Risk & Compliance Management System Audit

Information

Document No.
Audit Title
Client / Site
Conducted on
Prepared by
Location
Audit Team Names:
Company Representative(s):
Employees Interviewed:

Scope of Audit

Audit Objectives:
Out of Scope:

Terms & Definitions

CMS - Compliance Management System
RMS - Risk Management System
RCMS - Risk & Compliance Management System
Risk - effect of uncertainty on objectives
Risk management - coordinated activities to direct and control an organization with regard to risk
Risk management framework - set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.
Risk management policy - management policy statement of the overall intentions and direction of an organization related to risk management
Risk attitude - organization's approach to assess and eventually pursue, retain, take or turn away from risk
Risk management plan - scheme within the risk management framework (2.3) specifying the approach, the management components and resources to be applied to the management of risk
Risk owner - person or entity with the accountability and authority to manage a risk
Risk management process - establishing the context -defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy
Establishing the Context - defining the external and internal parameters to be taken into account when managing risk, and setting the
scope and risk criteria for the risk management policy

Risk & Compliance Process Schematics

Relationship between Risk Management Principles, Framework & Process
Compliance Management System Flowchart

AUDIT

The success of risk and compliance management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organization at all levels.

The framework assists in managing risks and compliance effectively through the application of the risk and compliance management process at varying levels and within specific contexts of the organization. The framework ensures that information about risk and compliance derived from the risk management process is adequately reported and used as a basis for decision making and accountability at all relevant organizational levels.

1. AUDIT PREPARATION

Review corrective actions for previous Internal Audit findings
Review corrective actions for previous External Audit findings
Review corrective actions for any customer complaints
Review corrective actions for any customer audit findings

2. ORGANISATIONAL CONTEXT..........(Clause 4.1 / 4.3, 5.3)

Before starting the design and implementation of the framework for managing risk and compliance, it is important to evaluate and understand both the external and internal context of the organization, since these can significantly influence the design of the framework.
Has the organization established, documented, implemented and maintained a Risk Management System?
Has the organization established, documented, implemented and maintained a Compliance Management System?
Has the organisation determined external issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its risk and compliance management system?
Has the organisation determined internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its risk and compliance management systems?
Note:
External context includes the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local; Key external drivers and trends having impact on the organisation and relationships with external stakeholders.

Internal context may include , but is not limited to: ⎯ governance, organizational structure, roles and accountabilities; ⎯ policies, objectives, and the strategies that are in place to achieve them; ⎯ capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies); ⎯ information systems, information flows and decision making processes (both formal and informal); ⎯ relationships with, and perceptions and values of, internal stakeholders; ⎯ the organization's culture; ⎯ standards, guidelines and models adopted by the organization; and ⎯ the form and extent of contractual relationships.

3. UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES..........(Clause 4.2 / 5.2)

Has the organization determined the interested parties that are relevant to the compliance management system?
Has the organization determined the requirements of these interested parties.
Has top management endorsed and defined the risk management policy?
Has top management ensured that the organization's culture and risk management policy are aligned?
Has risk management objectives and performance indicators that align with objectives and performance indicators of the organization been determined?
Has accountabilities & responsibilities for managing risk been assigned at appropriate levels?
Have the necessary resources been allocated to managing risk?
Has the organisation communicated the benefits of risk management to all stakeholders?
Does the framework for managing risk continue to remain appropriate?

4. DETERMINING THE SCOPE OF THE RISK & COMPLIANCE MANAGEMENT SYSTEM.........(Clause 4.3, 4.4 / 4.3)

NOTE: The scope of the risk and compliance management system specifies the geographical and/or organizational boundaries as well as the business, compliance and operational risks to which the risk & compliance management system will apply.
Has the organization determined the geographical boundaries of the risk & compliance management system as part of the scope?
Has the organisational boundaries of the risk & compliance management system been determined as part of the scope?
Has the organization determined the compliance risks that the risk & compliance management system will apply to as part of the scope?
Has the scope of the risk & compliance management system been documented for geographical, organisational and risk boundaries?
Risk management should be embedded in all the organization's practices and processes in a way that it is relevant, effective and efficient. The risk management process should become part of, and not separate from, those organizational processes. In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes. There should be an organization-wide risk management plan to ensure that the risk management policy is implemented and that risk management is embedded in all of the organization's practices and processes. The risk management plan can be integrated into other organizational plans, such as a strategic plan.

5. PRINCIPLES OF COMPLIANCE………(Clause 4.4 / 3)

Does the risk & compliance management system give direct access of the compliance function to the governing body? (ie - Direct reporting lines / nominated employee or role)
Does the risk & compliance management system provide independence of the compliance function?
Does the risk & compliance management system delegate appropriate authority and adequate resources to the compliance function?
Does risk and compliance management create and protect value?
Is risk and compliance management an integral part of all organizational processes?
Is risk and compliance management part of decision making?
Does risk and compliance management explicitly address uncertainty?
Is risk and compliance management systematic, structured and timely?
Is risk and compliance management based on the best available information?
Is risk and compliance management tailored to the organisation?
Does risk and compliance management take human and cultural factors into account?
Is risk and compliance management transparent and inclusive?
Is risk and compliance management dynamic, iterative and responsive to change?
Does risk and compliance management facilitate continual improvement of the organization?

6. COMPLIANCE OBLIGATIONS……….(Clause 4.5)

Has the organisation systematically identified its risk & compliance obligations and their implications for its activities? (Calendar/obligations/activities)
Has the organisation documented its risk & compliance obligations? (ie Compliance Register & Risk Register)
Are there processes in place to identify new and changed laws, regulations, codes and other compliance obligations?
Are there processes in place to evaluate the impact of the identified changes and implement any necessary changes in the way obligations are managed? (Provide example)

7. IDENTIFICATION, ANALYSIS AND EVALUATION OF COMPLIANCE RISKS……….(Clause 4.6 /5.4)

Has the organisation identified and evaluated its compliance risks by relating its compliance obligations to its activities, products, services and relevant aspects of its operations? (Register - activity/service/product against obligation against risk against control) Example required.
Has the organisation analysed its compliance risks by considering causes and sources of noncompliance and the severity of their consequences, as well as the likelihood that noncompliance and associated consequences can occur. (ie Risk Assessment)
Are compliance risks reassessed periodically?
Are compliance risks reassessed whenever there are new or changed activities, products or services?
Are compliance risks reassessed whenever there are changes to the structure or strategy of the organization?
Are compliance risks reassessed whenever there are significant external changes?
Are compliance risks reassessed whenever there are changes to compliance obligations?
Are compliance risks reassessed whenever there is a non-compliance? (Is this in a procedure of policy?)
Is there a register for recording non-compliances with obligations?

8. LEADERSHIP AND COMMITMENT……….(Clause 5.1 /4.2)

Have top management established the core values of the organisation?
How do top management uphold the core values of the organisation?
Has top management communicated the importance of an effective compliance management system?
Has top management communicated the importance of conforming to the compliance management system requirements?

9. RISK & COMPLIANCE POLICIES……….(Clause 5.2 / 4.3.2)

Risk & Compliance is managed through:
- A Compliance Policy
- A Risk Policy
- A Combined Risk & Compliance Policy
Does the policy include the scope of the Compliance Management System (CMS)?
Does the policy include the application and context of the CMS?
Does the policy include responsibilities for managing and reporting compliance issues?
Does the policy include the organisations rationale for managing risk?
Does the policy address the way in which conflicting interests are dealt with?
Is the organisations rationale for managing risk documented in the policy?
Does the policy include links between organisational objectives, policies and the risk management policy?
Does the policy include the standard of conduct and accountability?
Does the policy include a commitment to make the necessary resources available for managing risk?
Does the policy address the way that risk management performance will be measured, reported, reviewed and improved (including in the event of change in circumstances, response to an event or periodically)?
Does the policy include the consequences of non-compliance?
Is the Policy available in a documented format?
Is the Policy clearly communicated within the organisation and readily available to employees?
Is the Policy updated as required?
How do top management know the Policy is understood by employees?

10. ORGANIZATIONAL ROLES, RESPONSIBILITIES, AUTHORITIES AND ACCOUNTABILITY……….(Clause 5.3 / 4.3.3)

Are risk & compliance responsibilities included in position statements of top managers? (ie - responsibility for WHS or Environmental incident reporting)
Has risk owners that have the accountability and authority to manage risks been identified?
Has a Compliance function (role, position, employee) been appointed? ie accountable for the development, implementation and maintenance of the framework
Provide information relating to the Compliance Function: ie, individual, resourcing, appointment, position, team, location etc.
Has a Risk function (role, position, employee) been appointed? ie accountable for the development, implementation and maintenance of the framework
Provide information relating to the Risk Function: ie, individual, resourcing, appointment, position, team, location etc.
Are adequate and appropriate resources are allocated to the compliance management system?
Has responsibilities and authorities for relevant risk & compliance roles been assigned communicated within the organization? (ie appointment of WHS Advisor or risk advisoretc)
Has the organisation considered the risk management resource requirements?
Note: Resource consideration includes ⎯ people, skills, experience and competence; ⎯ resources needed for each step of the risk management process; ⎯ the organization's processes, methods and tools to be used for managing risk; ⎯ documented processes and procedures; ⎯ information and knowledge management systems; and ⎯ training programmes.
Is top management measured against risk & compliance key performance measures, objectives or outcomes?
Does the Risk or Compliance Function have authority and responsibility for the risk and compliance management system?
Does the Risk or Compliance Function have authority to act independently?
Is there a potential for the Risk or Compliance Function to have a conflict of interest? (ie. Operations Manager also Compliance Function)
Has the Risk & Compliance Functions demonstrated effective communication and influencing skills?
Has the Risk & Compliance Function(s) demonstrated relevant competence?
Does the Risk & Compliance Functions have support from and direct access to the governing body and top management?
Does the Risk & Compliance Functions have access to senior decision-makers and the opportunity to contribute early in the decision-making processes?
Does the Risk & Compliance Functions have access to all levels of the organization?
Does the Risk & Compliance Functions have access to all information and data needed to perform the compliance tasks?
Does the Risk & Compliance Functions have access to expert advice on relevant laws, regulations, codes and organizational standards?
Does the Risk & Compliance Function have responsibility for establishing performance indicators and monitoring and measuring compliance performance? (If not, who does)
Are line managers responsible for compliance within their area of responsibility?
Do employees fulfill their obligations in the CMS?
Has responsibilities of people at all levels in the organization for the risk management process been identified?

11. ACTIONS TO ADDRESS COMPLIANCE RISKS (PLANNING)……….(Clause 6.1)

How is planning undertaken to assure the compliance management system achieves its intended outcome(s)?
How is planning undertaken to prevent, detect and reduce undesired effects?
How is planning undertaken to achieve continual improvement?
Does the organisation have a documented Action Plan to address compliance risks?
Does the Action Plan address how to integrate and implement the actions into the CMS processes?
Does the Action Plan address how to evaluate the effectiveness of the actions once implemented?

12. COMPLIANCE OBJECTIVES……….(Clause 6.2)

Has Compliance Objectives been established at relevant functions and levels of the business?
Compliance objectives are consistent with the compliance policy?
Compliance objectives are measurable (if practicable)?
Compliance objectives take into account applicable requirements?
Compliance objectives are monitored?
Compliance objectives are communicated?
Compliance objectives are updated and or revised as appropriate?

13. COMPETENCE & TRAINING……….(Clause 7.2 /4.3.5)

Has the organisation determined the necessary competence of person(s) doing work under its control that affects its compliance management system performance?
Has the organisation ensured that these persons are competent on the basis of appropriate education, training, and/or work experience?
Does the organisation retain appropriate documented information including evidence of competence?
Is education and training of employees tailored to the obligations and compliance risks related to the roles and responsibilities of the employee?
Education and training of employees is undertaken at commencement with the organization and on-going?
Education and training of employees is assessed for effectiveness?
Education and training of employees is updated as required?
Education and training of employees is recorded?
Compliance retraining is considered when there is a change of position, responsibilities, internal processes, policies, procedures, structures, compliance obligations, activities, products, services or issues arising from monitoring, auditing, reviews, complaints or non-compliances?
Does the organisation hold information and training sessions about the risk and compliance framework?

14. AWARENESS……….(Clause 7.3)

Are persons undertaking work under the organisations control aware of the risk and compliance policy(ies)?
Are persons undertaking work under the organisations control aware of their role and contribution to the effectiveness of the risk & compliance management system performance?
Are persons undertaking work under the organisations control aware of the implications of not conforming with the compliance management system requirements?
Has top management assumed responsibility for ensuring that operational objectives and targets do not compromise compliance behaviour
Has top management assumed responsibility for encouraging all employees to accept the importance of achieving the compliance objectives;
Has top management assumed responsibility for encouraging employees to make suggestions that facilitate continual improvement in compliance performance

15. COMMUNICATION & CONSULTATION……….(Clause 7.4 / 5.2,4.3.6, 4.3.7)

Communication and consultation with external and internal stakeholders should take place during all stages of the risk and compliance management process.
Therefore, plans for communication and consultation should be developed at an early stage. These should address issues relating to the risk itself, its causes, its consequences (if known), and the measures being taken to treat it. Effective external and internal communication and consultation should take place to ensure
that those accountable for implementing the risk management process and stakeholders understand the basis on which decisions are made, and the reasons why particular actions are required.

A consultative approach may:
⎯ help establish the context appropriately;
⎯ ensure that the interests of stakeholders are understood and considered;
⎯ help ensure that risks and compliance obligations are adequately identified;
⎯ bring different areas of expertise together for analyzing risks and obligations;
⎯ ensure that different views are appropriately considered when defining risk criteria and in evaluating risks;
⎯ secure endorsement and support for a risk and compliance treatment plan;
⎯ enhance appropriate change management during the risk and compliance management processes; and
⎯ develop an appropriate external and internal communication and consultation plan.
Communication and consultation with stakeholders is important as they make judgements about risk and compliance based on their perceptions of risk and obligations. These perceptions can vary due to differences in values, needs, assumptions, concepts and concerns of stakeholders. As their views can have a significant impact on the decisions made, the stakeholders' perceptions should be identified, recorded, and taken into account in the decision making process.
Communication and consultation should facilitate truthful, relevant, accurate and understandable exchanges of information, taking into account confidential and personal integrity aspects.
Has the organisation adopted appropriate methods of communication to ensure the risk & compliance message is heard and understood by all employees on an on-going basis?
If yes, how is this undertaken?
Does the communication set out the organisations expectations of employees?
Is there an approach to external communication, for all interested parties, been adopted? (ie - compliance policy on website)
Are key components of the risk management framework, and any subsequent modifications communicated appropriately?
Is there adequate internal reporting on the risk and compliance framework, its effectiveness and the outcomes?
Is relevant information derived from the application of risk management available at appropriate levels and times? ie - Worker access to risk assessments
Does the organisation have adequate consultation arrangements with internal stakeholders to ensure the effectiveness and appropriateness of the risk and compliance systems?
Does the organisation have a mechanism and processes to consolidate risk information from a variety of sources whilst considering the sensitivity of information? (ie - Risk Management Information System / Governance Risk & Compliance System / WHS Information Management System / Project Information Management System etc)
Have external communication plans been developed and implemented for:
Engaging appropriate external stakeholders and ensuring an effective exchange of information?
External reporting to comply with legal, regulatory, and governance requirements;
Providing feedback and reporting on communication and consultation?
Using communication to build confidence in the organization?
Communicating with stakeholders in the event of a crisis or contingency?

16. DOCUMENTED INFORMATION……….(Clause 7.5 /5.7)

When creating and updating documented information has the organisation ensured appropriate identification and description?
When creating and updating documented information has the organisation ensured appropriate format and media?
When creating and updating documented information has the organisation ensured appropriate
When creating and updating documented information has the organisation ensured appropriate review and approval for suitability and adequacy?
Is documented information controlled to ensure it is adequately protected?
Is documented information controlled to ensure it is available, accessible and suitable for use?

17. OPERATIONAL PLANNING AND CONTROL……….(Clause 8.1 / 5, 4.3.4, 4.4.2, 4.4.1, 4.4)

Has processes been implemented and controlled to meet compliance obligations by defining the objectives of the processes?
Has processes been implemented and controlled to meet compliance obligations by establishing criteria for the processes?
Has processes been implemented and controlled to meet compliance obligations by implementing control of the processes in accordance with the criteria?
Has processes been implemented and controlled to meet compliance obligations by keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned?

18. ESTABLISHING CONTROLS AND PROCEDURES……….(Clause 8.2 / 5, 5.1)

Is there controls in place to manage the compliance obligations and associated compliance risks?
Are controls periodically evaluated and tested to ensure their continuing effectiveness? (how)
Has the organisation defined the appropriate timing and strategy for implementing the framework?
Has the organisation applied the risk management policy and process to the organizational processes?
Has the organisation ensured that decision making, including the development and setting of objectives, is aligned with the outcomes of risk management processes?

19. RISK MANAGEMENT CONTEXT & CRITERIA……….(Clause - / 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5)

The risk management process should be
⎯ an integral part of management,
⎯ embedded in the culture and practices, and
⎯ tailored to the business processes of the organization.
Are the goals and objectives of the risk management activities defined?
Are responsibilities for and within the risk management process defined?
Is the scope, as well as the depth and breadth of the risk management activities to be carried out, including specific inclusions and exclusions defined?
Is the risk activity, process, function, project, product, service or asset in terms of time and location defined?
Is the risk context relationship between a particular project, process or activity and other projects, processes or activities of the organization defined?
Are the risk assessment methodologies defined?
Is the way evaluation of performance and effectiveness in the management of risk defined?
Does the risk process identify and specify the decisions that have to be made?
Does the risk process identify scoping or framing studies needed, their extent and objectives, and the resources required for such studies?
Risk Criteria:
The organization should define criteria to be used to evaluate the significance of risk. The criteria should reflect the organization's values, objectives and resources. Some criteria can be imposed by, or derived from,
legal and regulatory requirements and other requirements to which the organization subscribes. Risk criteria
should be consistent with the organization's risk management policy, be defined at the beginning of any risk management process and be continually reviewed.

When defining risk criteria, has the organisation considered:
Nature and type of causes and consequences that can occur and how they will be measured?
How likelihood will be defined?
The timeframe(s) of the likelihood and/or consequence(s)?
How the level of risk is to be determined?
The views of stakeholders?
The level at which risk becomes acceptable or tolerable (based on organisational risk appetite)?
Whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered?

20. RISK IDENTIFICATION, ANALYSIS & EVALUATION……….(Clause - / 5.4. 5.4.1, 5.4.2, 5.4.3, 5.4.4)

Risk Identification:
The organization should identify sources of risk, areas of impacts, events (including changes in circumstances) and their causes and their potential consequences. The aim of this step is to generate a comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives. It is important to identify the risks associated with not pursuing an opportunity. Comprehensive identification is critical, because a risk that is not identified at this stage will not be included in further analysis. Identification should include risks whether or not their source is under the control of the organization, even
though the risk source or cause may not be evident. Risk identification should include examination of the knock-on effects of particular consequences, including cascade and cumulative effects. It should also consider a wide range of consequences even if the risk source or cause may not be evident. As well as identifying what might happen, it is necessary to consider possible causes and scenarios that show what consequences can occur. All significant causes and consequences should be considered. The organization should apply risk identification tools and techniques that are suited to its objectives and capabilities, and to the risks faced. Relevant and up-to-date information is important in identifying risks. This should include appropriate background information where possible. People with appropriate knowledge should be involved in identifying risks.
Does the organisation have a risk register for the identification of various risks classes? (ie legal, business, financial, safety, environment etc)
Is the risk register hierarchical? (ie Corporate risks cascade down to department risks or operational risk registers down to plant, equipment & site risks)
Has identified risks been considered in terms of impact (consequence), defined events and causal factors?
Do identified risks include those risks not under the direct control of the organisation? (ie legislative, political or environmental risks)
Is the cumulative, cascading or knock-on effect of risks considered by the organisation?
Are suitable risk identification tools used by the organisation which may be based upon complexity of risk, category of risk (ie safety) or level with the organisation that risks are being identified?
Are people with appropriate knowledge involved in the identification of risks? ie workers, specialists etc
Risk Analysis:
Risk analysis involves developing an understanding of the risk. Risk analysis provides an input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods. Risk analysis can also provide an input into making decisions where choices must be made and the options involve different types and levels of risk. Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur. Factors that affect consequences and likelihood should be identified. Risk is analyzed by determining consequences and their likelihood, and other attributes of the risk. An event can have multiple consequences and can affect multiple objectives. Existing controls and their effectiveness and efficiency should also be taken into account. The way in which consequences and likelihood are expressed and the way in which they are combined to determine a level of risk should reflect the type of risk, the information available and the purpose for which the risk assessment output is to be used. These should all be consistent with the risk criteria. It is also important to consider the interdependence of different risks and their sources. The confidence in determination of the level of risk and its sensitivity to preconditions and assumptions should be considered in the analysis, and communicated effectively to decision makers and, as appropriate, other
stakeholders. Factors such as divergence of opinion among experts, uncertainty, availability, quality, quantity and ongoing relevance of information, or limitations on modelling should be stated and can be highlighted. Risk analysis can be undertaken with varying degrees of detail, depending on the risk, the purpose of the analysis, and the information, data and resources available. Analysis can be qualitative, semi-quantitative or quantitative, or a combination of these, depending on the circumstances. Consequences and their likelihood can be determined by modelling the outcomes of an event or set of events, or by extrapolation from experimental studies or from available data. Consequences can be expressed in terms of tangible and intangible impacts. In some cases, more than one numerical value or descriptor is required to specify consequences and their likelihood for different times, places, groups or situations.
Does the organisation consider the causes and sources of risk when undertaking risk analysis?
Does the organisation consider both positive and negative consequences of risk during the risk analysis process?
During risk analysis, does the organisation consider the likelihood of the consequences occurring?
Are other attributes of the risk analysed other than likelihood and consequence (ie - Frequency, multiple impacts, existing controls, effectiveness, efficiency, cost)?
Does the way consequence and likelihood are expressed together with risk scoring or risk level reflect the type of risk, information available and purpose?
Does the organisation consider the level of confidence, sensitivity to preconditions and assumptions during risk analysis?
Are these levels of confidence, sensitivity, preconditions and assumptions made available to decision makers and stakeholders?
Has the risk analysis methodology been determined based on type of risk, circumstances etc (including qualitative, semi-quantitative or quantitative, or a combination of these)?
Are the consequences and their likelihood determined through modelling the outcomes of a defined event, studies or data? (ie flood impact data and extrapolation)
Risk Evaluation:
The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation. Risk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. Based on this comparison, the need for treatment can be considered. Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk. Decisions should be made in accordance with legal, regulatory and other requirements. In some circumstances, the risk evaluation can lead to a decision to undertake further analysis. The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls. This decision will be influenced by the organization's risk attitude and the risk criteria that have been established.
Does the organisation rely on the evaluation of risks to assist in making decisions for treatment of risks and their priority?
When evaluating risks, does the organisation consider the wider business risk tolerance context in terms of strategic objectives, legal, regulatory or other requirements?
Is there a documented process or instruction relating to circumstances when a risk assessment need not be conducted or a risk not needing treatment, based on risk appetite or regulatory requirements?

21. RISK TREATMENT……….(Clause - / 5.5, 5.5.1, 5.5.2, 5.5.3, 4.3.6, 4.3.7)

Risk treatment involves selecting one or more options for modifying risks, and implementing those options. Once implemented, treatments provide or modify the controls.
Risk treatment involves a cyclical process of:
⎯ assessing a risk treatment;
⎯ deciding whether residual risk levels are tolerable;
⎯ if not tolerable, generating a new risk treatment; and
⎯ assessing the effectiveness of that treatment.

Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. The options can include the following:
a) avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
b) taking or increasing the risk in order to pursue an opportunity;
c) removing the risk source;
d) changing the likelihood;
e) changing the consequences;
f) sharing the risk with another party or parties (including contracts and risk financing); and
g) retaining the risk by informed decision.

Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment. Decisions should also take into account risks which can warrant risk treatment that is not justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks. A number of treatment options can be considered and applied either individually or in combination. The organization can normally benefit from the adoption of a combination of treatment options. When selecting risk treatment options, the organization should consider the values and perceptions of stakeholders and the most appropriate ways to communicate with them. Where risk treatment options can impact on risk elsewhere in the organization or with stakeholders, these should be involved in the decision.
Though equally effective, some risk treatments can be more acceptable to some stakeholders than to others. The treatment plan should clearly identify the priority order in which individual risk treatments should be implemented. Risk treatment itself can introduce risks. A significant risk can be the failure or ineffectiveness of the risk treatment measures. Monitoring needs to be an integral part of the risk treatment plan to give assurance that the measures remain effective. Risk treatment can also introduce secondary risks that need to be assessed, treated, monitored and reviewed. These secondary risks should be incorporated into the same treatment plan as the original risk and not treated as a new risk. The link between the two risks should be identified and maintained.
Does the organisation have a documented risk treatment process?
Does this process provide guidance on how to assess a risk treatment whether residual risk levels are tolerable and how the effectiveness of a risk treatment can be assessed?
Do risk treatment options include any of the following components?:
Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk?
Taking or increasing the risk in order to pursue an opportunity?
Removing the risk source?
Changing the likelihood?
Changing the consequences?
Sharing the risk with another party or parties (including contracts, risk financing, insurance etc)?
Retaining the risk by informed decision?
When selecting risk treatment options, does the organisation balance treatment costs and implementation effort against the benefits regarding legal, regulatory, social responsibility, protection of natural environment etc?
Do risk treatment options take into account economic grounds? (ie severe consequence but low likelihood)
When selecting treatment options does the organisation consider values and perceptions of stakeholders and are they involved in the decision process?
Is there a Treatment Plan applied to each risk identified for treatment?
Is the introduction of new risks considered as part of risk treatment options?
Do risk treatment plans include the priority order in which risks should be treated?
Is the risk treatment plan monitored regularly and responsibility assigned for individual risk treatments?
Do risk Treatment Plans provide the following information:
The reasons for selection of treatment options, including expected benefits to be gained?
Those who are accountable for approving the plan and those responsible for implementing the plan?
Proposed actions?
Resource requirements including contingencies?
Performance measures and constraints?
Reporting and monitoring requirements?
Timing and schedule?
Are treatment plans integrated into business management processes and communicated with appropriate stakeholders?
Are decision makers and other stakeholders aware of the nature and extent of the residual risk after risk treatment?
Is the residual risk documented and subjected to monitoring, review and if appropriate further treatment?

22. RISK MONITORING & REVIEW……….(Clause - / 5.6)

Does the organisation have a documented monitoring and review program that is planned as part of the risk management process?
Does the organisation monitoring and review process involve regular checking or surveillance that is both periodic and ad hoc?
Are responsibilities for monitoring and review clearly defined?
Do the monitoring and review processes provide consideration for:
Ensuring that controls are effective and efficient in both design and operation?
Obtaining further information to improve risk assessment?
Analyzing and learning lessons from events (including near-misses), changes, trends, successes and failures?
Detecting changes in the external and internal context, including changes to risk criteria and the risk itself which can require revision of risk treatments and priorities?
Identifying emerging risks?

23. RISK MANAGEMENT RECORDING……….(Clause - / 5.7)

Risk management activities should be traceable. In the risk management process, records provide the foundation for improvement in methods and tools, as well as in the overall process.

Do decisions concerning the creation of records take into account the following:
The organisation's needs for continuous learning?
Benefits of re-using information for management purposes?
Costs and efforts involved in creating and maintaining records?
Legal, regulatory and operational needs for records?
Method of access, ease of retrievability and storage media?
Retention period?
Sensitivity of information?

24. OUTSOURCED PROCESSES……….(Clause 8.3)

Are outsourced processes controlled and monitored? (if yes, how?)
If there is any outsourcing of activities, does the organization undertake due diligence to ensure that its standards and commitment to compliance will not be lowered? (if yes, how?)
Does the organisation consider compliance risks related to other third-party related processes, such as supply of goods and services and distribution of products, and put controls in place as necessary? (if yes, how?)

25. MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION……….(Clause 9.1/5.6, 4.5)

Is the compliance management system monitored to ensure compliance performance is achieved? (if yes, how?)
Has a plan for continual monitoring of compliance been established?
Does the organisation retain appropriate documented information as evidence of the results of monitoring?
Are procedures implemented for seeking and receiving feedback on the compliance performance from a range of sources?
Are measureable indicators in place to quantify the compliance performance of the organisation? (ie objectives & targets)
Does the organisation ensure that the governing body, management and the compliance function are informed on the performance of the compliance management system and of its continuing adequacy? (if yes, how?)
Do the internal reporting arrangements ensure that appropriate criteria and obligations for reporting are set out?
Do the internal reporting arrangements ensure that timelines for regular reporting are established?
Do the internal reporting arrangements ensure that an exception reporting system is in place which facilitates ad hoc reporting of emerging noncompliance?
Do the internal reporting arrangements ensure that systems and processes are in place to ensure the accuracy and completeness of information?
Do the internal reporting arrangements ensure that information is provided to the correct functions or areas of the organization to enable preventative, corrective and remedial action to be taken?
Do the internal reporting arrangements ensure that there is sign-off on the accuracy of reports to the governing body, including by the compliance function?
Are all non-compliances appropriately reported?
Are employees encouraged to respond to and report non-compliances? (if yes, how)
Are records of the organization’s compliance activities maintained? (Record-keeping include recording and classifying complaints, disputes and alleged noncompliance and the steps taken to resolve them.)
Are records stored in a manner that ensures they remain legible, readily identifiable and retrievable?
Are records protected against any addition, deletion, modification, unauthorized use or concealment?

26. AUDIT……….(Clause 9.2/5.6)

Does the organization conduct audits at planned intervals?
Does the audit provide information on whether the CMS conforms to its own criteria and to the criteria of ISO 19600?
Does the audit provide information on whether the CMS is effectively implemented and maintained?
Has the organisation implemented an audit programme?
Has the organisation defined audit criteria and scope for each audit?
Does the organisation selects auditors and conduct audits to ensure objectivity and the impartiality of the audit process?
Does the organisation ensure that the results of the audits are reported to relevant management?
Does the organisation retain documented information on the audit results?

27. MANAGEMENT REVIEW……….(Clause 9.3/5.6)

Does top management review the compliance management system, at planned intervals?
Is documented information as evidence of the results of management reviews retained?

28. IMPROVEMENT……….(Clause 10 / 4.6)

Based on results of monitoring and reviews, decisions should be made on how the risk and compliance management frameworks, policy and plans can be improved. These decisions should lead to improvements in the organization's management of risk and compliance and its risk management culture.
When a non-compliance occurs does the organisation react to the noncompliance?
When a non-compliance occurs does the organisation evaluate the need for action to eliminate the root causes of the noncompliance?
When a non-compliance occurs does the organisation implement any action needed?
When a non-compliance occurs does the organisation review the effectiveness of any corrective action taken?
When a non-compliance occurs does the organisation makes changes to the compliance management system, if necessary?
Is documented information retained as evidence of the nature of the noncompliances and any subsequent actions taken?
Is documented information retained as evidence of the results of any corrective action?
Is there an escalation process in place that has been be adopted and communicated to ensure all noncompliances are raised, reported and eventually escalated to relevant management and that the compliance function is informed?
Is there a mechanism in place for employees and/or others to report suspected or actual misconduct or violations of the compliance obligations on a confidential basis and without fear of retaliation? (Whistleblowers policy?)

29. ENHANCED RISK & COMPLIANCE MANAGEMENT……….(ANNEX A)

All organizations should aim at the appropriate level of performance of their risk management framework in line with the criticality of the decisions that are to be made. The list of attributes below represents a high level of performance in managing risk. To assist organizations in measuring their own performance against these
criteria, some tangible indicators are given for each attribute.
Does the organisation fully accept accountability for their risks and develop comprehensive controls and treatment strategies?
Does the organisation place an increased emphasis on continuous improvement in risk management? Organisations should set its performance goals, its measures, and then review and modify processes as required. An organisation should also review and modify its systems, resources and capability/skills to ensure continuous improvement.
Have individuals with accountability for risk management been identified and are they appropriately skilled, have adequate resources to check and improve controls, monitor risks, and the ability to communicate effectively with all stakeholders?
Does decision making within the organisation, whatever the level of importance and significance, include consideration of risks and the application of the risk management process as appropriate?
Is frequent reporting to all stakeholders of the organisations risk management performance included in governance processes? This reporting should be ongoing and highly visible.

30. SPECIFIC RISK AND COMPLIANCE OBLIGATIONS FOR HEALTH & SAFETY

It is the duty of an officer (CEO for example) of a business (PCBU) to exercise due diligence to ensure the PCBU complies with its health and safety duties and obligations. Do officers of the organisation demonstrate compliance by:
Ensuring the reporting of notifiable incidents?
Consulting with workers?
Ensuring compliance with notices issued under this Act?
Ensuring the provision of training and instruction to workers about work health and safety?
Ensuring that health and safety representatives (if elected) receive their entitlements to training?
Do those in control of workplaces ensure their workers:
Take reasonable care for their own health and safety?
Ensure their acts or omissions do not affect other people?
Comply with any reasonable instruction given to them by their employer?
Cooperate with policies and procedures issued by the employer (ie – wearing PPE)?
Does the organisation ensure it has the primary duty of care for the health and safety of all workers who are engaged by them or under their direction?
Does the organisation ensure their activities and those of their workers do not put other people’s health and safety at risk too?
Does the organisation provide and maintain a safe work environment, safe plant, safe structures, safe systems of work and the safe use, handling and storage of plant, structures and substances?
Are adequate facilities for workers welfare are provided as well as access to those facilities?
Does the organisation provide their workers with information, training, instruction and supervision to a necessary level that will protect persons from risk to their health and safety?
Does the organisation monitor the health of workers and workplace conditions to prevent illness or injury.
Does the organisation consult with their workers: • When identifying hazards and assessing risks to health and safety? • When making decisions about ways to eliminate or minimise risks? • When making decisions about the adequacy of facilities for the welfare of workers? • When proposing changes that may affect the health and safety of workers? • When making decisions about procedures for consulting, resolving issues and monitoring the health of workers or workplace conditions? • When providing information and training to workers?
Does the organisation have a health and safety Issue Resolution Process iaw section 80-82 of the Act and section 22 of the Regulation?
How are WHS objectives and targets identified and set?

31. SPECIFIC RISK AND COMPLIANCE OBLIGATIONS FOR ENVIRONMENTAL MANAGEMENT

Has the organisation identified it's environmental Aspects & Impacts and recorded them?
Has the organisation identified it's 'Duty to Notify of Environmental Harm' obligations?
Do these include the duty to notify owners and occupiers of affected land as well as the regulatory?
Does the organisation notify the regulator within 24 hours of becoming aware of an incident that may give rise to environmental harm?
Has the organisation documented what is environmental harm and how it is relevant to the organisations activities?
Has the 'duty to notify of environmental harm' been communicated to all workers and levels of the organisation?
Has the organisation identified it's Environmentally Relevant Activities - Prescribed or otherwise iaw Schedule 2 of the Regulation?
Has the organisation identified any Notifiable Activities it undertakes iaw Schedule 3 of the Act?
Has the organisation undertaken an Environmental Impact Assessment relating to its primary service or product?
Has the organisation implemented environmental monitoring processes relating to air quality, dust management, water quality, noise management, contaminated land, waste disposal and asbestos removal?
How are Environmental objectives and targets identified and set?
Has the organisation identified it's General Environmental Duty?

32. SPECIFIC RISK AND COMPLIANCE OBLIGATIONS FOR CORPORATE GOVERNANCE

Do the Board and management understand the importance of achieving both business profits and social outcomes for clients?
Does the organisation have a Strategic Plan and is it supported by a Risk Management Plan?
Is there appropriate involvement of the Board, senior management and staff in the development of the Strategic Plan?
Are clearly definable performance measures (operational and financial) and accountabilities incorporated into the Strategic Plan?
Does the organisation have systems and processes in place to monitor performance against the Strategic Plan?
Does the organisation review the Strategic Plan on a regular basis?
Are there appropriate links between the Strategic Plan and planning at the Board, senior management and individual levels?
Does the organisation develop an annual Business Plan which is linked to the Strategic Plan and outlines what it will be undertaking in the year ahead and which is endorsed and monitored by the Board?
Does the Board and each Board Member understand that, individually and collectively, that they are responsible for governing the organisation?
Does each Board Member know the legal governance framework under which its organisation operates?
Is there a clear identification of the powers, roles, responsibilities and accountabilities between the Board and the Chief Executive Officer or equivalent?
Is there a sound system of procedures and financial delegations in place approved by the Board?
Are there processes in place governing policy development, implementation and review, and which ensures that the Board approves new policies?
Has the Board established an Audit and/or Risk Board Sub-Committee?
Does the organisation have an Executive Management Group or equivalent, comprising its senior managers, which meets on a regular basis?
Does the organisation have regular staff meetings to ensure that employees are aware of current issues facing the organisation and to encourage feedback to management?
Is the Board aware of its legislative compliance obligations and does it have processes in place to monitor compliance?
Is the Board aware of the relevant statutory reporting requirements and does it have processes in place to monitor compliance?
Has the Board approved an appropriate contract management framework for the organisation which has been developed with appropriate legal advice?
Has the Board agreed the operating policies and procedures for the organisation, covering such matters as: Complaint handling; Delegation of authority; Environmental and social obligations; Ethical behaviour; Financial delegations; Financial management, including financial transactions and reporting; Tendering, contracts and procurement; Fraud control; Governance arrangements; Human resource management; Information Technology management; Media and public relations; Occupational Health and Safety; Risk Management; and Stakeholder management and relations?
Is the Board aware of its contractual compliance obligations and are processes in place to monitor compliance?
Is there a Code of Conduct outlining standards of personal behaviour and the requirements for ethical conduct on the part of all Board Members, other Officers, management and staff and which outlines the processes for dealing with these issues?
Are mechanisms in place to gain assurance that decision making processes are not subject to prejudice or bias?
Does the organisation maintain a Register of Conflicts of Interest?
Does the organisation have risk management policies and procedures and a framework to ensure risk is considered at all levels of the organisation – strategic, operational, project and single issue levels?
Are there Disaster Recovery and Business Continuity Plans in place?
Does the organisation have in place the required levels of insurance including Public Liability and Directors’ and Officers’ Liability Insurance?
Does the organisation have appropriate plans in place to protect the physical security of its people, information and assets?
Has the Chief Executive Officer or equivalent, or the Board established appropriate mechanisms and processes for budget development and financial planning for the organisation?
Does budgeting documentation include operational and capital budgets for the medium to long term, and do these budgets link to the Strategic and Business Plans?
Are there appropriate performance measures, financial and operational (non-financial), which enable the efficiency, effectiveness and economy of the organisation to be assessed?
Do financial reports show, at a minimum, a comparison between year to date, budget, last year to date, and full year data and provide information on the cash position of the organisation?
Are financial reports supported with appropriate financial and operational analysis – ratios, service delivery benchmarks and other performance indicators?
Are financial reports derived directly from the underlying accounting systems and is there a quality assurance process over the compilation of the reports?
Does the Board receive timely reports on human resource management issues on a monthly basis covering such matters as: Recruitment; Departures; Training and development; Occupational Health and Safety; Equal Employment Opportunity; Staff complaints and harassment; and Succession planning?
Is there an appropriate performance management system in place for the Board, Board Members, other Officers, management and other employees that is aligned to the organisation’s Strategic Plan and includes a formal review of the performance of the Chief Executive Officer or equivalent by the Board?
Does the organisation include fraud risks as part of its Risk Management Plan?
Does the organisation have in place appropriate fraud prevention, detection, investigation, reporting and data collection procedures?
Does the organisation have an agreed project management framework in place?
Are all relevant projects being undertaken in accordance with the mandated project management framework?
Do the Board and management monitor project planning and implementation on a regular basis?
Does the organisation provide project management training and support to its staff?

33. SPECIFIC RISK AND COMPLIANCE OBLIGATIONS FOR BUILDING & CONSTRUCTION INDUSTRY

Summary Grading

Score %
SUPERIOR - Has well exceeded all requirements.
ADVANCED - Has exceeded some minimum requirements.
ACCEPTABLE - Has met all minimum requirements.
BELOW MINIMUM - Has not met all minimum requirements.
NOT ACCEPTABLE - System has major non-conformances.
AUDITORS COMMENT(S):
Initial Findings & Recommendations of Auditor:

AUDIT CLOSURE

Enter date audit was commenced.
Enter date audit was completed.
Enter date audit report was submitted.
Signature of Auditor:
Name of Auditor
Signature of Company Representative:
Name & Position of Company Representative

Risk & Compliance Management System Audit

Free Risk & Compliance Management System Audit Checklist

Go digital today!

Convert your paper checklists into digital forms

Scope of Audit

Terms & Definitions

Risk & Compliance Process Schematics

AUDIT

1. AUDIT PREPARATION

2. ORGANISATIONAL CONTEXT..........(Clause 4.1 / 4.3, 5.3)

3. UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES..........(Clause 4.2 / 5.2)

4. DETERMINING THE SCOPE OF THE RISK & COMPLIANCE MANAGEMENT SYSTEM.........(Clause 4.3, 4.4 / 4.3)

5. PRINCIPLES OF COMPLIANCE………(Clause 4.4 / 3)

6. COMPLIANCE OBLIGATIONS……….(Clause 4.5)

7. IDENTIFICATION, ANALYSIS AND EVALUATION OF COMPLIANCE RISKS……….(Clause 4.6 /5.4)

8. LEADERSHIP AND COMMITMENT……….(Clause 5.1 /4.2)

9. RISK & COMPLIANCE POLICIES……….(Clause 5.2 / 4.3.2)

10. ORGANIZATIONAL ROLES, RESPONSIBILITIES, AUTHORITIES AND ACCOUNTABILITY……….(Clause 5.3 / 4.3.3)

11. ACTIONS TO ADDRESS COMPLIANCE RISKS (PLANNING)……….(Clause 6.1)

12. COMPLIANCE OBJECTIVES……….(Clause 6.2)

13. COMPETENCE & TRAINING……….(Clause 7.2 /4.3.5)

14. AWARENESS……….(Clause 7.3)

15. COMMUNICATION & CONSULTATION……….(Clause 7.4 / 5.2,4.3.6, 4.3.7)

16. DOCUMENTED INFORMATION……….(Clause 7.5 /5.7)

17. OPERATIONAL PLANNING AND CONTROL……….(Clause 8.1 / 5, 4.3.4, 4.4.2, 4.4.1, 4.4)

18. ESTABLISHING CONTROLS AND PROCEDURES……….(Clause 8.2 / 5, 5.1)

19. RISK MANAGEMENT CONTEXT & CRITERIA……….(Clause - / 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5)

20. RISK IDENTIFICATION, ANALYSIS & EVALUATION……….(Clause - / 5.4. 5.4.1, 5.4.2, 5.4.3, 5.4.4)

21. RISK TREATMENT……….(Clause - / 5.5, 5.5.1, 5.5.2, 5.5.3, 4.3.6, 4.3.7)

22. RISK MONITORING & REVIEW……….(Clause - / 5.6)

23. RISK MANAGEMENT RECORDING……….(Clause - / 5.7)

24. OUTSOURCED PROCESSES……….(Clause 8.3)

25. MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION……….(Clause 9.1/5.6, 4.5)

26. AUDIT……….(Clause 9.2/5.6)

27. MANAGEMENT REVIEW……….(Clause 9.3/5.6)

28. IMPROVEMENT……….(Clause 10 / 4.6)

29. ENHANCED RISK & COMPLIANCE MANAGEMENT……….(ANNEX A)

30. SPECIFIC RISK AND COMPLIANCE OBLIGATIONS FOR HEALTH & SAFETY

31. SPECIFIC RISK AND COMPLIANCE OBLIGATIONS FOR ENVIRONMENTAL MANAGEMENT

32. SPECIFIC RISK AND COMPLIANCE OBLIGATIONS FOR CORPORATE GOVERNANCE

33. SPECIFIC RISK AND COMPLIANCE OBLIGATIONS FOR BUILDING & CONSTRUCTION INDUSTRY

Summary Grading

AUDIT CLOSURE

Related checklists