Appendix C: Risk Management Policy and Procedure

Risk Management Policy

The Righteous Bean understands the importance of monitoring and managing risks to our business. We aim to take a proactive approach to risk management in all areas of our business to help ensure the sustainability of our organisation. Our risk management process provides a systematic approach that continuously reviews and treats risks as they occur.

Types of risks

Examples of risks that may impact our business include:

| Risk area | Examples |
| --- | --- |
| Commercial and legal risks | Insurance issues, resolving disputes, contractual breaches, non-compliance with regulations, and liabilities |
| Economic and financial risks | Interest rate increases, cash flow shortages, customers not paying, rapid growth and rising costs, not achieving forecasted sales or income |
| Technology risks | IT infrastructure failures, problems associated with using outdated equipment or software, security of information systems |
| Operational risks | Reduction in customers or clients, poor client service delivery |
| Regulatory and government policy changes | Changes to legislation that impact industry growth or business |
| Management controls | Inappropriate objectives, mismanagement, inappropriate use of resources |
| Human resources | Loss of key staff, employee relations, conflict management, performance management, difficulty filling positions, conflict |
| Natural events | Earthquake, cyclones, floods, bushfires, droughts |
| Work health and safety | Workplace accidents and injuries or work ceasing due to safety issues |
| Property and equipment | Damage from natural disasters, robbery or vandalism |
| Security | Theft, fraud, loss of intellectual property, extortion or online security and fraud |
| Suppliers | Suppliers not being able to provide products or materials, issues with supply chain, shortages of vital resources |
| Market | Changes in consumer preference or increased competition |
| Utilities and services | Failures or interruptions to power, water, transport or telecommunications |

Why we manage risks

- Risk management is a fundamental part of sound organisational management.
- The organisation will not be able to eliminate all risks but they can take active steps to prevent or minimise the likelihood level and impact of risk by developing an organisational Risk Management Plan.
- An annual risk management plan should be prepared and reviewed as part of the Strategic and Operational Planning Process.
- By managing risks, the organisation is better placed to:
  - protect the safety and wellbeing of staff, customers and visitors
  - provide efficient and effective service and product delivery
  - manage and maintain facilities and equipment
  - improve confidence and public perception of the business
  - operate within the allocated budgets
  - protect or reduce likelihood of legal action
  - comply with legislative requirements.

Responsibilities for risk management

- All employees and management are responsible for identifying, reporting and managing risks.
- Managers and Team Leaders are accountable for implementing and maintaining sound risk management processes in their work areas. This includes creating a culture and environment in which employees are encouraged and supported to identify and manage risks.
- All project teams established by the business are required to conduct a risk assessment and treatment plan for the project.

Procedures

Reporting

Managers and Team Leaders:

- Report regularly on assessment and management of risks in work area.
- Ensure the recording of identified risks and their treatments using the Risk Management Plan for their work area every three months.
- Project team leaders must ensure that risks are identified and treated using the Risk Management plan. This must be conducted in the early stages of any project plan.
- Where extreme or high impact risks are identified, these must be reported to the Managing Director. Written reports should be submitted within 1 working day.

Managing Director:

- Review all risks identified and the measures proposed or undertaken to manage them. All Risk Management Plans must be forwarded to the Managing Director for final approval.
- Manage extreme and high impact risks that impact the entire organisation.
- Ensure resources are allocated to control risks.
- Monitor and evaluate the implementation of the Risk Management Plan.

Operational Planning

The Righteous Bean develops quarterly operational plans to focus the business on current and emerging objectives. The operational planning process includes a risk management assessment to ensure that risks are identified on a regular basis. The operational planning risk assessment process uses regular risk reporting from each team as a key basis for identifying risks. Team risk management plans provide information about current risks and existing risk treatment in place.

Risk management process

The following risk management process is to be used in all risk management assessments throughout the organisation. The only exception is WHS risk management, which follows a similar process but is aligned to the relevant WHS Code of Practice. Refer to the WHS Policy and Procedure for details on how WHS hazards and risks are managed.

Step 1: Consultation and communication

One of the most important aspects of the risk management framework is to ensure continual communication and consultation with all stakeholders. The Righteous Bean's risk management process includes ongoing consultation with team members, management, people who are impacted by any risk management activities, and in some cases, external stakeholders like customers, government agencies or consultants.

Communication and consultation is vital throughout the entire process for managing risk to ensure that:

- risks have been accurately identified
- controls for identified risks are adequate and effective
- "buy-in" from teams, management and other stakeholders is secured
- all stakeholders are engaged and committed to the risk management process
- the risk management process is effective and well embedded within the organisation, and its culture and processes.

Step 2: Analyse the context

- Consider the environment in which the organisation operates to establish the boundaries in which risks must be managed and guide decisions on managing risks.
- The financial, operational, competitive, political, public perception/image, social, cultural and legal aspects of the organisation's functions are all part of the risk management context.

Step 3: Identify the risks

Identify the risks (what can go wrong) that arise from all aspects of the environment outlined in Step 1. Include:

- Commercial and legal risks
- Economic and financial risks
- Technology risks
- Operational risks
- Regulatory and government policy changes
- Management controls
- Human resources
- Natural events
- Work health and safety
- Property and equipment
- Security
- Suppliers

Risk identification will be carried out by the following means:

- Discussion in management and team meetings to generate risk identification across the organisation
- SWOT analysis of risks relating to each business area
- Analysis of existing documentation from the following systems:
  - Continuous improvement systems
  - WHS hazard reporting systems
  - Accident and injury reports
  - Review of previous risk assessments
  - Review of audits conducted in the past

Step 4: Analyse and evaluate risks

Risks are evaluated using the following risk matrix, which considers the following:

1. Likelihood - A likelihood rating is determined on how likely or how often the potential risk could occur. The ratings are based on probabilities that are estimated by the risk assessors.
2. Consequence - A consequence rating is determined on the seriousness or consequences of the impact should the risk occur. These ratings are based on determinations of risk consequences estimated by the risk assessors.
3. Priority - A priority rating is determined based on both the likelihood and the consequence of the potential risk. The priority rating given to a risk determines the actions required.

Risk Matrix

Consequence ratings:

- Insignificant (Minor problem easily handled by normal day to day processes. No effect on budget)
- Minor (Some disruption possible. Over budget 0-5%. Injury that does not require trained first aider, eg papercut that requires a band aid)
- Moderate (Significant time/resources required. Significant delay. Eg: Unable to operate cafe or warehouse for 1-2 days. Over budget 5-20%, injury requiring first aid, small loss of customers)
- Major (Eg: Significant financial loss, unable to operate division or cafe for more than two days or meet customer orders, significant damage to reputation of business. Over budget 20-50%)
- Catastrophic (Eg: Business unable to operate for more than two weeks or indefinitely. Significant financial losses. Major reputation damage. Business survival at risk. Over budget 50% or more)

| Likelihood | Insignificant | Minor | Moderate | Major | Catastrophic |
| --- | --- | --- | --- | --- | --- |
| Almost certain (90% chance) | High | High | Extreme | Extreme | Extreme |
| Likely (50-90% chance) | Moderate | High | High | Extreme | Extreme |
| Moderate (10-50% chance) | Low | Moderate | High | Extreme | Extreme |
| Unlikely (3-10% chance) | Low | Low | Moderate | High | Extreme |
| Rare (less than 3% chance) | Low | Low | Moderate | High | High |

Risk ratings and priorities for action are determined as follows:

Risk Action Table

| Risk Rating | Required Actions |
| --- | --- |
| Low: Acceptable | Unlikely to require specific application of resources; Manage by routine procedures. Monitor and review. |
| Moderate: Acceptable | Unlikely to cause much damage and/or threaten the efficiency and effectiveness of the program/activity. Treatment plans to be developed and implemented by Division Leaders. Manage by specific monitoring or response procedures. |
| High: Generally not acceptable | Likely to cause some damage, disruption or breach of controls. Senior management attention needed and management responsibility specified; Treatment plans to be developed and reported to the Managing Director. |
| Extreme: Not acceptable | Likely to threaten the survival or continued effective functioning of the organisation, either financially or reputation wise. Immediate action required; Must be managed by senior management with a detailed treatment plan reported to Managing Director. |

Step 5: Treat the risk

Risk treatment options will need to be determined using one of the following options to manage the risk:

- Avoid the risk. The business might decide to simply stop doing whatever it is that was creating the risk.
- Substitute the risk. The business might choose to replace an activity creating risk with one that has less risk, or no risk at all (e.g. replacing dangerous or unreliable equipment with safer or more reliable equipment).
- Transfer the risk. The business might shift responsibility for the risk to another person or organisation (e.g. take out insurance against the risk).
- Reduce the risk. The organisation might reduce the likelihood or consequences of the risk by adopting a strategy such as regular training, progress reporting and monitoring of high risk activities or procuring physical or human resources to help address the risks.
- Accept the risk. If all other options are not available to the organisation, they might decide to accept the risk but put in place policies and procedures to manage it.

Mitigation strategies

Where risks are identified, mitigation strategies need to be put in place as control measures to eliminate, reduce or manage the risk. Examples of Risk Control Measures/mitigations include:

- Changing or creating policies, procedures and processes
- Staff training
- Information sharing
- Monitoring processes
- Internal auditing and inspections
- Personal Protective Equipment
- Procuring appropriate resources and equipment
- Contract Management and Administration
- Performance management systems

Step 6: Monitor and review

The Righteous Bean accepts that risks do not remain the same. The environment contexts change and other factors impact the business's operations. Risk controls will be regularly monitored. Each risk assessment will have an established review date that will ensure that risk controls and mitigations are reviewed for effectiveness.

Each quarter, the management team will review organisational Risk Registers to ensure that controls and mitigation strategies continue to be effective in managing risk. Risk identification will also be conducted on a quarterly basis so that new or emerging risks can be treated effectively.

Recording of risk assessment

Risk assessment should be recorded using the following documentation:

1. WHS risks are recorded using the Hazard Checklist and Risk Control Action Plan.
2. All risk assessments are to be recorded in the Risk Management Plan template.

Document record management

Risk management records may be generated in the form of hardcopy or electronic media. All records must be stored in an orderly manner and be easily identifiable so they can be efficiently retrieved for purposes such as:

- Evidence of legal compliance
- Evaluation and review
- Training needs.

Organisational risk management records are stored and maintained by the Managing Director's Personal Assistant. All team-based risk management should be maintained by the relevant Division Manager.

Auditing of risk management processes

Audits of risk management processes, including WHS risk management, will be conducted on an annual basis. The Righteous Bean will contract an external consultant to conduct an independent audit of our processes to ensure that risks are being managed effectively, and in compliance with WHS Legislation.
