0.3 Develop a risk management plan

A risk management plan provides a systematic approach to identifying, assessing, evaluating and treating risks that are associated with your contract. You will have assessed these risks in the first step at section 0.1 (page 19).

A risk management plan specifies the approach, the activities and resources to be applied to managing the risks and will typically include:

•  a summary description of the risks

•  an assessment of the controls that are already in place to manage each risk

•  an assessment of the likelihood of each risk occurring and the consequence if the risk occurs

•  an evaluation of the overall level of risk, which can then be compared with entity guidelines to determine whether the risk is acceptable, and whether the risk needs further treatment

•  a description of any risk treatments that will be applied, including a sequence of activities

•  process for reporting and escalation

•  assignment of responsibilities

•  timeframes for activities and reviews.

While transactional and routine contracts may not require a formal written risk management plan, you should still consider and document any risks.

Complete risk management plans in accordance with your entity's risk management framework, using any entity-specific templates.

Key steps in this activity include:

a. Identify risks (see step 0.1 Assess risk, page 19).

b. Analyse risks (likelihood and consequence) to determine the severity of each risk (extreme, high, medium, low).

c. Evaluate risks, including:

•  identification of current controls and their effectiveness

•  if any additional controls or treatments are required

•  assess the tolerability of each risk to determine which risks need treatment and the relative

d. Plan and document risk controls, treatments and mitigation strategies, and assign responsibilities.

e. Document the timeframe or circumstances when you will need to do a risk review (eg bi-annually or before issuing any contract variation) and any process for reporting and escalation.