Robot Limited

IGRC Facilitator Guide


INTEGRATED GRC TRAINING
FACILITATOR GUIDE

SAI GLOBAL LIMITED
Document Name: Facilitator Guide
Document ID: SAI-EDAUT 01.05 07/12
Date of Issue: 14th November 2012

COURSE OVERVIEW
PURPOSE
The purpose of this course is to provide an understanding of Governance Risk and Compliance as separate concepts and as an integrated set of drivers for an Enterprise Risk Management framework.

TARGET AUDIENCE
This training course is ideally suited to the following:
⦁ Risk Management Professionals – who are responsible for the successful implementation and ongoing management of enterprise risk management systems
⦁ Compliance Managers – who are responsible for managing compliance obligations (both internal and external) and the associated risks.
⦁ Managers in a leadership role – at a corporate, divisional or departmental level of an organisation who are required to lead or to comply with ongoing governance, risk and compliance obligations.

LEARNING OUTCOMES
The course incorporates the requirements of Standard ISO 31000: 2009 Risk Management – Principles and Guidelines and the management of such a system.

Upon successful completion of this course, participants will be able to:
⦁ Understand the concept of governance and its relationship to risk and compliance obligations.
⦁ Understand the concept of compliance and its relationship to risk and governance expectations.
⦁ Understand the links between governance, risk & compliance and identify appropriate areas for integration.
⦁ Establish infrastructure and processes for managing governance, risk & compliance requirements.
⦁ Understand what factors to consider when implementing risk management & compliance strategy.
⦁ Monitor and review system implementation.

ACCREDITATION
This course has been mapped to:
NATIONALLY RECOGNISED TRAINING

Participants who successfully complete this program and ALL of the associated formal assessment tasks will be eligible for a Statement of Attainment for the following competencies from the Business Services Training Package.

The competencies & their elements covered include:

BSBCOM501B Identify & Interpret Compliance Requirements

⦁ Clarify the Scope of Operations
⦁ Identify Compliance Requirements
⦁ Interpret, Analyse & Prioritise Identified Compliance Requirements
⦁ Document Compliance Requirements

BSBRSK501B Manage Risk

⦁ Establish Risk Context
⦁ Identify Risks
⦁ Analyse Risks
⦁ Select & Implement Treatments

RABQSA INTERNATIONAL

There are no RABQSA competencies attached to this program.


PARTICIPANT ASSUMED PRIOR KNOWLEDGE
Participants should have prior knowledge of the following disciplines or standards:
⦁ Basic understanding of the Standard ISO 31000: Risk management – Principles and Guidelines, 2009; and
⦁ Understanding of the Risk Management process and how it relates to their area of responsibility.

PARTICIPANT PRE-COURSE RESEARCH
Participants are sent pre-course research work to complete prior to attendance at the course to ensure they have a basic understanding of the Risk Management framework and process in use in their organisation.
Refer to Appendix One for a copy of the pre-course research work.
The findings of this pre-course work will be used at the end of Section Four: Enterprise Risk Management Fundamentals and, if appropriate, further referenced in Section Five: ERM Framework and Section Six: ERM Assurance Requirements.

ASSESSMENT REQUIREMENTS
Participants who attend this course in its entirety will receive a Certificate of Attendance.
Participants wishing to receive a Statement of Attainment for the nationally recognised units of competency are required to complete the required formal assessments associated with this course.
The assessment has been devised to correspond with the requirements of the associated qualification/units of competency, including skills, knowledge and critical elements. It consists of two assessment tasks:
⦁ Participation in class activities conducted over the duration of the course, observed by the trainer (recorded on the In-Class Assessment Activities Record); and
⦁ A post-course written work-based assessment task submitted within 3 months of the completion date of the training.

Participants are advised to ask for any further information, assistance or feedback that may be required.

No responsibility will be taken by SAI for assessments that do not reach their required destination.

PREPARATION
FOR THE FACILITATOR
This course is intended to be very interactive and is to be delivered in a facilitative manner. Please consider the following points when preparing to deliver the course:

⦁ Who has had experience in risk and compliance? Consider who is from “manufacturing” and who is from “service”. Also establish their position in their organisation.
⦁ Encourage participants to share, and work with, examples from their organisation.
⦁ When people are working in teams, try to group service people together and manufacturing people together. However, if there are two or more from the same organisation, they may wish to stay together.
⦁ Timings for this course are flexible to ensure that the needs of each individual group are identified. These timings can be changed, but the integrity of the course should not be compromised (i.e. do not miss sections, activities, or assessments).

FACILITATOR TIPS
The following tips highlight key points that will assist you in ensuring participants understand what is expected and gain the appropriate knowledge and skills from the training you provide.
⦁ Familiarise yourself with varying levels of participant experience and backgrounds. Encourage mutual respect among all present.
⦁ Encourage all participants to be involved in discussion and activities.
⦁ Contextualise concepts and principles – make information meaningful.
⦁ Encourage constructive debate where appropriate, be open to suggestion and if you don’t know the answer, note the point and get back to the participant(s) when you have an answer.
⦁ Summarise discussions, link relevant points and avoid going off topic.
⦁ Use open-ended questions to promote discussion and consolidate learning.

FOR THE PARTICIPANT
There is pre-course preparation required of participants for this course as follows:
⦁ Identify the Risk Management process used by their organisation; and
⦁ Using this information, complete the Self-Assessment questionnaire and bring the results to the course for general discussion and reference purposes.
Note: Refer to Appendix One for a copy of the Self-Assessment Questionnaire.
SECTION INTRODUCTIONS
The section introduction is a single page that briefly outlines that section. It provides the allocated timeframe for the section, background information and objectives; this will help you prepare a focus for the section and guide you in fulfilling the section objectives.
This introduction will also direct you to the accompanying slides, activities and evaluation covered throughout this section.
SECTION PLANS
Each section plan provides a detailed outline of what is covered throughout the program. It will guide you through the content to be covered, allocated time and activities, and point to supporting resources. Icons are used throughout the section plans to easily identify actions and resources.

ENERGISER ACTIVITY GUIDE
There are several types of activities you are likely to undertake during this training. Most activities are prescribed in the Section Plans, each being linked to specific content in a manner which will reinforce learning and challenge participants to a higher order of thinking.
Additional activities have been provided in Appendix Three; these activities are commonly known as Energisers. Energisers are used to refocus the group after a break or to inject some fun after periods of intense activity or prolonged concentration. They can be used purely as a game or as a light-hearted means of making a key point.

EQUIPMENT AND MATERIALS CHECKLIST
The following is a list of audio-visual equipment, stationery and resources that will be required for the classroom training.

Equipment
⦁ Training room to seat the number of participants
⦁ Whiteboard
⦁ Flipchart paper
⦁ Pens, flipchart textas, whiteboard markers, and Blutac
⦁ Laptop and computer speakers

Materials
⦁ Participant Guide
⦁ Facilitator Guide
⦁ Case Study (Healthcare for U) Handout
⦁ In-Class Assessment Activities Record
⦁ PowerPoint Slides
⦁ DVD Clip: Risk Maker Risk Taker
⦁ Post Course Assessment

Recommended Reading
Relevant ISO Standards relating to governance, compliance and risk, as listed below:
⦁ ISO 31000: Risk management – Principles and Guidelines, 2009, Standards Australia
⦁ ISO 31010: Risk management – Risk assessment techniques, 2009, Standards Australia
⦁ AS 8000: Good Governance Principles, 2003, Standards Australia
⦁ AS 8001: Fraud and Corruption Control, 2008, Standards Australia
⦁ AS 8002: Organisational Code of Conduct, 2003, Standards Australia
⦁ AS 8003: Corporate Governance – Corporate Social Responsibility, 2003, Standards Australia
⦁ AS 8004: Whistle-blower Protection Program for Entities, 2003, Standards Australia
⦁ ISO 26000: Guidance on Corporate Social Responsibility, 2010, Standards Australia
⦁ AS 3806: Compliance Programs, 2006, Standards Australia

PROGRAM ROAD MAP

Figure 1: GRC Training Road Map

Facilitator Note:
Please note that Section Five (5) runs over 2 days, so this road map is indicative of the sections that commence on each of the days. Section Five will not be concluded on the same day it starts.

PROGRAM SCHEDULE

Day 1
SECTION                                                          TIME
Program Introduction                                             9.00 am – 9.15 am
Section One: Integrated Governance, Risk & Compliance (GRC)      9.15 am – 10.30 am
Morning Break                                                    10.30 am – 10.50 am
Section Two: Governance Fundamentals                             10.30 am – 12.30 pm
Lunch Break                                                      12.30 pm – 1.15 pm
Section Three: Compliance Fundamentals                           1.15 pm – 3.00 pm
Afternoon Break                                                  3.00 pm – 3.15 pm
Section Four: Enterprise Risk Management Fundamentals            3.15 pm – 4.00 pm
Section Five: Enterprise Risk Management (ERM) Framework         4.00 pm – 4.45 pm

Day 2
SECTION                                                          TIME
Section Five: Enterprise Risk Management Framework (Continued)   9.00 am – 10.30 am
Morning Break                                                    10.30 am – 10.50 am
Section Five: Enterprise Risk Management Framework (Continued)   10.50 am – 12.30 pm
Lunch Break                                                      12.30 pm – 1.15 pm
Section Five: Enterprise Risk Management Framework (Continued)   1.15 pm – 3.00 pm
Afternoon Break                                                  3.00 pm – 3.15 pm
Section Six: Enterprise Risk Management Assurance Requirements   3.15 pm – 4.30 pm
Course Close-Out                                                 4.30 pm – 4.45 pm

FACILITATOR GUIDE ICONS
Facilitator led explanation
Question
Discussion
Activity
Participant guide
Flipchart
Answers / Note for facilitator
Observation Assessment Opportunity
Total duration of session

DAY 1 INTRODUCTION
Timing Action Outline Resource
Not applicable FACILITATOR BACKGROUND INFORMATION
To provide a real-life example of an IGRC Program, a basic review of the program in place at Brisbane Airport Corporation was undertaken to gain insight into the following aspects of the Program:
The details of the review are provided in Appendix

15 minutes INTRODUCTION TO INTEGRATED GRC TRAINING PROGRAM
EXPLAIN:
Welcome to the Integrated Governance, Risk and Compliance training program
This 2 day program is designed to provide the following learning outcomes:
⦁ Understand the concept of governance and its relationship to risk and compliance obligations.
⦁ Understand the concept of compliance and its relationship to risk and governance expectations.
⦁ Understand the links between governance, risk & compliance and identify appropriate areas for integration.
⦁ Establish infrastructure and processes for managing governance, risk & compliance requirements.
⦁ Understand what factors to consider when implementing risk management & compliance strategy.
⦁ Monitor and review system implementation.
The course is designed to encourage participants to consider risk management across the enterprise (organisation), with consideration of managing governance and compliance obligations.
Today we will be looking at basic principles, terms and definitions relating to Governance, Risk and Compliance, and how the integration of these concepts can provide the basis for a robust Enterprise Risk Management framework. Tomorrow we will consider the design, development and implementation of a framework to ensure risk is managed consistently and effectively across the organisation.
PARTICIPANT INTRODUCTION:
Ask each participant to introduce themselves to the other participants:
⦁ Name, company and role within that company;
⦁ Their experience related to this course?
⦁ Their learning expectations of this course?
HOUSEKEEPING:
EXPLAIN:
⦁ Start/Finish/Break Times and Places
⦁ Toilets and Facilities
⦁ Mobile Phones
⦁ Safety and Security, including emergency evacuation for the building
⦁ Valuables
COURSE INTRODUCTION:
Refer participants to the front section of their workbooks
EXPLAIN:
⦁ The learning outcomes in their workbooks, ensuring all participants clearly understand them.
⦁ The two-day course schedule in their workbooks, briefly explaining each of the topics to be covered.
Facilitator NOTE: Provide an opportunity for questions
POST COURSE ASSESSMENT
EXPLAIN:
Advise the participants that this is a unit of competency from a nationally recognised training package.
⦁ Explain to the participants that they will be assessed through a series of in-class activities conducted over the duration of the course, observed by the trainer (recorded on the In-Class Assessment Activities Record); and
⦁ A post-course written work-based assessment task submitted within 3 months of the completion date of the training.
⦁ Mandatory Facilitator Requirement to review the PCA at the conclusion of the course: Advise participants that an in-depth review of the Post Course Assessment (PCA) will be conducted at the conclusion of the course to provide them with the opportunity to seek clarification of the assessment tasks.
⦁ Ensure you allow sufficient time at the end of the course to conduct this review with participants.
EXPLAIN:
We encourage you to contribute to a positive learning environment for all by:
⦁ Fully participating in learning activities and working in groups.
⦁ Being responsible for your own learning.
⦁ Asking questions and contributing to the learning – don’t hold back!
⦁ Be open minded – “I would rather be proved wrong than right.” [Socrates]
⦁ Allow for differences of opinion.
⦁ Don’t write off new information until it has been put to the test.

SECTION ONE Introduction:
Integrated Governance, Risk & Compliance (GRC)
Time Approximately 1 hour
Background information The management functions and disciplines of governance, risk and compliance in mature organisations are becoming increasingly closely related, and organisations can benefit from a more collaborative approach.
Knowing the interactions that are required to integrate GRC is critical in achieving effective integration. The areas of most value may vary from organisation to organisation, so knowing which areas will present the most value is critical.
Section objectives ⦁ Understand the meaning of Integrated GRC
⦁ Understand the drivers for Integrating GRC
⦁ Understand the benefits of a collaborative approach to managing risk and compliance within a robust governance framework.
Slides 10-15
Activities Activity 1 – Drivers for Integrated GRC

SECTION ONE PLAN – Introduction to Governance, Risk & Compliance (GRC)
Timing Action Outline Resources

5 minutes TOPIC: INTRODUCTION TO SECTION
Review the topics that will be covered in Section One
⦁ Understand the meaning of Integrated GRC
⦁ Understand the drivers for Integrating GRC
⦁ Understand the benefits of a collaborative approach to managing risk and compliance within a robust governance framework.

5 minutes TOPIC: WHAT IS GOVERNANCE, RISK AND COMPLIANCE?
Discuss the diagram G-R-C Working Together, explaining the different components and how these have a direct relationship to the culture of the organisation.
Highlight to participants that there are many definitions; the PG cites a review of GRC definitions based on the work of Nicolas Racz (review his website to gain further background on this subject matter expert).

5 minutes TOPIC: WHY IS IT NECESSARY TO INTEGRATE GOVERNANCE, RISK AND COMPLIANCE?
Review the drivers for risk noted in the PG.
⦁ Increasing stakeholder demands on the business
⦁ Increased volume, speed and complexity of risk management & compliance
⦁ High costs to manage governance, risk management & compliance
⦁ Increasingly competitive business environment

20 minutes ACTIVITY 1: DRIVERS FOR INTEGRATION
Timing: Approximately 20 minutes
Facilitator Notes:
This activity is designed to generate discussion about what drives the need for an ERM framework in an organisation. Advise participants that the need can come from internal or external sources, and these needs must be understood to ensure the framework meets them in the manner and timeframe defined by stakeholders.
Participant Instructions
In your groups review the case study provided and discuss the following topics and their relationship to driving GRC management in the organisation.
Debrief:
Suggested answers to questions may include (but are not limited to):
⦁ Increasing Stakeholder Demands
    ⦁ Accountable to shareholders, owners, regulators, patients
    ⦁ Demands can include ROI, maintaining or enhancing reputation, legal compliance, quality of care and service
    ⦁ Accountable for operating the business in accordance with legal obligations and promises made to clients
⦁ Increased volume, speed and complexity of risks to an organisation
    ⦁ Strategic risks include damage to reputation, adequate cash flow, industry regulatory compliance
⦁ High costs to manage governance, risk management and compliance
    ⦁ Cost of duplicated effort (manpower and systems)
    ⦁ Poor information quality can lead to decisions that may be beneficial to one area to the detriment of another area of the organisation
    ⦁ Getting GRC wrong could simply mean we are focused on the obvious or easy areas where GRC requirements are known and easy to manage, whereas other, less overt areas such as reputation or sustainability are not easy to manage

10 minutes TOPIC: BENEFITS OF INTEGRATION
Integration does not mean consolidation. Rather the various GRC areas should adopt a common vocabulary, methods and, if appropriate, shared technology and shared services to be more effective, efficient and agile.
That way, improvements in one GRC area can be replicated in other GRC areas across the enterprise. And perhaps most importantly, integration provides a single version of the truth, when senior executives and the board ask questions like:
⦁ “What are the most important risks that we face?” and
⦁ “How do we know that the organisation is operating within defined boundaries?”
According to a study by Deloitte a few years ago, Regulatory Breach was identified as No. 1 of the Top 10 Risks for Australian Organisations.
This translates into an organisation's inability not only to map/identify regulatory obligations but also to apply change management (i.e. as external things change, how do we know what we need to change internally?), as well as to confirm that internal practice complies with external requirements.

10 minutes TOPIC: TRANSFORMATIONAL OPPORTUNITY OF INTEGRATING GRC
Hand out the Transformational Opportunity diagram sourced from the OCEG and facilitate a discussion about what the diagram is promoting, using the information in the PG and highlighting the key points:
⦁ Enterprise approach to governance, risk and compliance, where everyone in the organisation has a clear understanding of these elements and their responsibilities in adhering to the defined protocols.
⦁ Proactive approach to systematically managing risks across the organisation.
⦁ Adopting a holistic approach where synergies can be leveraged, i.e. communication and reporting on obligations.

5 minutes TOPIC: SECTION ONE EXTENSION & ASSESSMENT
Direct participants to the review information in their PG. Advise that it is intended to ensure the key learnings from the section are reinforced through a small number of questions.
MORNING BREAK – 15 MINUTES

SECTION TWO INTRODUCTION – Governance Fundamentals
Time Approximately 1 ½ hours
Background information This section aims to provide participants with an understanding of Corporate Governance and its role in an organisation providing guidance on behavioural standards and expectations when making decisions.
Understanding how governance expectations influence the approach to managing risk and compliance provides context for an Enterprise Risk Management structure.
Section objectives ⦁ Understand the role of corporate governance in contemporary organisations and its value.
⦁ Identify the elements of governance as either proactive or reactive.
⦁ Review the legal/regulatory and other guidance on corporate governance.
⦁ Know the role of both risk management and compliance in governance.
Slides 16-25
Activities Activity Two – Understanding Governance Expectations

SECTION TWO PLAN – Governance Fundamentals
Timing Action Outline Resources

5 minutes TOPIC: INTRODUCTION
Review the topics that will be covered in Section Two
⦁ Understand the role of corporate governance in contemporary organisations and its value.
⦁ Identify the elements of governance as either proactive or reactive.
⦁ Review the legal/regulatory and other guidance on corporate governance.
⦁ Know the role of both risk management and compliance in governance.

5 minutes TOPIC: WHAT IS GOVERNANCE?
Review the definition of Corporate Governance provided by the Organisation for Economic Cooperation and Development (OECD).
Ensure you highlight that the OECD definition refers to a “system” of “direction” and “control”. These terms of system, direction and control are referenced again in a later section of the course.

10 minutes TOPIC: GOVERNANCE PRINCIPLES
Discuss the range of Australian Standards providing guidance on corporate governance. They cover a range of behavioural factors that can have an impact on how the organisation responds to risk, in relation to both opportunities and threats that could impact the organisation.
Many organisations mandate a set of behavioural standards within a governance framework to facilitate the appropriate cultural environment that reflects their defined appetite to risk.
The standards provide guidance on how to achieve this outcome.

AS 8000 – Good Governance Principles is designed to enhance existing legislative guidelines around Governance relating to ownership (shareholders) and control (provided by the organisation's board or management team).
Highlight to participants that while the concept of 'shareholders' does not apply strictly in the public sector and not-for-profit entities (see footnote below for additional comment on this sector), the general principles of corporate governance translate across to these entities, with appropriate recognition of the different legal framework, types of stakeholders and purpose of the entity.
Footnote: FYI: There is currently a Bill under way that may place a regulatory framework across Not For Profit organisations (refer to the Joint Parliamentary Committee on Corporations and Financial Services in regard to the Australian Charities and Not-for-profits Commission Bill 2012, and to the Australian Charities and Not-for-profits Commission, which provides some information about consequential and transitional requirements). This may mean some changes are required to Not For Profit Governance & Compliance processes in the near future.

10 minutes TOPIC: GOVERNANCE – SETTING DIRECTION AND ESTABLISHING CONTROL
The earlier reference to the terms direction and control generates the discussion about the approaches to governance as:
⦁ Proactive elements of governance – “delegating authority and accountability to be discharged within established boundaries and in the pursuit of established objectives”
⦁ Reactive elements of governance – “requiring accurate data that explains the performance of the proactive elements of governance, and responds to their shortcomings in an effective and appropriate way”.

10 minutes TOPIC: GRC FRAMEWORK
Review the diagram and discuss the key protocols within an organisation that define Corporate Governance expectations.
⦁ Government Owned Corporation (GOC) and Corporation Acts
⦁ General Legislation
⦁ Shareholder Directions
⦁ Industry Standards
Each aspect has a defined set of expectations of the organisation that must be met.
The Corporate Governance framework ensures these expectations are managed and met through a series of controls, plans and resource utilisation, so that goals and objectives are achieved within the constraints that compliance obligations and risks present.
Generate a discussion about some of the specific processes in place in each category:
⦁ Organisation, Delegation & Accountability – responsibility and authority at a financial and operational level
⦁ Documented Controls – policy rules and protocols in response to routine and ad-hoc events
⦁ Strategy & Planning – goals, objectives, and targets
⦁ People & Capability – induction training
The diagram is intended to stimulate thinking about factors used to define the Governance framework.

30 minutes ACTIVITY 2: UNDERSTANDING GOVERNANCE EXPECTATIONS
Timing: Approximately 30 minutes
Facilitator Notes:
Review the background information with participants to ensure they understand the intent of information provided to directors and senior executives at commencement in an organisation. Relate this approach to the general induction protocol in an organisation.

The difference is the level of authority a Director or Senior Executive is afforded in their role, and the related responsibility and accountability associated with that authority.

Hand out the Case Study document to participants and review the topics included in the case study. Instruct participants to review the introductory information to gain a broad overview of the organisation.
Participant Instructions
On the next page is a list of documents and other administrative information found in a Director's Induction Pack. In your groups discuss and agree on the following:
⦁ Whether each of the listed items contributes to the direction or control of the organisation; and
⦁ What other information might be included in the Director's Pack.

Debrief:
⦁ Board Charter – Direction as it provides guidance on expectations
⦁ Vision, Mission, Values – Direction as it provides guidance on current and future goals for the organisation
⦁ Policy suite and Code of Conduct – Control as it provides guidance on expected standards
⦁ Declaration of externality, pecuniary interests and conflicts – Direction as it provides guidance on what factors are to be considered for future direction related decisions
⦁ Insurance certificates – Control as it provides guidance on tolerance levels
⦁ Reporting calendar – Control as it provides guidance on mandatory deadlines
⦁ Last quarter operational reports and actions status – Direction as it provides guidance on predicting future growth and areas of interest and concern
⦁ Committees structure and charters – Control as it provides guidance on specific aspects of operational areas that are managed collaboratively
⦁ Org structure and executive delegations – Control as it provides guidance on levels of responsibility and accountability
⦁ Authorised signatories – Control as it provides guidance of levels of authority
⦁ Enterprise Risk Management (ERM) Overview – Control as it provides guidance on the range of risks faced by the organisation with a definition of tolerable risk.

Additional information that could be considered may include:
⦁ Overview of the range of products and services offered.
⦁ Overview of the existing client base, including the types of clients that meet the organisation's profile.
⦁ Overview of industry competitors to gain an understanding of current market position.

10 minutes TOPIC: RISK MANAGEMENT IN A GOVERNANCE CONTEXT
One way to understand governance is to look at the way certain business functions are governed. Of particular relevance to this course is the governance of Risk Management.
In the absence of a tidy definition for the governance of risk management (refer to the footnote about the duty of directors in regard to governance and risk), we can refer to the terms mentioned earlier in the course: 'system', 'direction' and 'control'. The governance of risk management would then require a systematic means of directing and controlling the performance of risk management practices within an organisation.
Figure 4: Delegation of Authority provides a visual diagram of how an organisation's board or executive management team would delegate or cascade accountability throughout the organisation to ensure all employees are aware of their responsibility in relation to managing risk.
Footnote: Failure by Directors to Create and Protect Value for Shareholders = number one duty of boards. Key board responsibility is to approve the organization’s strategy and monitor risks assumed (and mitigation treatments).
Management must make risk pay-off by identifying and selecting opportunities which MORE THAN compensate for the risks.
The Board is responsible for informed oversight not direct management of risks.

5 minutes TOPIC: LEGAL COMPLIANCE IN A GOVERNANCE CONTEXT
There is a set of clear legal compliance obligations for the governance of modern organisations, particularly those listed publicly. Legal obligations for Directors and companies fall into two main categories:
⦁ Administrative such as registration, lodgement, and disclosure; and
⦁ Obligatory such as Directors duties, liabilities/ industrial manslaughter, and indemnifications.
Review the definition provided by Brian Sharpe, which offers an authoritative definition of compliance that is quite useful in a governance context.
Review the questions in the PG designed to encourage participants to consider their organisation’s governance of legal compliance.

5 minutes TOPIC: CONSEQUENCE AND CONTROL
Discuss the role of governance in the context of consequence and control. The level of governance or oversight required is indicative of the type and level of consequence, and of the ability of the organisation to control this factor.

5 minutes TOPIC: SECTION TWO EXTENSION AND ASSESSMENT: GOVERNANCE FUNDAMENTALS
Direct participants to the review information in their PG. Advise that it is intended to ensure the key learnings from the section are reinforced through a small number of questions.
LUNCH BREAK – 45 MINUTES

SECTION THREE INTRODUCTION – Compliance Fundamentals
Time Approximately 1 ¾ hours
Background information This section aims to provide participants with an understanding of why compliance with the law is essential to effective governance and to proactive and diligent risk management. An effective compliance program is a powerful tool in influencing organisational outcomes.
Section objectives ⦁ Understand the role of compliance in an organisation.
⦁ Review the definitions and guidance for compliance programs.
⦁ Understand the role of risk management and governance within a compliance context.
⦁ Understand the role of compliance in managing risk.
Slides 26-32
Activities Activity Three – Understanding Compliance Obligations

SECTION THREE PLAN – Compliance Fundamentals
Timing Action Outline Resources

5 minutes TOPIC: INTRODUCTION
Review the topics that will be covered in Section Three
⦁ Understand the role of compliance in an organisation.
⦁ Review the definitions and guidance for compliance programs.
⦁ Understand the role of risk management and governance within a compliance context.
⦁ Understand the role of compliance in managing risk.

5 minutes TOPIC: WHAT IS COMPLIANCE?
Recap the definition of Regulatory Compliance discussed in Section Two.
Discuss how the scope of modern compliance programs is no longer confined to the law, but extends to a range of obligations from external stakeholders that reflect the need to do the 'right' thing as opposed to simply meeting legal obligations.
Relate the role of compliance to managing risks that may adversely impact the organisation.

10 minutes TOPIC: COMPLIANCE PRINCIPLES
Review and discuss the compliance principles outlined in AS 3806 Compliance Programs.
Discuss how these principles provide guidance on the management of a compliance framework in an organisation.

10 minutes TOPIC: ELEMENTS OF A COMPLIANCE MECHANISM
Review the material relating to the use of a Compliance Mechanism as an element of a Compliance framework.
A Compliance Mechanism is the method used by an organisation to identify, analyse and respond to compliance obligations, to ensure ongoing obligations are maintained.
Review the detailed information in each step noted in the PG.

30 minutes ACTIVITY 3: UNDERSTANDING COMPLIANCE OBLIGATIONS
Timing: Approximately 30 minutes
Facilitator Notes:
The activity is designed to provide participants with an understanding of how a Compliance Obligations Register is collated.
Reassure participants that their limited knowledge of the case study organisation will constrain the level of accuracy that can be achieved. The activity is not focused on technical accuracy but on providing an opportunity to work through a couple of compliance obligations and how these translate into policy and procedure in an organisation.
Instruct participants to refer to the relevant sections of the case study as indicated in the activity instructions.
Participant Instructions
Refer to the PG for detailed instructions. The number of compliance obligations is optional, as how many can be identified in the time allocated for the activity will depend on the level of experience of participants.
Debrief:
Review the functional areas noted in the case study and review the answers of each group. Some example answers have been provided below to enable you to generate a discussion.
⦁ Finance: generic function that is the responsibility of the Financial Controller. Processes can include Accounts Payable and the need to ensure GST is correctly recorded for ATO obligations.
⦁ Human Resources: generic function that is the responsibility of the Human Resources Director. Processes can include Induction and the need to ensure the WHS requirements are explained so that WHS obligations are met.
⦁ Facilities Management: generic function that is the responsibility of the Facilities Manager. Processes can include emergency response planning and the need to ensure clear signage of facility evacuation points to meet legal obligations relating to Duty of Care for visitors and patients.
⦁ Technology Management: refer to the example provided in the activity.
⦁ Patient Administration: specific function that is the responsibility of the Hospital General Managers. Processes can include admission, discharge and records management and the need to ensure patients are processed in accordance with healthcare industry guidelines.
⦁ Clinical Services: specific function that is the responsibility of the Clinical Services Manager. Processes can include patient diagnosis and treatment and the need to ensure patients are treated by suitably qualified professionals in accordance with industry professional standards relating to the competence of medical professionals.
⦁ Legal Counsel: specific function that is the responsibility of the Legal Counsel. Processes can include Negligence Claims processing in accordance with industry guidelines and legal regulations.

5 minutes TOPIC: THE ROLE OF RISK IN COMPLIANCE
Discuss the relationship between effective compliance programs and the intent of managing those legal risks that are imposed on an organisation by generic laws that apply to all organisations, and those industry specific requirements that are imposed by industry bodies and regulators.

5 minutes TOPIC: SECTION THREE EXTENSION AND ASSESSMENT: COMPLIANCE FUNDAMENTALS
Direct participants to the review information in their PG. Advise that it is intended to ensure the key learning points from the section are reinforced through a small number of questions.
AFTERNOON BREAK – 15 MINUTES

SECTION FOUR INTRODUCTION – Enterprise Risk Management Fundamentals
Time Approximately 1 ¾ hours
Background information This section aims to provide participants with an understanding of Enterprise Risk Management (ERM) as the process that allows business managers to understand the elements of an enterprise risk management framework, and how this approach can facilitate gains in capability by protecting business processes that support the business objectives of the organisation.
Discuss the concept that modern organisations are always striving to manage risk more effectively. There is a growing expectation from stakeholders that risk will be managed at every level of the organisation in a highly coordinated way.
Section objectives ⦁ Understand the value of managing risks across the organisation in a collaborative manner using information and insight from subject matter experts across the organisation
⦁ Understand terms and definitions that relate to Enterprise Risk Management
⦁ Understand the principles that underpin Enterprise Risk Management
Slides 33 – 41
Activities Activity Four – Risk Maker Risk Taker

SECTION FOUR PLAN – Enterprise Risk Management Fundamentals
Timing Action Outline Resources

5 minutes TOPIC: INTRODUCTION
Review the topics that will be covered in Section Four
⦁ Understand the value of managing risks across the organisation in a collaborative manner using information and insight from subject matter experts across the organisation
⦁ Understand terms and definitions that relate to Enterprise Risk Management
⦁ Understand the principles that underpin Enterprise Risk Management

5 minutes TOPIC: WHAT IS ENTERPRISE RISK MANAGEMENT?
Review the definition in the PG. Discuss how there is a wide range of definitions to choose from, with the example in the PG being the one that seems the most comprehensive.
Introduce the ISO 31000 Standard and its use as a guideline standard for risk management, providing information related to risk principles, terms and definitions, risk management framework components, and the risk management process.

10 minutes TOPIC: ENTERPRISE RISK MANAGEMENT MODEL
Review the ERM model depicted in ISO 31000
⦁ Principles in Clause 3
⦁ Framework for Managing Risk in Clause 4
⦁ Process for Managing Risk in Clause 5

5 minutes TOPIC: ENTERPRISE RISK MANAGEMENT PRINCIPLES
Review the principles in the PG and discuss how these can underpin the development of the ERM framework and process.

5 minutes TOPIC: ENTERPRISE RISK MANAGEMENT TERMS & DEFINITIONS
Review the terms and definitions in the PG and discuss the importance of defining these terms in the context of your own organisation. Highlight the following definitions and the value of understanding what these terms mean to the organisation:
Risk Attitude – what is our attitude to risk? Are we risk averse?
Risk Appetite – what are we prepared to tolerate when it comes to risks? What are our financial, reputational, operational limits?
Risk Policy – provides a statement of intent that defines the appetite for risk

5 minutes TOPIC: ENTERPRISE RISK MANAGEMENT FRAMEWORK
Review the importance of an effective ERM framework and what the framework should include:
⦁ Mandate and Commitment
⦁ Design and Implementation Guidance
⦁ Monitoring and Improvement Guidance

5 minutes TOPIC: ENTERPRISE RISK MANAGEMENT PROCESS
Review the ERM Process, indicating that these are the fundamental steps needed to manage each risk.
Highlight to participants that we will be reviewing the framework elements needed to manage risk in Section 5.

45 minutes ACTIVITY 4: RISK MAKER RISK TAKER
Timing: Approximately 45 minutes
Facilitator Notes:
Review the objective of this activity as providing examples of how culture and the drive to achieve objectives can have a devastating impact on an organisation because risks have been overlooked or underestimated.

Participant Instructions
Watch the DVD Risk Maker Risk Taker and in your team, discuss and answer the questions in your PG.

Debrief:
Dr Patel:
Appointed as a surgical medical officer at Bundaberg Hospital, he soon assumed the position of Director of Surgery. Over two years, Dr Patel saw 1450 patients. Eighty-eight of his patients died. A clinical review in 2005 found that Dr Patel directly contributed to the deaths of thirteen patients.
Suggested answers or discussion points could include:
⦁ Qld Health did not check the credentials of Dr Patel because they assumed the hospital had done so.
⦁ The hospital took no action because they needed funding to provide health services to the community and thought the risks outweighed the benefits.
⦁ From the outside and looking back, the behaviour of the hospital and Qld Health was not rational, as it focused on financial gains in the short term with little or no consideration of the long term impact on the organisation.
HMAS Westralia
A fire occurred in the main machinery space of HMAS Westralia on 5 May 1998, which resulted in the death of four navy personnel. The fire was caused by diesel fuel from a burst flexible hose spraying onto a hot engine component and then igniting. The hose was one of a number of new flexible hoses supplied by the ship’s support contractor to replace the original pipes.
Suggested answers and discussion points could include:
⦁ Outsourcing of key operational tasks needs to be more closely monitored to compensate for the loss of control.
⦁ Cost savings can sometimes drive errors in judgement about the amount of risk a decision presents.
⦁ Management cannot avoid risk, but risk is as much about maximising opportunities as it is about protecting against loss.

New York Metropolitan Transport Authority
The New York Metropolitan Transportation Authority installed a $700 million automatic fare collection system which included better integration between modes of transport and new turnstiles. Among other improved performance indicators, bus and subway usage rose and fare evasion fell. But within another year, bus usage surged way beyond the prediction models. The reason was that the free transfer system proved so much more important to customers in terms of convenience, flexibility and simplicity, and provided a catalyst for subway riders to discover buses. So the changes helped the organisation achieve its objectives, but they also opened up much greater opportunities.

Suggested answers and discussion points could include:
⦁ The management of risk is very much about how we grasp opportunities while minimising loss; it is not about eradicating risk but about managing risk to a tolerable level.
⦁ Organisations sometimes become so focused on a particular outcome that they allow it to overwhelm all other considerations.
⦁ No matter what an organisation does, it interacts with a wider environment. What industry sector is it in? Who are its stakeholders? What are its capabilities?

15 minutes TOPIC: PARTICIPANT PRE-COURSE WORK
Ask participants to share their research findings with the group.
Discuss what information was gathered in regard to a risk management framework and process. Did participants find an ERM policy, identification criteria, an assessment matrix, a risk register or a compliance register?
Discuss the completed Risk Management framework self-assessment results. Are there areas of weakness or strength? Is there sufficient commitment and support from senior management? What could be improved?
Explain that this insight will be further considered in Sections 5 and 6.

5 minutes TOPIC: SECTION FOUR EXTENSION AND ASSESSMENT: ENTERPRISE RISK MANAGEMENT FUNDAMENTALS
Direct participants to the review information in their PG. Advise that it is intended to ensure the key learning points from the section are reinforced through a small number of questions.

SECTION FIVE INTRODUCTION – Enterprise Risk Management Framework
Time Approximately 6 hours
Background information This section aims to provide participants with an understanding of the elements of an Enterprise Risk Management framework.
Managing risks associated with compliance obligations and governance expectations can only be achieved through the systematic application of a robust risk management framework across the enterprise.
Such a framework requires careful consideration regarding the design, development and implementation to ensure it meets the needs and context of the organisation.
Section objectives ⦁ Understand the factors that must be considered when designing a framework.
⦁ Understand the need to ensure the context of operations is fully understood to ensure the framework is fit for purpose.
⦁ Understand the components of a risk management framework including a defined process and guidance on how risks must be managed.
⦁ Awareness of implementation considerations and challenges.
Slides 42 – 65
Activities Activity Five – Define Areas of Risk
Activity Six – Establishing Context
Activity Seven – Define Risk Analysis Criteria
Activity Eight – Continuity Planning

SECTION FIVE PLAN – Enterprise Risk Management Framework
Timing Action Outline Resources

5 minutes TOPIC: INTRODUCTION
Review the topics that will be covered in Section Five:
⦁ Understand the factors that must be considered when designing a framework.
⦁ Understand the need to ensure the context of operations is fully understood to ensure the framework is fit for purpose.
⦁ Understand the components of a risk management framework including a defined process and guidance on how risks must be managed.
⦁ Awareness of implementation considerations and challenges.

10 minutes TOPIC: ERM FRAMEWORK CONSIDERATIONS
Review the terms relating to Governance and Compliance and their relationship to risk. Governance represents voluntary boundaries and compliance represents mandatory boundaries.
Governance, compliance and risk should co-operate with each other and share relevant information to manage risk at an organisational or enterprise level.
Discuss what an organisation needs to incorporate into an ERM framework:
⦁ ERM Objectives: Objectives must relate and contribute to organisational objectives
⦁ ERM Boundaries: Identify the boundaries that must be considered and incorporated into the framework
⦁ Risk Management Process: Develop a process that incorporates the key steps that must be followed to manage risk.
⦁ Evaluation Protocols: to determine if the ERM process is working
⦁ Continual Improvement: Using the evaluation outcomes improve the program to ensure its ongoing suitability and effectiveness.
⦁ Communication: Ensure all stakeholders have the information they need to make informed decisions and report to the appropriate authorities (ASX; Regulators etc.)

5 minutes TOPIC: FRAMEWORK DESIGN AND DEVELOPMENT
Discuss with participants that when designing, developing and implementing an Enterprise Risk Management framework these factors are the drivers for how the system will operate.
There are two aspects to managing risks across the organisation:
⦁ The method used to manage risks at an operational or functional level; and
⦁ The method used to oversee the risk management framework at an enterprise or organisational level.
Both aspects need to operate in a cohesive manner to ensure the organisation is managing risks in an effective and efficient manner, within the boundaries of governance and compliance constraints.

5 minutes TOPIC: ERM FRAMEWORK
Enterprise Risk Management requires an effective and relational risk framework that permeates the whole organisation.
To develop a robust Enterprise Risk Management framework the organisation must ensure the range, scope and appetite for risk are reflected in the framework.
Using the approach outlined in the Risk Management Standard ISO 31000 we need a framework that incorporates the following elements:
⦁ Management Commitment
⦁ Suitable Risk Management Process
⦁ Communication Protocols
⦁ Review and Improvement
These elements will be reviewed in further detail in the subsequent pages.

10 minutes TOPIC: MANAGEMENT COMMITMENT – ERM POLICY
Management commitment is usually articulated in a statement of intent communicated through policy documents.
ERM Policy communicates the overall intent, scope and type of risks the organisation intends to manage, through the application of the risk management framework.
Participant question: Ask participants whether their organisation has a risk policy in place, and whether it contains these key elements.
Discuss the relevance of the policy to their organisation’s range of operations i.e. scope of work, revenue, client base.
TOPIC: MANAGEMENT COMMITMENT – AREAS OF RISK
Discuss the need to establish the scope of the ERM framework through defining the areas of risk covered by the framework. The areas usually relate to functions and not the physical scope of business.
Discuss with participants the difference between strategic and operational areas of risk.
Strategic areas of risk are those areas that are critical to the long term success of the organisation, as they facilitate achievement of goals and objectives.
Operational areas of risk are those areas that have an impact on the ability to provide the product or service.

30 minutes ACTIVITY 5: DETERMINE AREAS OF RISK
Timing: Approximately 30 minutes
Facilitator Notes:
Instruct participants to refer to the case study information about areas of risk. If participants believe there are additional areas not included on the list, they may include those additional areas.

Participant Instructions
Working in your team, using the definitions of Strategic Areas and Operational Areas of risk provided in your course notes, review the list of Risk Areas provided in the case study and determine if each area of risk should be considered a strategic or operational area of risk.

Debrief:
Suggested answers below with additional areas highlighted in red text:
Strategic Areas of Risk Operational Areas of Risk
Finance People (staff and contractors)
Regulatory & Legal Compliance Technology (including information management)
Governance Facilities/Property
Client Relationship Management Workplace Health & Safety
Environmental Management
Food Safety Management
Day surgery services
Rehabilitation services

15 – 20 minutes DAY 1 – CLOSING ACTIVITY ZIP LOCK (OPTIONAL)
Objective:
This closing activity is to help participants summarise and comprehend main points and concepts covered during the day.
Participant instructions:
⦁ Ask each group to select a section of the day’s program (it doesn’t matter if groups select the same section) and summarise or zip up into 6 (or a number of your choice) key points.
⦁ Have a spokesperson for each group share their points and have the group comment or question their summary.
Debrief:
Explain that you will leave the pages displayed on the wall throughout the remainder of the course to help participants lock in the details. At this point also highlight or discuss any key points.
END OF DAY ONE

DAY 2 INTRODUCTION
Timing Action Outline Resource

10 minutes INTRODUCTION TO DAY 2
EXPLAIN:
By the end of the day you should understand:
⦁ Enterprise Risk Management Framework considerations (within Section Five) including:
⦁ Establishing the context within which risk will be managed
⦁ Determine the risk identification criteria
⦁ Define the risk assessment matrix
⦁ Understand the importance of risk treatment guidelines
⦁ Implementation considerations
⦁ ERM Assurance requirements
DISCUSS:
Discuss the above points and ask for input or questions. Resources: None

10 minutes TOPIC: UNDERSTAND THE CONTEXT
Review the information with participants and discuss the need to understand the context of the organisation to ensure the framework is fit for purpose.
The definition of risk tolerance should reflect the context of the organisation, with the risk criteria used to identify and assess risk based on this information.
Discuss the concept of conducting an environmental scan to understand the context.

5 minutes TOPIC: UNDERSTAND THE CONTEXT – TOOLS AND TECHNIQUES
Discuss the tools and techniques used to conduct an environmental scan to understand the context.
Review the suggested types used for understanding the internal and external context.
Direct participants to Section Seven for further explanation of the tools and techniques noted.

30 minutes ACTIVITY 6: ESTABLISH THE CONTEXT
Timing: Approximately 30 minutes
Facilitator Notes:
Highlight the objective of the activity. Understanding the context of the organisation will facilitate the development of a Risk Management process that reflects the needs of the organisation.
Understanding the risks inherent in the organisation will enable the development of risk identification and analysis criteria that reflect the risk appetite the organisation is willing to pursue or tolerate.

Participant Instructions
Using the instructional information and template provided on the following pages, undertake a SWOT analysis of the case study organisation.

Debrief:
Answers will be broad and varied. Some sample answers have been provided below:
Strengths: The range of services offered ensures the ongoing viability of the business.
Weaknesses: The various operating sites have stand-alone systems for clinical care, and this approach will make the introduction of additional requirements of new Health Care Standards costly and time consuming.
Opportunities: Growing market in the provision of day surgical services in the elective surgery market, such as cosmetic procedures.
Threats: A reduction in the rebate for private health care may impact on the volume of work, as patients may elect to have surgery as a public patient due to increased fees.
Ensure you remind participants that understanding the context will enable an organisation to develop an ERM process that reflects these factors.

10 minutes TOPIC: ERM PROCESS
The RM process used by the organisation should reflect the steps outlined in ISO 31000 as follows:
⦁ Identify risks: Identification criteria
⦁ Analyse risks: risk assessment matrix (likelihood and consequence)
⦁ Evaluate risks: reflecting the defined risk appetite or tolerance
⦁ Treat risks: treatment option guidelines
⦁ Monitor risks: review protocols to verify controls
A set of instructional guidelines needs to be developed to implement a risk management process across the organisation, and this will be the focus for the remainder of the course.
We will work through what needs to be considered when developing the framework.
MORNING BREAK – 15 MINUTES

10 minutes TOPIC: ERM RISK IDENTIFICATION CRITERIA
Discuss the value of identification criteria in ensuring all risks are identified in a systematic manner.
Review the options noted in the PG on which to base the criteria.
The identification criteria should have some relevance to the goals and objectives of the organisation, and the needs and expectations of the stakeholders.

10 minutes TOPIC: ERM RISK ANALYSIS CRITERIA
Discuss the components of the Risk Analysis Criteria, which should clearly explain:
⦁ Nature and type of consequence;
⦁ Likelihood definitions including timeframe;
⦁ Significance of risk (combination of consequence and likelihood); and
⦁ Level at which risk becomes unacceptable or outside defined tolerance levels.
Review the examples provided in the PG and discuss the various sources of business information that can be used to develop the various components of the criteria, including:
⦁ Volume of work can be used to develop the definition of likelihood
⦁ Financial information can be used to develop the definition of financial consequence
⦁ Compliance obligation and regulatory expectations can be used to develop the definition of legal consequence.
Highlight the importance of engaging stakeholders when developing these criteria, as the criteria may be affected by the perceptions of stakeholders and by legal or regulatory requirements.

45 minutes ACTIVITY 7: DEFINE RISK ANALYSIS CRITERIA
Timing: Approximately 45 minutes
Facilitator Notes:
The information provided in the case study should form the basis for discussion regarding the development of the Risk Analysis criteria.

Participant Instructions
Using the following information provided about the case study organisation, develop a Risk Analysis Matrix that can be used to assign a level of likelihood and consequence to identified risks.
⦁ Range of products and services offered
⦁ Volume of work over the last 12 months
⦁ Financial results for the last 12 months
⦁ Summary of Stakeholder Expectations

Debrief:
Ensure the draft Risk Analysis Matrix reflects the context of the organisation. Where participants decide to provide specific descriptors for consequence relating to financial or WHS factors, these need to be relevant to those factors, e.g. an insignificant financial loss is quantified as $1,000 or less, whereas a catastrophic loss could be defined as > 100% of annual net profit.
The final answer must represent the appetite for risk as defined by the organisation.
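As an added illustration (not part of the facilitator guide or the course materials), the following Python sketch turns the Risk Analysis Criteria components above and the debrief's financial descriptors into a working matrix: consequence bands derived from financial results, likelihood bands derived from annual volume of work over a 12-month timeframe, a significance rating combining the two, and a tolerance level that flags risks outside the defined appetite. Only the "$1,000 or less" and "> 100% of annual net profit" descriptors come from the guide; the intermediate band splits, likelihood definitions, rating thresholds, tolerance setting and the sample hospital risks are constructed assumptions.

```python
"""Risk analysis matrix built from the inputs listed for Activity 7.

Added example, not from the course materials. Consequence bands come from
financial results, likelihood bands from annual volume of work (12-month
timeframe), and a tolerance level decides which risks fall outside the defined
risk appetite. Only the $1,000 Insignificant cap and the >100% of annual net
profit Catastrophic floor are taken from the guide; every other figure, band
split and rating threshold is an assumption made for this example.
"""
from dataclasses import dataclass, field

CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
RATINGS = ["Low", "Medium", "High", "Extreme"]


@dataclass
class RiskCriteria:
    """The components the guide says the criteria must explain."""
    annual_net_profit: float              # financial results, last 12 months
    annual_volume: float                  # volume of work, e.g. admissions/year
    max_tolerated_rating: str = "Medium"  # risk appetite boundary (assumed)
    escalate_catastrophic: bool = True    # any Catastrophic is at least High
    consequence_caps: list = field(init=False)
    likelihood_caps: list = field(init=False)

    def __post_init__(self):
        # Upper loss bound per consequence level. Insignificant <= $1,000 and
        # Catastrophic > 100% of annual net profit are from the guide; the 1%
        # and 10% splits are assumed. Bounds are forced non-decreasing so a
        # small profit figure cannot invert the bands (edge case).
        raw = [1_000.0, 0.01 * self.annual_net_profit,
               0.10 * self.annual_net_profit, 1.00 * self.annual_net_profit,
               float("inf")]
        caps, running = [], 0.0
        for cap in raw:
            running = max(running, cap)
            caps.append(running)
        self.consequence_caps = caps
        # Expected events per year for each likelihood level (assumed):
        # Rare < once in 10 years, Unlikely < yearly, Possible < monthly,
        # Likely < weekly, Almost certain otherwise.
        self.likelihood_caps = [0.1, 1.0, 12.0, 52.0, float("inf")]

    def consequence_level(self, loss: float) -> str:
        """Financial consequence descriptor for a loss in dollars."""
        for name, cap in zip(CONSEQUENCE, self.consequence_caps):
            if loss <= cap:
                return name
        return CONSEQUENCE[-1]

    def likelihood_level(self, probability_per_unit: float) -> str:
        """Likelihood descriptor from a per-transaction probability scaled by
        the organisation's volume of work over the 12-month timeframe."""
        expected_per_year = probability_per_unit * self.annual_volume
        for name, cap in zip(LIKELIHOOD, self.likelihood_caps):
            if expected_per_year < cap:
                return name
        return LIKELIHOOD[-1]

    def significance(self, consequence: str, likelihood: str) -> str:
        """5x5 matrix scored as the product of 1-based indices (assumed
        scale): 1-4 Low, 5-9 Medium, 10-15 High, 16-25 Extreme."""
        score = ((CONSEQUENCE.index(consequence) + 1)
                 * (LIKELIHOOD.index(likelihood) + 1))
        if score <= 4:
            rating = "Low"
        elif score <= 9:
            rating = "Medium"
        elif score <= 15:
            rating = "High"
        else:
            rating = "Extreme"
        # Consequence-only override: a catastrophic outcome is never rated
        # below High, however rare it is (assumed appetite rule).
        if self.escalate_catastrophic and consequence == "Catastrophic":
            rating = RATINGS[max(RATINGS.index(rating), RATINGS.index("High"))]
        return rating

    def analyse(self, name: str, loss: float, probability_per_unit: float) -> dict:
        """Assign consequence, likelihood and significance, then evaluate
        against the tolerance level (the Evaluate step of the ERM process)."""
        c = self.consequence_level(loss)
        lk = self.likelihood_level(probability_per_unit)
        s = self.significance(c, lk)
        return {"risk": name, "consequence": c, "likelihood": lk,
                "significance": s,
                "within_tolerance": RATINGS.index(s)
                <= RATINGS.index(self.max_tolerated_rating)}


# Constructed sample register for a private hospital group: (risk, loss if
# it occurs in dollars, probability per admission). Not from the case study.
SAMPLE_REGISTER = [
    ("GST misreported on supplier invoices", 150_000.0, 0.002),
    ("Admission record data entry error", 800.0, 0.00001),
    ("Fire renders head office inoperable", 2_500_000.0, 0.000002),
]


def assess_register(criteria: RiskCriteria, register=SAMPLE_REGISTER) -> list:
    """Run every register entry through the criteria."""
    return [criteria.analyse(*entry) for entry in register]


if __name__ == "__main__":
    crit = RiskCriteria(annual_net_profit=2_000_000.0, annual_volume=30_000)
    for row in assess_register(crit):
        print(row)
```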

5 minutes TOPIC: RISK TREATMENT GUIDELINES
Review the information relating to treatment of risks that are outside the defined tolerance levels.

10 minutes TOPIC: RISK TREATMENT OPTIONS
Discuss the various treatment options and when these may be used.
Discuss the use of treatment options designed to facilitate recovery, and where this may be an option. Review the recovery process diagram in the PG highlighting the elements that would be incorporated in the various plans required.

30 minutes ACTIVITY 8: CONTINUITY PLANNING
Timing: Approximately 30 minutes
Facilitator Notes:
Unplanned extreme events require a strategy to be in place to manage them. To do so effectively you need to think outside the square and ask what is needed if such an event occurs.
Encourage participants to consider the context of the organisation and what would be considered critical in the first 24 hours, week, month, and 3 month periods.

Participant Instructions
Background Information:
The case study organisation's insurance provider has requested that the organisation develop and submit a Business Continuity Plan for the Head Office facility to demonstrate that the organisation would still be able to operate in some capacity should a disaster occur that renders the head office facilities inoperable for a period of up to 3 months.
⦁ Consider the background information provided
⦁ Brainstorm what needs to be considered in the Business Continuity Plan needed to demonstrate preparedness for a disaster that would render the corporate office unable to operate.
⦁ When brainstorming consider the following key resources needed to ensure some level of operations can be achieved:
⦁ Staffing
⦁ Work facilities
⦁ Information
⦁ Technology
Debrief:
Ensure the answers contain some information relating to the following topics:
⦁ Staffing: contact information for key staff; access to temporary staffing resources
⦁ Work facilities: alternative work arrangements including remote work; agreement with another private hospital to use their facilities for urgent cases
⦁ Information: off-site storage of information that can be accessed remotely
⦁ Technology: alternative systems as a short term substitute
LUNCH BREAK – 45 MINUTES

10 minutes TOPIC: RISK MONITORING
Discuss the intent of monitoring and review to assess the effectiveness of risk control protocols in place, and reassess their relevance from time to time.
Discuss the different approaches to monitoring and provide examples:
⦁ Regular checking and continuous monitoring: supervision, mandatory fields in a computer system to ensure the correct information is logged
⦁ Line Management Review: KPI results; operational review and reporting
⦁ Third Party Audit: Strategic review method

10 minutes TOPIC: COMMUNICATION PROTOCOLS
Review the reasons for communication noted in the PG.
Ensure you reinforce the main driver to ensure stakeholders (internal and external) are provided with the appropriate information to make an informed decision in a timely manner.
Discuss the communication protocols needed to meet external compliance obligations such as those imposed by regulators.

10 minutes TOPIC: REVIEW AND IMPROVEMENT
Discuss the value of reviewing the enterprise risk management framework and process.
Review is conducted to ensure the framework is effective in managing risks, and the defined approach still meets the needs in relation to the context of the organisation.

10 minutes TOPIC: ADDITIONAL FRAMEWORK CONSIDERATIONS
Review the list of additional considerations noted in the PG and ask participants whether they can add to it.
Highlight the lessons learnt from the BAC, and highlight some of the following points where appropriate:
⦁ Make use of other activities to get input from the business – Barry used the Business Continuity Plan to identify a range of governance issues at the same time. Ran BIA (assuming this is business impact analysis) workshops with the assistance of Deloittes – these were then fed into the risk framework (can’t read my own shorthand scribble – but think this is correct)
⦁ If you are bringing in external people – choose third parties who can add real value and who can complement your own skill sets
⦁ Structure the elements of the GRC program in ways that the business should be able to recognise: define each business line (in this case: Airport Operations & BNE Property) and tailor the GRC framework to each business

10 minutes TOPIC: IMPLEMENTATION CONSIDERATIONS
Review the list of implementation considerations noted in the PG and ask participants whether they can add to it.
Highlight the lessons learnt from the BAC, and highlight some of the following points where appropriate:
⦁ When deploying the framework – make it whole of company and then work down to individual business focus. Barry dealt with it by examining skill set by area
⦁ Once the GRC framework is created and implemented find ways to keep it alive in the business. People need to feel that they are contributing.
⦁ Make sure the continuous improvement process is maintained and updated
⦁ Did not take the approach of formal training programs – instead had people working in the business (sitting with teams) and communicating what was required in the workplace
⦁ Once you create reporting – the priority is to keep improving the data and the reporting and the continuous improvement process

5 minutes TOPIC: SECTION FIVE EXTENSION AND ASSESSMENT: ENTERPRISE RISK MANAGEMENT FRAMEWORK
Direct participants to the review information in their PG. Advise that it is intended to ensure the key learning points from the section are reinforced through a small number of questions.

SECTION Six INTRODUCTION – Enterprise Risk Management Assurance Requirements
Time Approximately 1 ¼ hours
Background information Assurance is an important element of Enterprise Risk Management as it provides evidence to key stakeholders (internal and external) that the stated Risk Management performance of the organisation is accurate.
There are a number of different approaches to building an assurance model within an organisation.
Section objectives ⦁ Understand what activities provide assurance
⦁ Know why assurance is important in exercising diligence
Slides 66-69
Activities No activities for the section

SECTION Six PLAN – Enterprise Risk Management Assurance Requirements
Timing Action Outline Resources

10 minutes TOPIC: SECTION INTRODUCTION
Provide participants with an overview of what will be covered in this section.
⦁ Understand what activities provide assurance
⦁ Know why assurance is important in exercising diligence

10 minutes TOPIC: DRIVERS FOR ASSURANCE
Review the drivers for assurance noted in the PG. Highlight the key driver for boards of listed companies who are required by the stock exchange to submit a report containing a declaration from senior management that the organisation has a sound risk management framework.
Discuss the merits and challenges of the methods noted in the PG including:
⦁ External audit – third party certification body, independent audit
⦁ External scrutiny – ombudsman, parliamentary or council committee, appeal tribunals, courts, commissions of inquiry
⦁ Regulatory reviews (e.g. mandatory reports or disclosure to government departments or other regulatory authorities, Corporations Act compliance)
⦁ Internal audit
⦁ Program evaluation
AFTERNOON BREAK – 15 MINUTES

10 minutes TOPIC: ASSURANCE METHODS
Review the different types of assurance including:
⦁ Primary assurance
⦁ Secondary assurance
⦁ Tertiary assurance

15 minutes TOPIC: INTERNAL AUDIT PROGRAM
Review the internal audit program as an effective method of assurance, highlighting that some large organisations have a global or national audit team tasked with ensuring the Enterprise Risk Management framework is effective and efficient.
Note that this approach is termed risk-based auditing: audit effort is planned and prioritised according to the assessed level of risk, so the areas of greatest risk receive the most scrutiny.

5 minutes TOPIC: SECTION SIX EXTENSION AND ASSESSMENT: ENTERPRISE RISK MANAGEMENT ASSURANCE REQUIREMENTS
Direct participants to the review information in their PG. Advise that it is intended to reinforce the key learnings from the section through a small number of questions.

5 minutes TOPIC: BRISBANE AIRPORT CASE STUDY REVIEW
Review the slides relating to the case study organisation used throughout the course to highlight the key aspects of designing, developing and implementing an integrated GRC framework.
⦁ Slide 70: Current situation
⦁ Slide 71: Approach to incorporate IGRC
⦁ Slide 72: Lessons Learnt

5 minutes TOPIC: COURSE CLOSE-OUT
Summarise the contents covered over the last two days including:
⦁ Integrated GRC Concept
⦁ Governance Fundamentals
⦁ Compliance Fundamentals
⦁ Enterprise Risk Management (ERM)
⦁ ERM Framework
⦁ ERM Assurance

10 minutes TOPIC: POST COURSE ASSESSMENT
Work through the PCA document and review each of the tasks required. Seek confirmation that all participants understand what is required to complete the PCA.
Provide participants with the opportunity to ask questions and seek clarification on what they are expected to provide.

APPENDIX ONE: Participant Pre-Course Research Work

INTEGRATED GOVERNANCE, RISK & COMPLIANCE (GRC) PRE-COURSE WORK
To ensure you achieve the best learning outcome from the upcoming Integrated Governance, Risk, and Compliance course we suggest you complete the following pre-course research.
The estimated time is 1-2 hours and the work involves researching your organisation's approach to Enterprise Risk Management.
Please complete the following tasks.
⦁ RISK MANAGEMENT FRAMEWORK RESEARCH
OBJECTIVE
This is a pre-course research activity designed to encourage you to gain an understanding of your organisation's existing risk management approach.
TASK
⦁ Conduct research to determine the defined process used by your organisation to manage risk. Your research may identify a number of documents such as:
⦁ Risk Management Policy
⦁ Risk Management Process including:
⦁ Risk Identification method;
⦁ Risk Assessment matrix (designed to assist with assigning a level of likelihood and consequence);
⦁ Risk Treatment guidelines including levels of authority and record guidelines;
⦁ Risk monitoring guidelines.
⦁ Risk Register

⦁ Read through the documents to gain a basic understanding of the process and, if you are able, bring copies of the Risk Management framework to the course.

⦁ RISK MANAGEMENT FRAMEWORK SELF- ASSESSMENT
OBJECTIVE
This is a pre-course self-assessment activity designed to encourage you to consider and evaluate the current status of your organisation's governance, risk, and compliance management practices.

TASK
⦁ Consider your organisation's current governance, risk and compliance management practices against the items noted in the evaluation table on the next page.
⦁ Give each item a rating from 1 (not good) to 5 (great!).
Please note this is not an exhaustive list.
INSTRUCTION
⦁ There are five columns under the heading 'score' on the far right of the page. Colour in the number of columns that correspond to the score for that item (so, for a score of 1 colour in the first column only; for a score of 3 colour in the first, second and third columns, etc.).
⦁ Complete this process for each of the items.
⦁ Tally the score of each individual section (Senior Management, Our Framework and Our People) and record this number in the space provided.
⦁ Add the three individual section scores together and record in the space provided at the very bottom of the table.
⦁ Turn the page 90 degrees to the left. This will allow you to see a ‘picture’ (similar to a bar graph) that helps you consider each individual item and how it relates to the ‘big picture’.

CONSIDER
⦁ What components of your governance, risk, and compliance approach are missing or need improvement?
⦁ How might you begin to address the “gaps”?
⦁ What possible opportunities/barriers should you consider if you want to achieve an integrated governance, risk, and compliance framework?
⦁ Who else should be included in the context of your risk framework?


Governance, Risk, and Compliance Management Self-Assessment Tool
Score each item from 1 to 5 by colouring in the corresponding number of score columns (1 2 3 4 5) on the right of the page.

SENIOR MANAGEMENT
1. Have been/are visibly involved in the development and endorsement of the governance, risk and compliance management policies (i.e. participate in communication/consultation about risks relating to governance, compliance and other related issues).
2. Review the policies on a regular basis (i.e. every 12-18 months) and update as appropriate.
3. State in the policies that the organisation will not tolerate deliberate or negligent breaches of laws and regulations, and support the policy via action.
4. Ensure the person responsible for reporting compliance has sufficient seniority and authority and has direct access to the Board and the CEO.
5. Regularly communicate the benefits of risk management and compliance to all stakeholders.
6. Have defined measures for risk management effectiveness in terms of impact on/contribution to goals and objectives.
7. Align risk management objectives with organisation-wide business strategies.
8. Ensure compliance is independent of operational and business drivers and that achievement of compliance is not compromised.
9. Have considered our risk profile when allocating resources and reviewing budgets.
10. Have identified legal, regulatory and compliance issues that may impact on our risk profile (i.e. external stakeholders/external context), and have processes/resources in place to monitor and address these.
11. Look forward (when considering risk), rather than making decisions on historic data only.
12. Have documented and support a whistle-blower protection program that staff trust and feel comfortable using.
Section score (maximum possible = 60): Fantastic Visible Management Understanding, Commitment and Support

OUR FRAMEWORK
1. Was developed considering external stakeholders as well as the internal culture, structure, language, tools, systems and processes that are already in place.
2. Defines risk appetite, which is aligned to the risk culture and is clearly communicated across the organisation.
3. Includes a common language and set of metrics for assessing likelihood and severity to allow comparability across functions and levels.
4. Is understood, and can be applied, by different parts of the organisation (i.e. everyone who needs to has adequate understanding/skills to apply the process).
5. Facilitates reporting to management on the status/effectiveness of our enterprise-wide risk profile (as well as subsets/components of it).
6. Explains responsibilities, authorities and accountabilities for components of the framework.
7. Identifies the relationships and dependencies between different areas of the organisation (and components of risk), or the impact different parts of the organisation may have on the same/similar risks.
8. Includes audits and other reviews as part of its compliance, monitoring and improvement processes to test and report on the effectiveness of risk controls.
9. Includes well-tested, well-maintained and well-communicated contingency plans in the event an identified risk is not prevented.
10. Includes a reporting system that is likely to give early warning of a pending catastrophe.
Section score (maximum possible = 50): Great System

OUR PEOPLE
1. Can apply risk tools to opportunities as well as potential problems.
2. Take ownership of the risks in their local area.
3. Work together to ensure their risk profile is accurate (i.e. reflects true risk), and to implement any identified treatments/controls as prioritised/resourced.
4. Consider their "local" operational risk profile (and any treatments/actions) in the context of the enterprise-wide profile.
5. Can identify how application of the risk framework contributes to the overall goals/objectives of the organisation.
6. Regularly communicate and consult with others when assessing risks/opportunities (i.e. internal/external context/impact, benchmarking).
Section score (maximum possible = 30): Great People and Culture

TOTAL SCORE (MAXIMUM POSSIBLE TOTAL = 140)

APPENDIX Two: Brisbane Airport Corporation Benchmarking Report
Background
Barry Peach was a consultant to BAC, before he became an employee of the organisation, so he already understood the business well.
In his role as a consultant he looked at how GRC was conducted across the business. His findings were that ERM was robust and good systems were in place, but they weren't integrated into the business.
BAC had previously engaged with other firms, mostly legal firms, but wanted to take a more pragmatic and commercially focused approach to leading and managing GRC.
When appointed to the role of Risk & Compliance Manager, Barry commenced a GRC improvement process (including integrating systems) around 2 years ago. He engaged Clayton Utz and an external lawyer to work with him in this process. The approach was not to treat it as a project but rather as an ongoing business activity.
Barry got the activity up and running very quickly with a lean team. This approach worked because it was difficult to justify the additional cost of resources to the business. The other aspect that assisted in rolling out this initiative was identifying a set of goals/deliverables early and focussing on quick wins. This reinforced the impact and importance of the process to the business and ensured its continued support.

Stakeholders
Reporting lines were largely into the CEO. Business structure is as shown below.

Key stakeholders were:
⦁ CEO
⦁ Risk & Compliance Management Committee
⦁ GMs
⦁ (Reporting to Board)


Existing Systems/Process
BAC had received a lot of differing legal advice over the years, and there was a range of compliance systems, some of which had been implemented and some of which had never been implemented.
A hard lesson for the business was recognising that what had been implemented wasn't working as well as it could.

Key Actions required
⦁ Needed a reporting framework to the board
⦁ Framework – no real/proper policies were in place; these were rebuilt
⦁ Deploying the framework – whole-of-company approach; individual business requirements were determined by understanding the skill sets of individual areas
⦁ Two years into this continual improvement process, the focus is on the information/knowledge management area. No governance structures exist within IT

Reporting
⦁ Monthly reporting to Risk and Compliance committee
⦁ Quarterly reporting to CEO and Board
⦁ Note: commercial organisations generally don't want a lot of reporting – look at what already exists and look for gaps. Determine what level of information the Board wants to receive; this is likely to change over time as new board members are appointed. Be prepared to be flexible
⦁ Reporting from a governance perspective – understand what level of information is required/the Board wants, keep it at a high level, make sure it comes from a reliable source, and tailor the information to the organisation

Systems
⦁ Were manual; BAC is now rolling out the CURA GRC solution (http://www.curasoftware.com/). This is a recent initiative.

Challenges
⦁ Took a lot longer than anticipated (Barry’s advice is that it will take longer than you think to implement, depending on where the organisation is at)
⦁ Industry still has a distinct separation of Risk Managers and Compliance Managers, not to mention Governance. Though there are more people with GRC in their titles, there are not many in the industry who have strengths in all areas
⦁ Difficult to do if you don’t have a deep understanding of your business

Tips /Lessons Learned
⦁ Make use of other activities to get input from the business – Barry used the Business Continuity Plan to identify a range of governance issues at the same time. He ran BIA (business impact analysis) workshops with the assistance of Deloitte; the outputs were then fed into the risk framework.
⦁ If you are bringing in external people – choose third parties who can add real value and who can complement your own skill sets
⦁ When deploying the framework, make it whole-of-company and then work down to an individual business focus. Barry dealt with this by examining the skill set by area
⦁ Structure the elements of the GRC program in ways the business can recognise: define each business line (in this case Airport Operations and BNE Property) and tailor the GRC framework to each business
⦁ Once the GRC framework is created and implemented find ways to keep it alive in the business. People need to feel that they are contributing.
⦁ Make sure the continuous improvement process is maintained and updated
⦁ Did not take the approach of formal training programs; instead had people working in the business (sitting with teams) and communicating what was required in the workplace
⦁ Once reporting is in place, the priority is to keep improving the data, the reporting itself and the continuous improvement process

APPENDIX Three: RESOURCES
REFERENCES
NOTE: This list is intended to be indicative only and is not mandatory or an endorsement, recommendation or an exclusive list of resources on this subject. It is up to the user to satisfy themselves of the applicability of these materials for their purposes.

Risk Management
ISO 31000: Risk management – Principles and Guidelines, 2009, Standards Australia
ISO 31010: Risk management – Risk assessment techniques, 2009, Standards Australia
HB 89: Risk Management – Guidelines on Risk Assessment Techniques

Governance
AS 8000: Good Governance Principles, 2003, Standards Australia
AS 8001: Fraud and Corruption Control, 2008, Standards Australia
AS 8002: Organisational Code of Conduct, 2003, Standards Australia
AS 8003: Corporate Governance – Corporate Social Responsibility, 2003, Standards Australia
AS 8004: Whistle-blower Protection Program for Entities, 2003, Standards Australia
ISO 26000: Guidance on social responsibility, 2010, Standards Australia

Compliance
AS 3806: Compliance Programs, 2006, Standards Australia

Online Resources:
Open Compliance and Ethics Group (OCEG) http://www.oceg.org
Australasian Compliance Institute (ACI) http://www.compliance.org.au
SAI Global Assurance Services, http://www.saiglobal.com
Standards Australia, http://www.standards.com.au

APPENDIX Four: ADDITIONAL INFORMATION
ENERGISER ACTIVITIES
ACTIVITY 1
Play YouTube clip: Medieval helpdesk with English subtitles http://www.youtube.com/watch?v=pQHX-SjgQvQ
This clip cleverly addresses the importance of setting up systems carefully and communicating well with all stakeholders.
ACTIVITY 2
Play YouTube clip: Sasquatch music festival 2009 – Guy starts dance party http://www.youtube.com/watch?v=GA8z7f7a2Pk&feature=player_embedded#!
This clip shows how people have an instinct to herd or swarm, as people generally like to belong. It shows that early adopters or pioneers are risk takers, but that their efforts can be quickly rewarded when others follow. This can be loosely translated into how adoption of a system within an organisation can accelerate with good management techniques.
ACTIVITY 3
One Car – Two Siblings (Mark Collard, Feb 17, 2011)
⦁ Ask participants to pair up with someone they do not know
⦁ Ask everyone to briefly make an introduction to each other
⦁ Explain that the object of the game is to search out all the things they have in common in a ‘numbered fashion’. For example, they both have ONE car, TWO siblings, THREE children, FOUR letters in their first names, and so on.
⦁ At the conclusion, invite pairs to share how high their numbered commonalities went, with the highest-scoring pair reading their list to the group.
Allow 10 minutes for this activity
ACTIVITY 4
Clumps (Mark Collard, Jan 16, 2010)
Enough space is required so everyone can stand in small groups
⦁ Ask everyone to move into an open space
⦁ Explain that the object of the game is to form groups in the number you call out.
⦁ Ensure you call a group of ONE at some stage during the game.
The intention is to form and re-form groups fairly quickly so that the participants are moving and becoming re-energised. It doesn't matter if participants are 'leftovers', as the next group number should be called once each group has been formed.
ACTIVITY 5
Categories (Mark Collard, Oct 16, 2009)
Enough space is required so everyone can stand in small groups
Explain that the object of the game is to form groups according to the category you call out.
The intention is to form and re-form groups fairly quickly so that the group is moving and becoming re-energised. It doesn't matter if people are 'leftovers', as the next category should be called once each group has been formed.
Examples of categories may include:
⦁ Simple half-half splits:
⦁ Arm that ends up crossed over the top of the other, when folded on your chest.
⦁ Leg you put into your pants, shorts, underwear, etc. first when dressing.
⦁ Preference for cooking or cleaning up.
⦁ Preference for washing or drying dishes.
⦁ Position of your thumbs that is left or right on top, when you clasp your hands together so that your fingers interlock.
⦁ Last digit of your home telephone number: all the odd numbers (1, 3, 5, 7 or 9) get together, and the even numbers do the same.
⦁ When presented with a 'good news / bad news' story, which do you prefer to hear first?
⦁ Preference for the way toilet paper spills off the roll – like a waterfall, over the top and forward, or against the back towards the wall.
⦁ Street number where you live – odds and evens.
⦁ Simple multi-group splits:
⦁ Month / zodiac sign in which you were born.
⦁ Number of continents you have visited.
⦁ Number of siblings in your family, including yourself.
⦁ Colour of your eyes, hair, socks, etc.
⦁ Type of shoes you are wearing (not necessarily their brand).
⦁ Which shoulder(s) you hold a carry-bag – right, left or both shoulders.
⦁ How often you shave each week.
⦁ Distance you have travelled to get here (use clumps of distances, such as 0-5 km, 5-10 km, etc.).
⦁ Number of items you recycle at home, e.g., plastic, glass, tin, paper, etc.

NOTES
