This guide is designed to meet the following objectives:
Risk Appetite and Risk Tolerance
Risk appetite is the amount of risk that BNJCA is willing to accept to achieve its objectives. It also describes our attitude towards risk taking.
The BNJCA risk appetite involves effectively managing uncertainty rather than avoiding or eliminating risk completely. Risk appetite also considers opportunities that involve the acceptance of risk. BNJCA is prepared to retain or accept risk that has been thoroughly considered and is managed appropriately. This is done in an open and transparent manner to protect the players and volunteers of BNJCA and also to seize opportunities for the benefit of BNJCA.
We recognise that it is not possible or necessarily desirable to eliminate some of the risks inherent in our other activities. This is particularly important in regard to the nature of the game that we administer. To realise our vision of delivering successful development, we need to achieve innovation within our practices, and in doing so we recognise that the acceptance of some risk is necessary to enable innovation and achieve benefits.
Risk tolerance is the level of short-term risk taking that is acceptable in order to achieve a specific objective or manage a category of risk.
BNJCA’s risk tolerance levels are determined based on a matrix system that defines the levels of tolerance in qualitative terms that can be monitored and used to effectively evaluate if the risk outcome is acceptable or unacceptable. It provides for a range of deviation from appetite with the requirement for the risk to be managed to appetite within a given timeframe.
Our goals for the ongoing management of risk
To achieve our objectives BNJCA will:
Assessing the Consequence
For each risk assessment, the consequence to be recorded is the realistic worst-case scenario. The scenario must be considered to happen at the time when it could have the greatest impact on the association or an individual. Extreme scenarios that depend on a number of other continuous or simultaneous events happening should be ignored. The consequence definitions and various classes of consequence are defined in the following table.
Assessing the Likelihood
Likelihood is a measure of the probability of a risk or benefit being realised.
Factors considered when assessing Likelihood include:
The likelihood definitions used for risk assessments are outlined in the following table.
Rating the Risk
The following table is the rating calculation matrix. This uses the definitions of Consequence and Likelihood given above to derive the rating for both risks and benefits.
<Risk and Benefit Matrix>
The following guidance can be used to determine the magnitude of the risk and the typical action required.
Extreme: Immediate action and enhanced countermeasures required
High: Management attention needed, enhanced countermeasures recommended
Medium: Manage by routine procedures and good practice
Low: No requirement for specific considerations
Treating the Risk
When considering the appropriate countermeasures for treatment of the identified vulnerabilities, there are several strategies that can be adopted. In some cases the overall strategy will be a combination of strategies:
The selection of the countermeasures must also consider:
Effectiveness of Controls
The effectiveness of each control should be assessed and recorded in the risk register. The measures of effectiveness and their descriptions are provided below.
The sections above provide all the information that is required to record and manage risks. A risk register is maintained that includes the following information:
The date that the risk is first assessed or recorded in this register.
The full description of the risk including what is at risk, the loss or benefit and the reason this outcome may occur.
e.g. Reputation may be damaged because bullying is ignored.
The likelihood of the risk being realised.
The consequence should the risk be realised.
Inherent Risk Rating
The rating of the risk prior to any controls being applied.
The form of risk treatment that has been selected: Treat, Tolerate, Transfer or Terminate.
The date the control is applied.
A description of the control being applied to mitigate the risk. There may be more than one control required to mitigate the risk.
A measure of the effectiveness of the control in mitigating the risk.
The likelihood of the risk being realised with the control in place.
The consequence should the risk be realised while the control is in place.
Residual Risk Rating
The rating of the risk with controls in place.