks been assigned and communicated to those responsible?
31 Are staff encouraged or incentivised to report risk or suggest risk reduction strategies?
32 Has a risk brainstorming workshop (or workshops) been conducted?
33 Have you considered the history of events and incidents in your organisation during the risk assessment process?
34 Has research been performed to understand common risks in the industry?
35 Have the executive and board considered risks relating to the achievement of key organisational goals and objectives?
36 Are risks identified during compliance reviews/ audits always added to the risk register?
37 Have existing controls been identified for risks during the risk assessment process?
38 Has the perceived effectiveness of controls been assessed by a person who understands the risk and the controls in place?
39 Has the risk register been updated in the last year?
40 Is the risk register updated throughout the year to reflect changes in risk and emerging risks?
41 Does the risk register record the job title of the person responsible for overseeing the risk treatment and monitoring process (the 'risk owner' or 'risk champion')?
42 Have you identified possible actions/ treatment plans that could help to reduce the risk level?
43 Have the benefits of a treatment approach been compared to the potential cost of the risk to determine the appropriateness of the treatment strategy?
44 Have risk treatment or action plans been documented and approved for important risks?
45 Have due dates/ completion dates been agreed for risk treatment actions and plans?
46 Is there a clear understanding of who will oversee the risk treatment selection and execution process?
47 Have key risk indicators (KRIs) been defined and agreed for key risks/ risk areas?
48 Are the organisation's physical assets appropriately insured?
49 Is a business continuity plan (BCP) in place for critical organisational functions/ processes?
50 Does your risk process follow the steps described in the AS/NZS 4360:2004 Standard (since superseded by AS/NZS ISO 31000)?
51 Does the Internal Audit function or equivalent review risk management processes?
52 Is an Internal Audit function/ process in place?
53 Do your internal auditors focus their time and effort on the most critical risks recorded in the risk register?
54 Does the organisation track changes in risk levels over time in order to understand trends/ changes in risk levels?
55 Has the risk policy been reviewed and approved in the last year?
56 Have the board and/or risk management committee (or equivalent) made an attestation in the annual report in accordance with the Victorian Government Risk Management Framework (if applicable)?
57 Is the risk process integrated with other organisational planning processes - for example is risk considered during the strategic planning, budgeting and audit planning processes?