This procedure provides information for all personnel who are responsible for risk management.


The objectives of this risk-based system of internal control are to assist Personal Audit Systems Ltd (PAS Ltd) in achieving its strategic objectives by:

  • Protecting our people and assets (financial, property, and information)
  • Facilitating optimal use of resources and providing a system for setting priorities when there are competing demands on limited resources
  • Assisting us to realise opportunities 
  • Providing stakeholders with grounds for confidence in the business
  • Supporting innovative decision making through recognition of threats and opportunities
  • Improving service delivery, reporting systems, outcomes and accountability


Barrier - An existing control. Includes systems and procedures already in place to mitigate risks.

Consequence - Collective sum of all impacts to the capabilities of an organization(s) including long term and indirect effects such as combined health, economic, and psychological impacts.

Environment - Conditions or influences comprising built, physical and social elements, which surround or interact with stakeholders and communities.

Escalation Factors - Conditions that lead to increased risk due to improvement or diminution of barriers or controls, eg. maintenance, failure to audit or inspect treatments or controls.

Hazard - Something which has the potential to adversely impact (ie. cause harm to) an asset if not controlled or if deliberately released or applied, eg. flammable liquids, trojan, virus etc.

Likelihood - The qualitative or semi-quantitative assessment or estimation of whether an event will occur. Used as a qualitative description of probability and frequency.

Impact - The immediate downstream result of a risk manifesting. Multiple direct or indirect impacts, when aggregated, form the collective consequence(s) of the risk event.

Risk - The effect of uncertainty on objectives.

Risk level - The relative measure of risk as defined by the combination of likelihood and consequence. 

Risk Management - The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects. The coordinated activities to direct and control an organization with regard to risk.

Risk Treatment - Measures that modify the characteristics of organizations, sources of risks, communities and environments to reduce risk.

Source (of Risk) - A real or perceived event, situation or condition with a real or perceived potential to cause harm or loss to stakeholders, communities or infrastructure.

Threat - An indication of something impending that could attack the system. Includes competitors, financial conditions, natural hazards, strategic threats such as a regional conflict or tactical threats such as impending physical attack, hacking, data modification, theft, and fraud.

Treatment - Controls that are proposed (i.e. not yet existing) to reduce or mitigate the likelihood or consequence of an event occurring, that is to reduce the residual risk. 

Vulnerability - The susceptibility of stakeholders, communities and environment to consequences of events.


Risk management is a core management requirement and an integral part of day-to-day operations. As individuals we all play our part in managing risk, and staff at all levels are responsible for understanding and implementing risk management principles and practices in their work areas.

All employees are responsible for applying the agreed risk management policy and strategies in their area of responsibility and are expected to:

  • Ensure that risk management is fully integrated with other planning processes and considered in the normal course of activities at all levels 
  • Identify and evaluate the significant risks that may influence the achievement of business objectives
  • Assign accountability for managing risks within agreed boundaries
  • Ensure that a risk-based approach is communicated to our people and embedded in business processes
  • Comply with internal and legislative standards which relate to particular types of risk
  • Define acceptable levels for risk taking and apply fit-for-purpose mitigation measures where necessary
  • Design, resource, operate, and monitor internal risk management systems
  • Monitor the effectiveness of the system of risk management and internal control 
  • Report identified weaknesses or incidents to executive management in a timely fashion
  • Provide quarterly risk management and treatment progress reports to executive management

The Managing Director is responsible for the development, coordination, and dissemination of the Risk Management Framework including monitoring and reporting systems capable of identifying and reporting new and evolving risks. The business will coordinate training and assistance regarding implementation of the risk management framework, and ensure adequate information is available to all staff.


  1. Establish the scope, context, and criteria.
    Define the stakeholders and review the levels of acceptable risk using tools such as consultative groups and develop risk evaluation criteria. Successful RM requires the effective engagement of stakeholders and subject matter experts. Effective engagement enables the strategic management of uncertainty and develops resilience amongst those involved. RM goes far beyond being a technical or political process - it is also a communications process. Context includes objectives, resources, assets, and capabilities as well as strategic, operational, and tactical considerations. Criteria include risk attitude and tolerance as well as external, internal, and risk management considerations. Scope addresses timeframe, geographic regions, asset classes (eg: physical, logical, financial) and logical or virtual domains.
  2. Identify risks.
    Identify and describe the sources of risk, stakeholders, communities and environments. Scope the vulnerabilities and describe the risks. There may be great diversity of opinion on the actual risks and their various sources, given different perceptions, knowledge and experience.
    Risks should be documented and described using the CASE acronym:
    1. Consequence: What resources or assets could be affected and what would be the likely impact on objectives?
    2. Assets: What assets, capabilities, or resources would be impacted or modified?
    3. Source: What is the source of the risk, and what hazards are involved?
    4. Event: What is the singular risk event that is being evaluated by this risk statement?
  3. Analyse risks.
    Analyse the risk associated with the problem by determining the likelihood and consequence of the identified risks. Tools used for this analysis should be appropriate to the scale and scope of the risk assessment and may include qualitative, quantitative, or semi-quantitative methods.
  4. Evaluate risks.
    Compare risks against risk evaluation criteria, prioritise the risks and decide on risk acceptability.
  5. Treat risks.
    Identify and evaluate the treatments. Respond to the level of risk by deciding which source of risk, stakeholders, communities or environment can be addressed, either by increasing resilience or robustness, to reduce risk. Model changes to obtain the new level of risk. Select treatments, plan and implement.
    Tools for developing this risk analysis include:
    1. Cost/Benefit Analysis
    2. Business case analysis
    3. As (Appropriate, Agreed, Actionable, Achievable)
    Risks may be treated in the following ways:
    1. Accept the risk
    2. Share the risk (eg: insurance or outsourcing)
    3. Manage the likelihood of the risk occurring
    4. Manage the consequence of the risk occurring
    5. Eliminate the risk (eg: by ceasing the activity)
    6. Exploit the risk (for positive risks)
  6. Communication and consultation.
    Where stakeholders and communities contribute to the decision-making process there is a much larger pool of information and expertise to enable appropriate solutions to be developed. For catastrophic events communication and consultation is extremely important. Communication and consultation develop resilience amongst stakeholders and communities and will be invaluable in terms of regaining control of business activities.
  7. Monitor and review.
    Systems that monitor and review risk, and its management, must be established and maintained. Latent and residual risk are ever-present. RM must be ongoing to ensure that change and uncertainty can be accommodated.


Each stage of the risk management process is appropriately documented to retain knowledge and satisfy audit requirements. Documentation includes objectives, information sources, assumptions, methods, decisions, and results. At each stage of the process, documentation will include:

  • Objectives
  • Information sources
  • Assumptions
  • Decisions