173220775.

DOC
This document provides examples of the information to be included in different types of risk reports and the templates/ formats that can be used to report on risk. It is important to not that there is no one size fits all approach to risk reporting, and that any reports should reflect organisational preferences and board/ executive managements expectations and preferences.

Risk Profile
Purpose The Risk Profile Report provides a graphical representation of the placement of key risks on a heat map. This report provides a quick reference for Directors and Executives as to the organisations risk exposure. It helps to guide the allocation of resources to treat those risks, which pose the biggest threat, both in terms of likelihood and consequence. This report is a snapshot of the organizations current organisational risk profile. In addition, the Risk Profile Report will document the extent of risk rating changes that have occurred and explain the known or likely reasons for the change. The types of reasons that might be presented include: Change in operations Internal Audit findings indicate that controls are less effective than anticipated Implementation of risk treatment actions Change in the external environment, for example, creation of a new stakeholder body, and / or Knowledge of events that have occurred which raise either the likelihood of or consequence if an event occurs, for example, a competing business has begun a market poaching exercise increasing the likelihood of staff turnover. This report can be used to track the movement of risks and their specific ratings across the organisation and to develop an understanding of what factors (external / internal) can influence changes in risk ratings. It enables tracking of the effectiveness of risk treatment actions in reducing risks, while also supporting awareness of risk increases so that proactive management of these may occur. Information included The organisational risks plotted on its risk heat map. Beneath the heat map in the report, the following summary information is provided for each risk: Risk description Prior risk rating (Extreme, High, Medium, Low) Current risk rating (Extreme, High, Medium, Low) Any trend / movement that has occurred Reasons for change in risk rating Any improvements required The status of any approved treatment actions.

PAGE 1 OF 13

173220775.DOC

Risk treatment actions status - detailed

Purpose The Risk Treatment Actions Report contains a status update on progress against approved risk treatment actions. People are more likely to deliver upon what they are measured against. Therefore this report increases accountability for delivery against agreed risk management actions. It also provides comfort to Directors and Executives that risks are being treated as anticipated. Information included Risk description Risk rating Description of the risk treatment action Date for completion of risk treatment Person(s) responsible Status (e.g. in progress, completed) Additional comments (e.g. specific detail around the status)

Assurance coverage of key risks

Purpose The Assurance Coverage of Key Risks Report indicates which risks have been covered by assurance activities in the previous year and which are proposed to be covered over the coming year. This assurance can cover reviewing current control existence and effectiveness, as well as treatment action completion. Gaining assurance around key risks provides an objective review of self-assessed risk and control effectiveness ratings. Sometimes perceptions about a given risk may be incorrect. This objective assessment of risks provides comfort that the risk information, as contained in the risk register, is reflective of the actual situation. Information included Risk description Controls / treatments being covered by assurance activities Risk rating Trend (increase / decrease) Description of the assurance activities Previous year Description of the assurance activities Current year. The key findings of assurance activities, as they influence risk, would be reflected in the organisations Risk Profile Report within the reason for change column.

PAGE 2 OF 13

173220775.DOC

Risk management annual activity schedule and improvement Initiatives

Purpose The Risk Management Improvement Initiatives Report tracks progress against the risk management improvement initiatives approved to be implemented over the coming year. It provides assurance around the continual improvement of the risk management processes and practices. Information included Description of the initiative; Description of the risk management activity; Person(s) responsible; Date for completion; Status (e.g. in progress, completed); and Additional comments (e.g. specific detail around the status).

New and emerging risks

Purpose The New and Emerging Risks Report provides an opportunity to highlight emerging risks or add new risks to the risk register throughout the year. It is important to retain the risk register currency outside of the formal annual risk review process. Personnel from within the organisation would notify the Risk and Compliance Officer of any new or emerging risks. They would then need to be source the information for inclusion in this report. This report helps to develop awareness and understanding of the importance of managing new and emerging risks and provides a formalised structure for the reporting of these risks. Information included This report is a summary risk register that includes the following information: Risk description; Risk category; Risk rating; Causes; Impacts; and Current controls. The would then determine whether the risks contained in this report warranted inclusion in the risk register. Where risks are included in the risk register, the Audit and Risk Committee and the Board would have visibility of the new risk information in the Risk Profile Report.

Detailed risk register

Purpose The Detailed Risk Register Report contains all information contained in the risk register. All information provided in other risk reports should be reflected in the risk register. This report is only produced at completion of the annual risk review process unless otherwise specifically requested by the Board, Audit and Risk Committee or the . PAGE 3 OF 13

173220775.DOC
Information included Risk description; Risk category; Risk owner; Shared responsibility; Description of the cause / contributing factors; Description of the impact; Description of current controls; and Description of risk treatment information including action, responsible person, due date and status.

PAGE 4 OF 13

173220775.DOC

Templates (Examples) Risk Profile

Almost Certain Likely Possible Unlikely Remote LIKELIHOOD/ CONSEQUENCE 14 1 7 2,3 15 13 11 8 9,5,10 12,4 6

Insignificant

Minor

Moderate

Major

Extreme

Rank
1 2 3 4 5

Ref
6 8 9 5 10

Risk Category

Risk Description

Rating
High High Significant Significant Significant

Trend

Reason for Change

<reason for change> <reason for change> <reason for change> <reason for change> <reason for change>

Improvement Required?
Yes Yes Yes Yes No

Improvement Status

PAGE 5 OF 13

173220775.DOC
Rank
6 7 8 9 10 11 12 13 14 15

Ref
12 4 2 3 13 1 11 7 14 15

Risk Category

Risk Description

Rating
Significant Significant Significant Significant Medium Medium Low Low Low Medium

Trend

Reason for Change

<reason for change> <reason for change> <reason for change> <reason for change> <reason for change> <reason for change> <reason for change> <reason for change> <reason for change> <reason for change>

Improvement Required?
No Yes Yes Yes Yes No Yes No No Yes

Improvement Status

Key

Risks in red are new/ emerging risks Rows highlighted contain opportunities

Completed In Progress Overdue

Not Applicable
Improvement Status

PAGE 6 OF 13

173220775.DOC

PAGE 7 OF 13

173220775.DOC Risk Treatment Actions Status Detailed

Ref
6

Risk Description

Rating
High

Treatment Actions
1. 2. 3. 4.

Due Date
<date> <date> <date> <date> <date> <date> <date> <date>

Responsible Person
<person responsible> <person responsible> <person responsible> <person responsible> <person responsible> <person responsible> <person responsible> <person responsible>

Status
In progress Completed In progress Completed In progress In progress Completed In progress

Comments
95% complete (example)

Significant

1. 2. 3. 4.

Completed In Progress Overdue

PAGE 8 OF 13

173220775.DOC Assurance Coverage of Key Risks

Rank
1 9 5 6 4 8

Risk Description

Control / Treatment

Risk Rating
High Significant Significant Significant Significant Significant

Trend

Assurance Activities Previous Year Assurance Activities Next Year (i.e. internal audit, external audit) (i.e. internal audit, external audit)
None. None. None. Internal Audit. Internal Audit. Internal Audit. Internal Audit. Internal Audit. Internal Audit External Audit. None. None.

PAGE 9 OF 13

173220775.DOC

Risk Management Annual Activity Schedule and Improvement Initiatives Improvement Initiative Action Responsible Person Due date Achieved Comments

PAGE 10 OF 13

173220775.DOC
New and Emerging Threats and Opportunities Title: Category: Identify Risks Risk Description / Impact Cause Existing Controls Risk Assessment Completed By: Date Assessed: Analyse Risks Control Assessment Risk Assessment Evaluate Action Treat Risk?

Consequence

Likelihood

Avoid Risk. Accept Risk. Reduce Risk. Transfer Risk. Increase Risk

Risk Rating

PAGE 11 OF 13

173220775.DOC 5. Detailed Risk Register

Title: Category: Identify Risks Risk Description / Impact Cause Existing Controls Risk Assessment Completed By: Date Assessed: Analyse Risks Control Assessment Risk Assessment Evaluate Action Treat Risk?

Consequence Likelihood Risk Rating Risk Owner: Preferred Risk Treatment & Objective Treat Risks Monitor & Review Timelines Risk Rating Review / Monitor Insurance KRI

Avoid Risk. Accept Risk. Reduce Risk. Transfer Risk. Increase Risk

KCI

Risk Treatment / Action Plan

Accountabilities

Insurance Status Insurable? Insured?

Measurement and monitoring

PAGE 12 OF 13

173220775.DOC

PAGE 13 OF 13