DOCUMENT 1
FOI 20/21-0854
Risk Management
Guide
November 2019
ndis.gov.au
Page 1 of 35

FOI 20/21-0854
Risk Management Guide
Objectives
This document is a guide for NDIA staff to use in identifying, assessing, managing and reporting risk
across the agency. It provides guidance on the risk management process that each of the divisions
is expected to apply as part of its annual business planning processes.
How to use this guide
The NDIA has developed criteria, aligned with our corporate plan aspirations and goals, to support a
consistent way for us to:
a. Identify risks through the decision making and planning process
b. Consider the relative significance and priority of different risks;
c. Inform decisions on whether actions and resources currently in place are sufficient to manage
the risk and what else is required.
These criteria can also be used to inform decisions on the escalation of risk. Separate risk appetite
and tolerance guidance has been developed which will be the primary tool used for risk acceptance
and escalation. This guide outlines:
The steps that each Division is required to undertake in relation to the risks that it faces.
Areas of consideration when carrying out these steps.
Templates to assist you in carrying out these steps.
The overall process is described in the diagram below:
Diagram 1.
Familiarise yourself with the complete process before using this guide and commencing your annual
business planning activities. The outputs of this process should be captured in the Divisional Risk
Action Plan or the Regional Risk Snapshot. Further information and guidance on this process can be
provided by the Risk Champion in your area or by contacting the Enterprise Risk Branch.
1. Identify
1a. Consider the external and internal environment
The identification of risk should include both external and internal sources of risk as well as the risks
that are inherent in the work the Agency is doing. The NDIA has developed a risk taxonomy
(Appendix B) that provides sources and examples of risk that can be used to assist the identification
process. To ensure appropriate identification of risk it is important that input is sought from a
sufficiently broad group of stakeholders and sufficient sources of information.
1b. Identify key risks to the achievement of objectives
Risks should be considered during the Annual Planning Cycle, the Monthly Performance Review,
Project Planning and whenever a key decision or change to process is being made. The 6D decision
model that is used in key decision making contains a step for the identification of risks.
Risks will be identified and described under three key components:
Risks are uncertainties which, if they occur, would negatively affect achievement of the objectives.
What might inhibit the ability to meet objectives?
Causes are events or sets of circumstances that give rise to uncertainty (risk). What may cause the risk
to occur?
Impacts (effects) are unplanned negative variations from objectives, which would arise as a result of
risks occurring. What can happen if the risk occurs?
In generating the description of these three components, it is necessary first to identify what might happen (the
risk name), then consider the possible causes that lead to the uncertain event or risk, and finally identify the
impacts that arise if the risk were to occur. A risk may have one or more causes and, if it occurs, one or more
impacts.
1c. Consider and share what you learnt from previous experiences
A source of information that should be considered is the review of previous experiences, to understand
how actual performance differed from the expected outcomes and what caused the variance. This
information can be used to inform potential risk areas for consideration and highlight any biases that
may have prevented appropriate identification of risk previously.
Risks identified should be documented in the Risk Action Plan (insert hyperlink) and assigned a risk
owner that will be responsible for the overall management of the risk.
2b. Assess the potential consequences.
In determining the potential consequences of a risk if it eventuates, consider the corporate aspirations
to form a view of what the risk may impact on and how bad the impact could be.
Using the table below, select the most applicable aspiration and metric (e.g. participant satisfaction)
and then determine what impact the risk could have on that metric (e.g. significant and sustained
underachievement would be considered ‘Five Severe’). For any risk there will typically be more than
one aspiration that could be impacted. In this instance, it is important to identify the most material
consequence, as this will help in the prioritisation of risk actions.
Table 3. Risk consequences on NDIA aspirations
3. Manage
3a. Identify and document any additional actions that are required.
If step 2a has identified that the current actions in place to manage the risk are not sufficient, or if the risk rating is
still too high against the risk appetite of the agency, then consideration should be given to what else can be done to
better manage the risk on a cost-effective basis.
When thinking through additional actions, things to consider include whether the action will:
Reduce the chances of the risk occurring (preventative)
Reduce the consequences if the risk does occur (post-event management)
Limit the variability around a certain outcome
Consideration should also be given to the:
Resources required to implement
Ongoing resources required to operate
Time required to implement (i.e. Certain risks may be more time sensitive than others)
Capacity for the Agency to accept the change and alignment with any other initiatives underway
Any additional actions that are agreed should be documented in the Risk Action Plan with assignment of clear
deadlines and accountabilities.
4. Monitor and Report
Monitoring and review of Risk Action Plans is an essential ongoing component of the risk cycle as it will:
detect any changes to the internal and external context
identify emerging risks
measure performance of risk actions in place
provide oversight and governance of risks and treatments
assess if the risk has changed and requires escalation, or is no longer valid and can be archived from the
risk action plan.
Consistent reporting of risk will:
support stakeholder engagement and accountability in the process
include the right people to help to reduce uncertainty
provide information and reports to relevant stakeholders
create opportunities to collaborate, advise and provide expertise to assist the process
increase awareness of risk management and its value
improve the decision-making process.
4a. Document the outcomes of your work in the risk action plans. Update and report on them
regularly.
The ongoing monitoring of risk exposures and the effectiveness of current actions in place is an important
component of the risk management process, providing the opportunity to refine activities as circumstances change.
The process of monitoring is through the review and update of the Risk Action Plan on a quarterly basis. In
addition to this there should be continuous and regular discussions on the progress of risk management actions
and the levels/ratings of risk.
The review of the Risk Action Plans will be facilitated by the Risk Champions, but the Risk Owners should drive the
review, assessment and update of the Risk Action Plan. When a significant change occurs within the division or
region, or a critical decision is being made, a review of the Risk Action Plans should also occur.
4b. Report any significant changes in risk as required
The Risk Action Plan is reviewed and updated on a quarterly basis and reported through to the Enterprise Risk
Committee for review.
In addition, any incidents and significant risks should be escalated as and when they happen.
At least once a year each Divisional General Manager is required to report to the Enterprise Risk Committee to give
a more detailed overview of the risks to their area and key actions that are being taken to manage the risks.
The main risk reporting activities and outputs are outlined below.
Table 6.
5. Learn
5a. Consider and share what you learnt from previous experiences.
A key component of a risk management cycle and one of the key risk behaviours at NDIA is that staff share and
learn from the NDIA’s mistakes and successes. Whenever the risk management cycle is used or whenever the
Risk Action Plans are reviewed and updated there should be an element of looking back to understand what
happened previously and how that differed from expectations.
This information can be used to inform potential risk areas and mitigation strategies for consideration. Insights
gained from the exercise should be shared with the rest of the Agency on a regular basis.
The Risk Champion network is in place to facilitate this process but Divisional and Regional Managers should also
look to share risk learnings at meetings and forums that they attend.
Appendix A – Risk Action Plan
DOCUMENT 2
Risk in Change
Guide
December 2019
ndis.gov.au
Table of contents
Risk in Change Guide ........................................................ 1
Table of contents ........................................................... 3
1. Introduction ............................................................. 4
1.1 Context of Risk in Change ............................................... 4
1.2 Purpose of this Guide ................................................... 5
2. What is Risk in Change? .................................................. 5
3. Objectives and Benefits .................................................. 5
4. Scope of Risk in Change Activity ......................................... 6
5. Risk in Change Process ................................................... 7
6. Risk in Change Governance ............................................... 12
7. The Roles and Responsibilities .......................................... 13
Helpful Links .............................................................. 15
Attachments ................................................................ 16
ndis.gov.au November 2019 | Risk in Change Guide
1. Introduction
1.1 Context of Risk in Change
The scale, pace and complexity of change required to implement the NDIS brings with it
considerable uncertainty. To address this uncertainty the Agency has largely managed risk
within business areas and programs/projects.
However, it is also acknowledged that any change driven by a ‘project, or a business
improvement delivered within a business area’, has the potential to impact the activities of
other projects or business areas. Our change management approach has always been
focused on mitigating risks and impacts to the business as a result of the change delivered
from projects to business areas, however, there has not been a framework to capture these
risks in any formal way. Risks associated with change were variably reported from projects,
and were not often transferred to impacted areas.
To ensure our approach to managing risk within NDIA is comprehensive, the Agency is now
implementing Risk in Change practices that essentially integrate our existing, well
established Enterprise Risk Management Guide and Change Management Framework
(Attachment 1 and Figure 1 below).
Figure 1 Risk in Change Architecture
This Risk in Change Guide supports the NDIA Risk Management Strategy by helping to build
a robust, high-performing, professional and systems-based Agency that continues to
improve its practices through six areas of focus:
Culture and behaviour – we are risk aware and sensitive to financial sustainability
and positive participant outcomes
Operating model and risk governance – ensuring the way we work is contemporary
and reflects better practice in risk management and governance
Leadership – our leaders setting the ‘tone at the top’ to reinforce the importance of
being prepared for risk
Capability – building the skills and insights of our staff and community partners
Processes and approach – ensuring a risk lens informs the way we think and act
Supporting infrastructure – establishing what is needed to operationalise the RMS
1.2 Purpose of this Guide
This Guide is built on the Agency’s commitment to high quality risk and change
management, as described in its Risk Management Strategy and Change Management
Strategy respectively.
The purpose of the Guide is to build an understanding of how to successfully implement Risk
in Change practices within the NDIA and specifically aims to:
explain the context of Risk in Change and the scope of its implementation
explain the objectives of Risk in Change and the benefits to be achieved
explain how Risk in Change is an integration of the NDIA's enterprise risk management
and change management frameworks
describe the Risk in Change management phases and steps
describe how Risk in Change is incorporated into the Program Execution Framework
explain the roles and responsibilities for implementing Risk in Change
provide guidance on available Risk in Change management tools and templates
provide a common language when communicating about risk in change
embed consistent Risk in Change methodology throughout the Agency
2. What is Risk in Change?
Let’s break it down…a risk is, by definition, the effect of uncertainty on objectives and
change is to make something different.
Risk in Change is the process of identifying and managing risks resulting from a
business improvement and associated change, implemented within a
program/project or business activity, that can impact on Agency aspirations/goals
and delivery of business processes (unintended consequences).
Delivered Risk is a risk impacting the objectives of the business area, or
program/project, which will receive the change (people, process, system).
3. Objectives and Benefits
By implementing a structured approach to identifying and managing delivered risks it is
expected that key stakeholders (including business process owners, product owners, project
owners, project managers, change managers, and risk partners) will have an understanding
of how:
the change being implemented by their Project or business activity can potentially
impact other areas of the NDIA, and that these impacts will be acknowledged as
delivered risks in their risk management activities
their activities can potentially be impacted by changes being implemented in
other areas of the NDIA, and will incorporate associated delivered risks into their risk
registers
While project delivery risks and business risks are largely managed internally, it is clear that
the successful implementation of a Risk in Change process requires effective engagement
and collaboration between business areas and projects.
Formal consideration and incorporation of Risk in Change practices, within a project or
business area, will lead to:
a more complete understanding of your entire risk exposure
clearly identified areas/processes of the Agency impacted and where
control/treatment needs to be focused
more confident and improved decision making
more effective allocation of resources
continued maturing of the Agency Risk Management Framework
4. Scope of Risk in Change Activity
Risk in Change practices will be implemented in any area of the NDIA's operations where a
change driven by a project or business area has the potential to create a risk in another
project or business. Figure 2 below highlights that risks can be delivered between
programs/projects, from programs/projects to business areas, and between business areas.
Figure 2: Scope of Risk in Change Activities
Risk in Change practices can either be formally implemented through PMO-coordinated
projects, facilitated by a dedicated Change Manager and Project Manager, or ‘less formally’
implemented within a business area using internal resources and facilitated by the relevant
First Line Risk Partner (Figure 3). In this situation the change management tasks are not
always undertaken, as indicated by the dashed line box in Figure 3. Change management
tasks can, however, be completed by the First Line Risk Partner, or a business area
representative(s), assuming they have participated in change management training and are
capable of effectively completing the change templates, etc., located on the intranet.
Assistance can be provided by Enterprise Change.
In the future, as the change and risk management frameworks are further adopted by
business areas, it will be expected that the risk in change process will be formally
applied to all change initiatives within the Agency.
Figure 3: Implementing Risk in Change
5. Risk in Change Process
The Risk in Change process is effectively the integration of existing enterprise risk and
change management frameworks.
It is important to note that the change management process may vary depending on project
size, complexity and time factors. However, the change process indicated in the figure
below is a good indication of the types of change activity as they occur across a typical
project lifespan. In line with this flexibility, the risk process can commence at whatever
stage the change management approach commences.
Figure 4 shows the Risk in Change Process (Change and Risk Processes), and how the
Risk in Change process is deployed across the key phases of the NDIA Project Execution
Framework (PEF).
Figure 4: Risk in Change Process
It is worth highlighting again that for the Risk in Change process to be successful there
must be engagement between the project team (project owner, change manager, project
manager) and the business area receiving the change (business process or product owner,
first line risk partner …) from project commencement to completion. This ensures that any
delivered risks are well considered, relevant and agreed between project and business
teams throughout project delivery, thereby avoiding any ‘surprises’ at project closure and
handover.
The key stages of the Risk in Change process, highlighted in Figure 4, are summarized
below. The NDIA’s Risk Management Guide and Change Management Guidelines provide
further information on the Risk in Change process stages.
Stage 1 High Level CIA
At the commencement of a change activity (“Conceptualise Phase” in the PEF), a “High
Level Change Impact Assessment” (HLCIA) is completed to determine the size and
complexity of the change impact to:
service delivery stakeholders including participants, providers, Partner LAC, service
delivery staff, and national access and workflow
NDIA national office groups and divisions
size, scope and risk associated with the change
The outcome of the assessment will determine if the proposed change impact is either
“Major” or “Minor”. A Minor impact is often limited to a specific group or team, whereas a
Major impact often affects multiple groups or divisions, internally and/or externally.
Stage 2 Delivered Risk Identification
If the HLCIA determines the change impact to be “Major” this triggers the requirement to
undertake a ‘delivered’ risk assessment, consistent with the approach described in the NDIA
Risk Management Framework. A delivered risk review meeting needs to be held with
appropriate project and business representatives at the ‘Conceptualise’ Project Phase (see
above) to identify the delivered risks associated with the change. To support this risk
identification process the NDIA's “Risk Categories” can be referred to for ‘prompts’
(Attachment 2). These risks are captured in both:
“PPM Tool” by the Project Manager, working closely with the Change Manager, and
are referred to as ‘Delivered Risks’ in the Tool
“Risk Module” in the Insight Tool, by the applicable First Line Risk Partner, and are
referred to as ‘Operational Risks’
Note that a “Minor” change impact from HLCIA does not preclude the project and business
teams from identifying and recording any delivered risks.
Stage 3 Change Strategy (Parts 1 & 2)
If delivered risks have been identified, high-level mitigating actions are identified in the
Change Strategy.
The Change Strategy provides an overview of the change characteristics, scope and
change vision for an initiative. The strategy also defines at a high level the approach to
be taken for elements including but not limited to:
stakeholder communication requirements and timelines
training requirements, timeline and approach for the stakeholder group
activities to be included in the Business Readiness to Go-Live checklist
support strategy to handover to the Business
The Strategy describes at a high level the sequencing of such activity in order to take
impacted stakeholders through the change in such a way that they have the desire,
knowledge and ability to adopt the change in a sustainable way.
Stage 4 Delivered Risk Assessment and Treatment
While the Change Strategy is being updated an assessment of the identified delivered risks
is conducted to determine the risk rating (significance of the risk). If a delivered risk is
impacting on a business process or product then it is imperative that the enterprise
‘consequence’ and ‘likelihood’ criteria, shown in the NDIA Risk Management Guide, are
referred to during this assessment. If however, a delivered risk is impacting on the delivery
of another project then the equivalent criteria used for project risk assessment, provided in
the “PPM Tool”, must be referred to. Key tasks to assess and treat the risk comprise:
identify the controls that are currently in place, within the impacted business area or
project, to manage the delivered risks
undertake ‘current risk assessment’ by determining consequence and likelihood
levels of the risk occurring with the current controls in place
determine the additional actions (treatments) that could be cost effectively
implemented, either during project delivery, or within the impacted business area, to
further mitigate the risk. Clearly any mitigation that can be implemented during the
change activity may eliminate the risk from ultimately being delivered into the
impacted business area or project, or at least reduce the significance of the risk
when delivered
undertake ‘treated risk assessment’ by determining the most probable consequence
and likelihood levels after additional actions have been applied
Once agreed, the risk assessment ratings, controls and additional actions are included in
both “PPM Tool” and the risk module in “Insight”, and also incorporated into the Change
Strategy.
Stage 5 Detailed Change Impact Assessment, Change Plan, and Risk Update
The Detailed CIA and Change Plan builds on the output of the HLCIA and Change Strategy
for each of the key stakeholders impacted by the change, and documents:
in detail, what is changing for each stakeholder and the impact of that change
the change impact rating (high, medium or low)
the type of change activity required
the actions necessary to mitigate the change
a sequence of activity to take the impacted stakeholders through the change
The information compiled in both “Insight” and “PPM Tool” needs to be regularly reviewed
during the project, with impacted business area representatives, to ensure it remains up to
date and is an accurate record of delivered risk information. A key consideration during this
review is to determine if any ‘additional actions’ (treatments) identified are being
implemented. Once agreed, the controls and additional actions are also incorporated
into the Detailed CIA and plan as change impact mitigating actions.
Stage 6 Business Readiness Assessment Dashboard
The purpose of the Business Readiness Assessment is to indicate the readiness status of a
change from a business adoption perspective and to ensure stakeholders (participants,
providers and staff) considerations are at the centre of our thoughts. It provides business
owners with a succinct summary of the readiness status of a change prior to the change
‘going live’. This information allows the business owner to make an informed decision to
proceed with the change or make alternate plans. The readiness assessment aims to
answer the question: Is the business ready to support the change and ensure it is a success
at implementation?
The Dashboard has a section indicating the status of delivered risks which must be
completed by the project team.
Stage 7 Project Closure (Change and Risk Inputs)
At the completion of a project a closure report is prepared by the Project Delivery Lead in
order to complete the business improvement (change activity) transition to business and
project closure process. The report includes the requirement for the:
Project Change Manager to document ‘Performance Against Change’ (change
objectives, change measures and change performance)
Project Risk Lead or Project Change Manager to summarise key risk information (risks
being delivered to the impacted business area, impacts if the risk were to occur, risk
rating, and the controls/treatments to mitigate the risk by the business area).
Assuming the required engagement between project and impacted business area
representatives has occurred throughout the project (i.e. from ‘Conceptualise’ to
‘Deploy’), the delivered risks listed in the Project Closure Report will have been
recorded as ‘Operational Risks’ in “Insight” for the impacted business area.
Therefore, their agreement for these risks to be transferred into the business, from
the project, will be a ‘formality’.
The interaction of the key risk in change activities, responsibilities, and supporting tools,
during the delivery of a change initiative, and transition into business as usual, is shown in
Figure 5.
Figure 5 Interaction of risk in change activities, responsibilities and supporting tools
Project Impacts on Business Areas Risk Profile
While not a prescribed stage in the Risk in Change process, it is highly recommended that the
Project Change Lead consults with the applicable First Line Risk Partner, one to two months
after project closure, to determine how the project change activity impacted the business
area’s risk profile (i.e. have the current risk ratings been increased or reduced as a result of
the change and delivered risks?). This is an informal consultation; however, it provides further
insight into how successful the change activity was.
6. Risk in Change Governance
The key Risk in Change activities, responsibilities, and supporting tools, as described
throughout this Guide, are incorporated into the NDIA's First Line and Second Line
governance model (Figure 6).
Figure 6 Risk in Change Governance
Helpful Links
Change Management
Program / Project Management
Risk Management
Attachments
Attachment 1
NDIA Risk Management Guide/Process
NDIA Change Management Process