Risk Management Policy
1. Introduction its authority from the Football NSW Board. The Policy 1.1. Document Review Timetable is effective from the date of the Board approval (displayed on the cover of the Policy). This document will be reviewed and updated annually or earlier as required. 1.4. Risk Management - Background Updates to this document will follow requests The focus of good risk management is the from the business, as a result of legal, statutory or identification and effective management of risks. industry changes, or, in response to changes in the Its objective is to add maximum sustainable value to Football NSW strategy. all the activities of the organisation. It marshals the 1.2. Policy Background understanding of the potential upside and downside of all those factors which can affect the organisation. Football NSW (FNSW) is the governing body for It increases the probability of success, and reduces association football (soccer) and Futsal in the both the probability of failure and the uncertainty of Australian state of New South Wales, with the achieving the organisation’s overall objectives. exception of the northern regions of NSW (the governing body for which is Northern New South Risk management should be a continuous and Wales Football). Football NSW is a member of developing process which runs throughout the the national governing body, Football Federation organisation’s strategy and the implementation Australia (FFA). of that strategy. It should address all the risks surrounding the organisation’s activities past, Prior to 1 April 2007 Football NSW was known as present and in particular, future. Soccer NSW. Risk Management must be integrated into the FNSW operates in a regulated environment, further culture of the organisation with an effective as the governing body is responsible for setting and policy and a programme led by the most senior enforcing of regulations. FNSW needs to be seen as management. It needs to translate the strategy a best practice organisation by our stakeholders. The into tactical and operational objectives, assigning aim of this policy is not to eliminate all risks, but to responsibility throughout the organisation with identify and manage known risks. each manager and employee responsible for the FNSW has sought to foster a strong corporate management of risk as part of their job description. It governance focus, through an independent Board supports accountability, performance measurement of Directors with a broad skill set, an Audit & Risk and reward, thus promoting operational efficiency at Committee who have appointed an independent all levels. risk expert, and a Legal & Regulatory Committee. Risk management protects and adds value to the The Committees act as subcommittees of the Board organisation and its stakeholders through supporting and comprise Directors with specific skills and senior the organisation’s objectives by: management with complementing responsibilities. Committee responsibilities are documented in • Providing a framework for an organisation Charters as approved by the Board. that enables future activity to take place in a consistent and controlled manner All employees / contractors of Football NSW are required to consistently adhere to the Risk • Improving decision making, planning and Management Policy. Non-compliance with prioritisation this requirement by any employee shall be • Contributing to more efficient use/ treated as serious misconduct under their allocation of capital and resources within the employee agreement. organisation 1.3. Authority • Protecting and enhancing assets and The Policy applies to FNSW and its branches company image (Riverina, Southern and Western) and derives • Developing and supporting people and the
Football NSW Risk Management Policy Page 1 Updated 19 September 2013 organisation’s knowledge base Strategic decisions by the Board are to fall in line with the Board charter mandates, the consideration of • Optimising operational efficiency the best interests of the company and the evaluation 1.5. Risk Management Oversight - Governance of the risk management framework. Particularly risk Football NSW will adopt a structured and disciplined management evaluation is made on the effect approach to risk management, which includes: of the Board’s decision on the company with particular reference to financial, reputational and Role Function regulatory risk. The Board Approval, oversight The Board has also delegated to the Audit and and support of the risk Risk Management Committee the responsibility management program for oversight of both the internal and external Chief Executive Officer Provide direction, audit functions and for all audit reports to provide maintain, manage and an assessment and a statement regarding the report organisational effectiveness of the control environment. risks Refer to section 4, the role of the Board associated Executive/ Business Unit Manage, identify, with risk management. Managers address and report risks 2.2. Risk Appetite Audit and Risk Oversight Committee The risk appetite is the level and type of risk an organisation is able and willing to assume in its External Audit Assurance exposures and business activities, given its business Staff Adherence to risk policy objectives and obligations to stakeholders. The roles and responsibilities of each area are The risk appetite is implicitly included within the detailed in section 3 of this policy. Football NSW Risk register. The register maintains An effective Risk Management Framework is a key various risks and control assessment scores which requirement for good Corporate Governance. The are constructed through multiplying the likelihood accountabilities, roles, responsibilities and decision and impact to allow a comparison of making rights for the Board and each Committee are the relative levels of different risks and their included in their respective charters. mitigating outcomes. The tolerance levels of Football NSW vary dependent 2. Corporate Governance upon the nature of the risk and this stretches from The identification, assessment, mitigation and risk averse to risk acceptance. As a result a single risk monitoring of risks provides relevant information appetite statement alone will not be as beneficial as to the Football NSW Board to enable decisions recognising and understanding the organisations regarding the future direction of Football NSW to be tolerance levels across each identified risk which made based on an understanding of opportunities has been assessed in the Risk Management and threats. A transparent reporting framework document register. supports the accuracy, completeness and timeliness In determining the Risk Appetite the Board, ARC, of risk information. CEO, Head of Finance may consider: 2.1. Football NSW Board • Current financial statements The Football NSW Board is responsible for reviewing • Management experience and approving the Risk Management Policy, the Risk Appetite and providing management with the • Stakeholder expectations appropriate direction. The Board delegates to the • Expected performance (return on capital) CEO the responsibility to maintain a sound risk management framework based on this policy. • Existing capital to support risk taking • The culture of the organisation
Football NSW Risk Management Policy Page 2 Updated 19 September 2013 • Longer term strategic priorities training and the development of an enhanced risk awareness by all stakeholders. • The effectiveness of the control environment. Risk management operates at various levels within The determination of the Risk Appetite is reviewed Football NSW. Various tasks have beenallocated, so and approved by the Football NSW Board at least that risks are managed by the appropriate position. annually. 3.1. Role of the Football NSW Board 2.3. Risk Classifications The Board has responsibility for determining the The Football NSW Risk Management Policy has been strategic direction of the organisation andfor developed taking into account the creating the environment and the structures for risk Australian Standards, Industry good practice, policies management to operate effectively. and procedures. The Board should, as a minimum, consider, in Operational risks are acceptable within the business evaluating its system of internal control: as long as they are known, registered, • The nature and extent of downside risks managed and monitored. acceptable for the company to bear 2.4. Mandate for the Risk Management Functions • The likelihood of such risks becoming a reality The Risk Management function exists to support the • How unacceptable risks should be managed achievement of business objectives in • The company’s ability to minimise the line with the Board approved strategic plan. The probability and impact on the business mandate of the policy is to: • The costs and benefits of the risk and control • Support management with raising of risk activity undertaken awareness and insight. • The effectiveness of the risk management • Increase transparency. process • Improve early warning information. • The risk implications of board decisions • Follow-up on identified control weaknesses. 3.2. Role of the Chief Executive Officer • Allocate risk ownership and responsibilities. The Chief Executive Officer has overall responsibility • Support management to implement the for ensuring implementation and compliance approved Risk Management Policy. with the Risk Management Policy. The CEO has responsibility for reporting to the Board on any Risk management reflects a commitment that is significant risk issues. Significant risk is deemed practised by the CEO, the Board, Executive managers to be: and staff. • An item for which the overall risk assessment 3. Roles and Responsibilities as per Table 3 of this policy, escalates to “significant” or greater; or An organisation’s risk management policy should set out responsibilities for risk management throughout • If a risk event occurs and its consequence as the organisation. To work effectively, the risk per Table 2 is category 3 (moderate)0 management process requires: or greater • Commitment from the chief executive and Any actual or potential legal or criminal proceedings executive management of the organisation are to be reported to the Board. • Assignment of responsibilities within the In the event of any uncertainty regarding the organisation appropriate classification of a risk or event, the event should be classified as falling within the higher risk • Allocation of appropriate resources for or event category.
Football NSW Risk Management Policy Page 3 Updated 19 September 2013 The CEO’s responsibility includes: • Co-ordinating the various functional activities which advise on risk management issues • Conducting an annual review of this Policy within the organisation to maintain its currency with legislative and organisational requirements • Developing risk response processes, including contingency and business continuity • Developing and maintaining a communication programmes strategy and training plan to enable ongoing awareness of this Policy • Preparing reports on risk for the board and the stakeholders • Monitoring of the processes, procedures and controls which facilitate compliance with 3.5. Role of the Audit and Risk Committee this Policy The role of the Audit and Risk Committee is to 3.3. Role of the Business Units/Executive undertake the following: Managers • Oversee the program with a focus on the Business Unit Managers or Executive Managers play significant risks, as identified by management a critical role in the risk management program. This • Provide advice and feedback to the Board on includes the following: the management of risk • The business units have primary responsibility • Provide active support and involvement in the for managing risk on a day-to-day basis risk management process • Business unit management is responsible • Co-ordinate risk reporting to the board, audit for promoting risk awareness within their committee, etc operations; they should introduce risk management objectives into their business 3.6. Role of External Audit • Risk management should be a regular External Auditors provide regular and independent management-meeting item to allow assurance on the effectiveness of the internal consideration of exposures and to reprioritise control environment and provide management work in the light of effective risk analysis with insight regarding the overall effectiveness of their risk management processes and risk profiles. • Business unit management should ensure The audit function plays a vital role within the Risk that risk management is incorporated at Management Framework as independent assessors the conceptual stage of projects as well as of its effectiveness. throughout a project Audit reports are provided to the Audit and Risk 3.4. Role of the Risk Management Function Committee (ARC) and the Board. The risk champion for Football NSW is the In House 3.7. Role of Football NSW Staff Legal Counsel, in collaboration with the Head of Finance. The role of the Risk Management function It is the responsibility of all staff to understand, includes the following: identify and effectively manage risk within Football NSW. Identified risks or improvements to controls • Testing controls need to be brought to the attention of the Executive • Primary champion of risk management at Management. both the strategic and operational level It is the responsibility of Executive Management to • Building a risk aware culture within the make staff aware of, and to comply with the Risk organisation including appropriate education Management Policy and supporting framework. Non-compliance with obligations under the Risk • Establishing internal risk policy and structures Management Policy by an employee will be treated for business units as serious misconduct. • Designing and reviewing processes for risk management
Football NSW Risk Management Policy Page 4 Updated 19 September 2013 All staff are responsible to ensure that the Football • Understand how they can enable continuous NSW risk management policy is adhered to at improvement of risk management response all times. • Understand that risk management and risk awareness are a key part of the organisation’s 4. Internal Reporting and Communication culture The communication of risks and reporting of risks • Report systematically and promptly to senior forms an integral part of the risk management management any potential new risks or framework. Different levels within an organisation failures of existing control measures need different information from the risk management process. 5. Risk Management Framework 4.1. The Board of Directors need to: Risk management takes place in the context of • Know about the most significant risks facing the wider goals, objectives and strategies of the the organisation organisation and drills down to basic processes and procedures. The objective of the Framework is to • Know the possible effects on stakeholder facilitate the identification, assessment, mitigation value of deviations to expected performance and monitoring of risks across the organisation, ranges ensuring enterprise wide risk management is • Ensure appropriate levels of awareness achieved. throughout the organisation The management of risk is an integral part • Know how the organisation will manage a of Football NSW’s management process. Risk crisis management is a multifaceted process, the aspects • Know how to manage communications with of which are often best carried out by a multi- the community where applicable disciplinary team utilising the various skills available across the organisation. • Be assured that the risk management process is working effectively 5.1. Risk Analysis & Evaluation • Publish a clear risk management policy Analysis of risks will be based on a combination of covering risk management philosophy and the impact on the organisation (consequences) and responsibilities the likelihood of those consequences occurring. This will be considered in context with the activity, 4.2. Business Units need to: the organisation, and any existing controls or other • Be aware of risks which fall into their area of factors that may modify the consequences or responsibility, the possible impacts these may likelihood. have on other areas and the consequences 5.2. Consequence Ratings other areas may have on them A risk consequence is defined as the outcome • Have performance indicators which allow or impact of an event expressed qualitatively or them to monitor the key business and quantitatively. Table 1 on page 6 provides broad financial activities, progress towards descriptions used to support risk consequence objectives and identify developments which ratings: require intervention (e.g. forecasts and budgets) • Report systematically and promptly to senior management any potential new risks or failures of existing control measures 4.3. Individuals need to: • Understand their accountability for individual risks
Football NSW Risk Management Policy Page 5 Updated 19 September 2013 TABLE 1: Consequence 1 2 3 4 5 Financial $0 $10,000 $20,000 $100,000 $500,000 $9,999 $19,999 $99,999 $499,999 + Insignificant Minor Moderate Major Catastrophic Regulatory Little or no impact Routine regulatory Targeted regulator Sustained Suspension or loss finding scrutiny or regulator scrutiny of license investigation and/or significant fines and/or formal undertaking
Reputation Unsubstantiated, Substantiated, low Substantiated, Substantiated, Substantiated, public low impact, low impact, low news public public embarrassment, profile or no news profile embarrassment, embarrassment, very high multiple litem moderate impact, high impact, high impacts, high Item of profile to moderate news news profile, third widespread multiple FNSW stakeholders profile party actions news profile, third party actions
5.3. Likelihood Ratings 5.4. Mitigating Practices and Controls Table 2 below provides broad descriptions used to Mitigating practices and controls include the existing support risk likelihood ratings: policies, procedures, practices and processes which aim to provide reasonable assurance over TABLE 2: the management of FNSW’s activities. Following Likelihood Description Rating evaluation, these practices and controls may reduce the likelihood or consequence of a risk. Where More than once The event is 5 mitigating practices and controls exist, but are not per month expected to occur in being followed or monitored, adequate control does most circumstances not exist. Once a quarter The event will 4 5.5. Level of Risk probably occur in some circumstances The level of risk that remains after consideration of all existing mitigating practices and controls is Once a year The event will is 3 the agreed risk rating and determines the level of likely to occur at management action and treatment required. The some time diagram below indicates how the combination of risk likelihood and risk consequence ratings are Once every 5 The event could 2 used to establish the level of risk and subsequent years occur at some time management actions and treatment required. Once every 10 The event may 1 years occur in exceptional circumstances
Football NSW Risk Management Policy Page 6 Updated 19 September 2013 FOOTBALL NSW RISK MANAGEMENT POLICY Version: 19 Sep 2013
Table 3 – Risk Assessment Matrix
A – Unacceptable TABLE 3: Risk Assessment Matrix
B - Very High A – Unacceptable C – High
D – SignificantB - Very High
E – ModerateC – High
F - Low D – Significant
E – Moderate
F - Low Consequence Likelihood
TABLE 3: Management Action and Treatment
5.6. Effective Management of Risks change, as may the factors that affect the suitability or cost of the various treatment options. Review is an DocumentEffective utilises risk risktreatment analysis tools involves outlined identifying in the Standards the Australia ‘Guidelines for Managing Risk in Sport ‘(HB 246-2010) integral part of the risk management plan. range of options for effectively managing the risk, evaluating those options, preparing the risk Periodic review of the FNSW Risk Register is to be treatment plans and implementing those plans managed by senior management in consultation with in accordance5.6. Effective with the Management Risk Register. Itof is Risks about the Audit and Risk Committee. considering the options for effective management The Risk Register will be presented at each Audit and and selecting the most appropriate method to Effective risk treatment involves identifying the rangeRisk of Committee options for meeting effectively for consideration. managing Thethe Risk achieve the desired outcome. FNSW will report on risk, evaluating those options, preparing the risk treatmentRegister will plans be presented and implementing to the Board periodically, those risk management to the ARC periodically through as a minimum in conjunction with the Audit and planspresentation in accordance of the updated with Risk the Register Risk Register at . It is about considering the options for effective Risk Committee updates provided to the Board managementscheduled meetings. and selecting the most appropriate method to achieve the desired outcome. FNSW will report on risk management to the ARCwhenever periodically there through is an update presentation to the Board of following the updated5.7. Monitoring Risk Register and Review at scheduled meetings. an ARC meeting. Few risks remain static. Factors that may affect the likelihood and consequences of an outcome may
Football NSW Risk Management Policy Page 7 Updated 19 September 2013
11 | Page