
Risk management

Understand risk management and the risk management process.

Risk management needs to be documented as part of all formal decision-making processes, planning, change management, project management, and business continuity management processes. On this page you will find resources to promote awareness of responsibilities in proactively identifying, reporting and managing risks and opportunities.

(QHEPS) links can only be accessed from a QH-networked computer.

Online courses

Risk Management Essentials

This training will give you an introductory-level understanding of the risk management processes of Metro North Health. This course is designed for health staff working in clinical and non-clinical areas. It is a basic course to help you identify and report risks.

Audience: Metro North Health

Risk Management Essentials for Managers

This training provides a comprehensive understanding of risk management processes at Metro North Hospital and Health Services. It is designed for health managers working in clinical and non-clinical areas.

Risk Management Essentials for Executives

This training will give you an introductory level understanding of the risk management processes of Metro North Health. This course is designed for executives.

Facilitated virtual courses

(eHealth-C) Risk Management Training

This facilitated virtual course covers general risk theory and practical application of key risk management processes and is designed for Department of Health (DoH) staff. It covers the general navigation of the DoH risk management system (RiskMan) and the eHealth Queensland Risk Dashboard, which reports on key risk indicators.

Audience: Queensland Health

Guides and other tools

Risk and Compliance (QHEPS)

This website outlines Metro North Health's risk management policies, procedures and resources.

Riskman Guide to Entering and Reviewing Risks (QHEPS)

Metro North Health's checklist guide for entering risks into the Riskman application.

Queensland Health Corporate Services Division toolkits (QHEPS)

This page is a series of quick guides for the Department of Health that provide you with practical advice on implementing the requirements of the Risk Policy and Enterprise Risk Management Implementation standard.


Last updated: 11 Aug 2023

Publication type: Collection

Audience: Metro North Health, Queensland Health


A Guide to Risk Management

A Guide to Risk Management has been prepared as an information reference and contains the minimum principles and procedures of a basic risk management process.

The guide is not mandatory; however, application of the guide will encourage better practice.

The guide supports the requirements of the Financial Accountability Act 2009 and the Financial and Performance Management Standard 2019 and is consistent with the principles set out in AS/NZS ISO 31000:2018 Risk management – Principles and Guidelines.



Economics and Risk Management - 2024 entry

This module introduces the fundamentals of project management and mining economics, including project evaluation and economic decision-making techniques.

Principles of project management are introduced, giving you the ability to use standard management tools and the context in which they are applied. The focus is on the management of large, multi-disciplined construction projects, examining the various components and inputs to successful project development.

The mineral economics section of the module examines supply and demand drivers in the metal, bulk commodity and energy mineral sectors and illustrates key cost inputs and productivity issues. The financial appraisal of mines and the economic and risk analysis of project alternatives are considered, together with an overview of broader mining business risks.

This module aims to allow you to master skills and attain thorough knowledge and understanding of project management techniques including appropriate systems-based tools. Furthermore, you will get the chance to develop your understanding of the way people work as a route to effective management. In addition, the module emphasises the value of experience, whilst ensuring you understand the concepts that underlie successful project management.

This module aims to provide you with a broad understanding of both the macro-economic and the industry-specific economic and business risk environments in which mines and projects operate and are evaluated. It introduces you to financial analysis and explores how technical and operational parameters influence the revenue stream and cost structure at mines.

Finally, we will examine the application of economic analysis techniques within spreadsheet software with specific reference to case studies and scenarios considering engineering alternatives.

On successful completion of this module you should be familiar with these Knowledge and Skills as specified in the Mine Management Apprenticeship Standard (ST1309):

K12: The influence and requirements of legislation on the principles of risk management and the methods that are used to deal with major and occupational hazards, operational, safety, health, financial and environmental risks.

K16: The different stages of projects including the principles of planning, scheduling, and sequencing to ensure effective life of mine plans. The ways of managing, influencing, and controlling outcomes through the application of project management techniques.

K21: Financial and economic strategies, including budgets, financial management and accounting. The influence of commodity prices, feasibility studies, financial reports incorporating cash flow, capital, profit and loss.

K22: Approaches to costing and procurement, contracting, sales, marketing, and the route to market including consideration of any legal requirements.

K23: Communication techniques, including written, verbal, non-verbal and digital and different types of interpersonal skills including questioning and listening.

K25: Approaches to stakeholder, customer, and supplier management.

K26: Time management, how to set SMART targets, prioritise activities and undertake forward planning in a business environment.

K27: Data analysis techniques used to examine complex and interactive issues, to assist in developing appropriate solutions and to support the decision-making process.

S6: Use project management and planning techniques. Allocate resource requirements. Monitor progress towards project goals and identify corrective action.

S11: Manage and adapt budgets and control expenditure. Review and produce financial reports that provide analysis and draw conclusions on financial risk and evaluation of short and long term mine strategies.

S18: Plan and manage own time.

S19: Use evidence-based tools, qualitative and quantitative analysis techniques to demonstrate an ethical approach to problem solving and making decisions that improve the safety, operational and environmental performance of the underground operation.

On successful completion of this module you should be able to:

Module Specific Skills and Knowledge

Discipline Specific Skills and Knowledge

Personal and Key Transferable / Employment Skills and Knowledge

The syllabus is taught initially in two strands, project management and mineral economics, before bringing these topics together to discuss financial analysis and risk management.

Project Management

  • Project definition, scope of work and budget, planning and control activity;
  • Project evaluation, decision-making, project monitoring and reporting, project risk;
  • Technical risk, contractual/commercial risk;
  • Project activity, cost control, progress reporting, quality control and logistics;
  • Contract management;
  • Project finance and feasibility assessment.

Mineral Economics

Industry fundamentals and macro-economic environment. The effects of supply and demand in mineral markets and key price drivers that affect mineral commodity prices. Development of price forecasts and metal market studies. Introduction to capital expenditure, operating costs and unit/cash cost curves. Role of cash flow modelling and financial analysis evaluation of mining projects and operations. Coverage of the main components of such analysis and of risk/sensitivity analysis. Main technical and engineering factors to be considered in project evaluation and the most common sources of business risk in the mining industry.

All passed components of the module will be rolled forward and will not be reassessed in the event of module failure.

Basic reading:

  • Lock, Dennis. Project Management, 9th Edition. Gower Publishing Limited.
  • Barker, R. Short Introduction to Accounting (Euro Edition). Cambridge University Press.
  • Rudenno, V. Mining Valuation Handbook - Mining and Energy Valuation for Investors and Management, 3rd Edition. John Wiley & Sons.


Please note that all modules are subject to change. Please get in touch if you have any questions about this module.


11 Third-Party Risk Management Best Practices in 2024

Nicholas Sollitto


The simultaneous proliferation of outsourcing and increased interconnectedness of modern businesses has caused the third-party risk management (TPRM) landscape to evolve significantly over the last few years. Establishing a robust TPRM program is no longer just about managing risk across your organization’s third-party ecosystem or gaining an edge over your competitors. Third-party risk management is now a required component of many compliance regulations and the foundation of maintaining trust with stakeholders and customers. 

Whether you’re looking to comply with industry regulations such as the EU’s General Data Protection Regulation (GDPR) or the Health Insurance Portability & Accountability Act (HIPAA) or strengthen your organization’s overall cyber resilience against third-party security risks, calibrating your TPRM program is essential to your organization’s success. This article outlines 11 best practices your organization can follow to ensure its TPRM program is fit to tackle the security, compliance, and reputational risks of 2024.


1. Align board with third-party risk management plans

Third-party risk management requires a comprehensive approach, starting with an organization’s C-suite and board of directors. Since the security risks presented by third-party partnerships can impact all parts of an organization, an organization’s executive team must understand the importance of third-party risk management and how particular strategies help prevent third-party data breaches and mitigate other potential risks.

If your organization employs a chief risk officer (CRO), educating the executive team on TPRM should be their responsibility. However, if your organization does not employ a CRO, this task will likely fall to the chief information security officer (CISO). Your organization’s CISO should walk the executive team through the TPRM process, highlighting the need for robust risk intelligence and how third-party security risks can lead to poor business continuity, regulatory fines, and reputational damage.  

2. Ensure your third-party inventory is accurate

An organization needs visibility over all third-party vendors and partnerships to identify and manage all third-party risks effectively. After all, third parties may have different security controls or standards than the primary organization. While these sentiments may seem obvious, developing and maintaining an accurate third-party inventory can be challenging, even for large organizations with expansive security budgets. 

Ensuring your organization’s third-party inventory is accurate involves two main steps: reviewing contractual agreements and financial statements to identify partnerships that have not been added to your inventory, and deploying third-party risk management software, like UpGuard Vendor Risk, to track changes in a third party’s security posture throughout its lifecycle.

Figure: the composition of UpGuard's security ratings.

UpGuard Vendor Risk uses quantitative security ratings to assess a third party’s security posture, providing an aggregate view of vendor performance and the critical risks shared across your vendor portfolio. 

3. Create effective, efficient risk assessment processes

Third-party risk assessments are an essential TPRM process, and the best risk assessment workflows will involve three stages: due diligence, conducting periodic cybersecurity risk assessments, and refining risk assessment strategy.

Here are the steps your organization should follow to establish an effective, efficient risk assessment process: 

  • Establish a due diligence workflow to evaluate the security risks of prospective third-party vendors before onboarding or forming a partnership.
  • Choose a criticality rating system to distinguish between third parties and prioritize risk assessments for high-risk vendors. 
  • Set up a third-party risk assessment management system to track risk assessment progress and catalog security questionnaires.
  • Choose a risk management framework to support efficient remediation efforts and waive detected risks that do not apply to your objectives or concerns.
  • Develop a robust risk assessment review process to design risk management strategies for specific vendors and provide visibility to stakeholders.

Figure: UpGuard's vendor risk matrix.

UpGuard Vendor Risk provides security teams with a complete risk assessment toolkit, including comprehensive security ratings, in-depth risk assessments, a library of editable questionnaire templates, and vendor tiering and criticality functions. 

Related reading: Implementing A Vendor Risk Assessment Process in 2024

4. Combine point-in-time assessments with continuous attack surface monitoring

While risk assessments and continuous monitoring are great tools organizations utilize to appraise the health of their third-party attack surface, security teams must coordinate these mechanisms to provide comprehensive attack surface awareness. Security ratings and vulnerability monitoring tools can provide visibility between scheduled assessments. In contrast, point-in-time risk assessments offer in-depth insights, exposing additional security flaws and providing more context to known risks and vulnerabilities.

Figure: gaps in the risk assessment process.

UpGuard has helped many organizations, including Built Technologies, improve their attack surface visibility by streamlining risk assessment processes and introducing continuous monitoring strategies.

Built Technologies conducts holistic reviews of all current and prospective vendors using UpGuard. In addition to the risks surfaced by UpGuard’s scans, the Built team also uses the platform to add their own insights, supplementing vendor ratings with additional evidence and personal notes and documents provided by vendors. The Built team also schedules and calibrates third-party risk assessments based on UpGuard’s Vendor Tiering feature. 

UpGuard’s security ratings, continuous scans, and risk assessments help Built Technologies comprehensively appraise its third-party attack surface. 

“Our vendor security risk assessments are now a well-oiled machine from where we started using UpGuard.” - Adam Vanscoy, Senior Security Analyst at Built Technologies

5. Ensure organization-wide adoption of your TPRM strategy

An organization’s TPRM program can only be truly effective when all departments and employees adopt prevention strategies and abide by best practices. When all employees buy into an organization’s TPRM strategies and practice preventative measures, the organization can quickly nullify phishing attempts and other cyber attacks.

Here’s how various departments in your organization can adopt TPRM strategies to improve your TPRM program’s overall effectiveness: 

  • Information technology: Collaborate with internal employees and external third parties to establish security protocols, protect sensitive data, and prevent unauthorized access.
  • Compliance and legal: Include clauses in third-party contracts that address compliance, liability, and risk mitigation and ensure all vendors are offboarded safely after contract expiration.  
  • Procurement: Ensure vendor selection criteria are based on rigorous assessments, compliance checks, and alignment with business needs.  
  • Operations: Identify and mitigate supply chain risks and ensure continuity during a third-party disruption.
  • Finance: Incorporate TPRM costs into budgeting and forecasting to accurately assess a third-party vendor's net financial impact on the business. 

By breaking down TPRM responsibilities and obligations by departmental functions, your organization will have an easier time ensuring each area of the business is efficiently calibrated and preventing visibility gaps from arising. 

6. Adopt a continuous improvement mindset

Modern third-party risk management takes a proactive approach to risk identification and mitigation rather than relying on reactive remediation procedures after a security incident. To pursue proactive TPRM, security teams need to stay up-to-date on best practices and evolving threats. The best methods for staying updated include continuous education and TPRM training programs, industry-specific networks, and communication channels with regulatory agencies. 

Your organization should establish an information-sharing system to foster a culture of consistent feedback and process improvement and ensure that all departments and employees are informed about TPRM trends and risks. In this system, the security team evaluates the information and then shares it with department heads and executive leadership. These leaders should then disseminate the information throughout their teams and departments. When introducing new TPRM processes or preventative measures, your security team should provide periodic adoption updates and progress reports. 

7. Define TPRM performance metrics

Tracking key performance indicators (KPIs) is essential for assessing and enhancing your organization's third-party risk management program. By monitoring specific metrics consistently, your risk management team can gauge your TPRM program's overall health and identify areas for improvement.

Calibrating your program with KPIs to measure four specific areas—third-party risk, threat intelligence, compliance management, and overall TPRM coverage—provides a comprehensive approach to evaluating all phases of effective TPRM. Here’s an example of a few KPIs that organizations can track to assess each area: 

  • KPIs to measure third-party risk: Percentage of vendors categorized by tier, average security rating, percent of third parties who fail initial assessment
  • KPIs to measure threat intelligence: Mean time to action after risk trigger, number of incidents reported, number of false positives reported
  • KPIs to measure compliance management: Number of third parties under regulatory scope (by regulation), number of outstanding regulatory requirements
  • KPIs to measure overall TPRM coverage: Mean time to onboard, percent of third parties not monitored 

By aligning KPIs with these four specific areas of TPRM, your organization can gain valuable insights into the effectiveness of its risk management efforts, identify areas for improvement, and ensure comprehensive coverage of third-party risks across its supply chain.

Related Reading: 15 KPIs & Metrics to Measure the Success of Your TPRM Program

8. Monitor fourth-party service providers

Since modern business is synonymous with interconnected organizations and services, the risk of data breaches and severe cyber attacks extends to an organization’s fourth-party attack surface. Fourth-party risk management (FPRM) is just as vital as TPRM because a compromised fourth-party vendor could also result in a data breach. 

To understand how a fourth party could expose your organization, imagine this scenario. Your company partners with an online transaction processor. This processor then shares customer payment information with a third-party credit card processor (your fourth party). If cybercriminals infiltrate this credit card processor, your customers’ data could be compromised, resulting in financial and reputational consequences for your organization.

Figure: how fourth parties are related to the parent organization.

Built Technologies and other UpGuard customers use Vendor Risk’s built-in fourth-party analysis feature to drill down into their fourth-party attack surface. This feature allows UpGuard users to learn which solutions and services each third-party vendor uses and further contextualize their third-party risk assessment process.

“We now have a lot more visibility to what we couldn't see before, including fourth-party vendors, which is excellent for our overall security posture.”  - Adam Vanscoy, Senior Security Analyst at Built Technologies

9. Form a dedicated TPRM committee

A TPRM committee is crucial to developing a culture of security awareness and effectively identifying, assessing, and mitigating risks associated with third-party relationships. By convening experts from various departments, such as risk management, procurement, legal, and compliance, the committee ensures a comprehensive approach to third-party risk oversight and holistically safeguards the organization from third-party security risks.

Key roles on a TPRM committee may include:

  • Executive sponsor or chairperson: Provides leadership and direction to the committee, ensuring alignment with organizational objectives.
  • Chief risk officer or chief compliance officer: Offers expertise in risk management and compliance and guides the development of policies and procedures.
  • Chief information security officer (CISO): Focuses on cybersecurity risks, evaluating vendor security controls, and safeguarding sensitive data.
  • Chief procurement officer: Manages vendor relationships, oversees procurement processes, and ensures vendor performance meets organizational standards.

Your organization’s TPRM committee should provide governance, oversight, and strategic direction to effectively manage third-party risks and integrate them into your overall risk management framework.

10. Establish a streamlined TPRM performance communication pathway with stakeholders

While an organization’s TPRM committee will likely create a communication pathway between its risk management team and the board, the organization’s CISO should help disseminate information upwards to the board and down throughout departmental stakeholders and employees. 

To establish a straightforward TPRM communication process in your organization, your board must understand your third-party risk landscape, including all categories of inherent risks your organization’s third-party partnerships present. Security ratings are an excellent metric for simplifying security posture and risk exposure. Consider providing cybersecurity reports and graphical representations of your security posture (such as your security rating over time) to your board to help members quickly identify and understand TPRM concepts and procedures. 


A comprehensive cybersecurity solution like UpGuard is a great way to remove the manual work of drafting third-party risk management reports. Risk management teams can instantly generate cybersecurity reports through the UpGuard platform, pulling risk insights about specific vendors and holistic third-party risk data that reveal the overall status of your organization’s TPRM program and health. 

“The management report from the UpGuard platform was very useful during my quarterly reporting to the executive team. They see it as a good external validation of how our organization is going and how we rank against our competitors.” - Martin Heiland, CISO at Open-Xchange

Another benefit of UpGuard’s reporting features is the ability to quickly customize the design and style of cybersecurity reports to meet the unique needs of your stakeholders. Once generated, your reports can be easily exported to Microsoft PowerPoint, significantly reducing preparation time. 

Figure: an UpGuard report exported to PowerPoint.

11. Implement scalable TPRM workflows 

Automating processes and workflows is vital when scaling your TPRM program to align with business growth. It’s commonplace for security teams to become overwhelmed and inundated with manual third-party risk management tasks and initiatives, but this manual work is no longer necessary. 

The UpGuard platform includes automation tools to streamline several essential TPRM processes, including risk monitoring and identification, evidence gathering, security questionnaires, risk assessments, reporting, and more. UpGuard designed these automation tools to eliminate the hassle of manual work and make robust TPRM attainable for security teams of all sizes. Here’s how UpGuard’s automation tools help security teams with specific tasks: 

  • Risk identification: UpGuard’s automated cyber risk scanning and mapping features automatically detect security risks and vulnerabilities in real-time across a user’s third- and fourth-party ecosystem.
  • Evidence gathering: In addition to UpGuard’s automatic attack surface scanning feature, the platform also automatically assigns public trust and security pages to vendors, collects known certifications, and searches for completed questionnaires.
  • Security questionnaires: The UpGuard platform helps security teams scale their security questionnaire process by 10x through its industry-leading questionnaire library and flexible questionnaire templates. 
  • Risk assessments: UpGuard’s automated risk assessments help security teams eliminate their use of lengthy, error-prone, spreadsheet-based manual risk assessments and reduce the time it takes to assess a new or existing vendor by more than half.

“UpGuard has saved us significant time with its automation process. I would say it saves us a few personnel days per month. For example, initial research that would have taken me 1-2 hours, I can get that answer in 5-10 minutes.” - Juris Smits, IT Security Manager at Rimi Baltic

Automate your TPRM program with UpGuard Vendor Risk

UpGuard Vendor Risk is an industry-leading third-party and supplier risk management solution ranked #1 by G2 for seven consecutive quarters. The UpGuard platform monitors over 10 million companies daily and has helped 1,000s of customers streamline and improve the efficiency of their TPRM programs. 

  • “In terms of pure security improvement across our company, we now complete hundreds of maintenance tickets, which is a massive advancement we couldn’t have achieved without UpGuard. We previously wouldn’t have detected at least 10% of those tickets, so UpGuard has enabled us to work faster by detecting issues quickly and providing detailed information to remediate these issues.” - iDeals
  • “One of the platform's best features is bringing all our vendors into one risk profile and managing it from there. We can also set reassessment dates, which means we don’t have to manage individual calendar reminders for each vendor.” - Wesley Queensland Mission
  • “The questionnaire side is very powerful and crucial to our processes. It has saved me a lot of time. I can’t imagine manually sending out a spreadsheet questionnaire and then trying to put together a remediation plan.” - ALI Group

Join iDeals, the Wesley Queensland Mission, the ALI Group, and 1,000s of other customers and harness the power of UpGuard Vendor Risk’s automated TPRM solutions today.

Reviewed by

Kaushik Sen


COMMENTS

  1. Health and safety risk management

    Health and safety risk management is a process where we do what we can to minimise the risks associated with health and safety hazards at our workplace. The aim is to ensure that no one is injured or hurt by a hazard at work. Risk management is a systematic process that involves the following four steps: identify the hazards. assess the risk.

  2. Risk assessment—behaviour, safety and wellbeing

    The Risk assessment—behaviour, safety and wellbeing (PDF, 1MB) is designed to assist principals and school staff to determine the: likelihood the behaviour will adversely affect the good order and management of the school. This process involves determining the level of risk associated with the student's behaviour and the potential impact or ...

  3. Curriculum Activity Risk Assessment (CARA) process

    The managing risks in school curriculum activities procedure (or CARA procedure) is implemented in Queensland state schools as part of schools' overall risk management framework. This procedure supports safe delivery of the curriculum from Prep to Year 12 by outlining the responsibilities of departmental employees and providing the minimum ...

  4. Managing risks in school curriculum activities procedure

    Embed risk assessment and management as part of the three levels of curriculum planning. Prepare risk assessment records for curriculum activities in accordance with the established, school-wide CARA process. Establish, and provide induction on, emergency and safety details specific to the activity and the location.

  5. PDF Managing health and safety risks

    The risk management process. Health and safety risk management involves a four-step process: identify the hazards, assess the risks, control the risks, and monitor and review the level of safety. By implementing effective risk management, staff will be taking proactive measures to minimise the risk of harm to all involved.

  6. PDF Prevention and de-escalation of risk behaviour fact sheet

    Plan (ISSP) if restrictive practices are employed as part of a planned risk management approach. This fact sheet will discuss the prevention of behavioural escalation, the stages of behavioural escalation, interventions that may work to de-escalate a risk situation, and crisis management with the aim of reducing the situational and behavioural ...

  7. PDF Individual student safety plan fact sheet

    An Individual Student Safety Plan should only be enacted after all other positive and proactive strategies have been tried and have failed to reduce risk and behavioural escalation. This is a plan of last resort to reduce risk to the student and other people, there being no other reasonable action that will reduce the immediate risk.

  8. PDF Child and Youth Risk Management Strategy (CYRMS)

    The Queensland Department of Education, as an organisation regulated by the blue card system, must develop, implement, and maintain a child and youth risk management strategy that ... The department's Enterprise Risk Management Framework is a comprehensive approach to identifying, assessing and treating risk based on the department's risk ...

  9. Managing students' health support needs at school procedure

    Plan supports for students. The principal or their delegate/s will: consult with the parent/carer of the student, the student (as appropriate), and a health professional as required, to assess risk and determine the appropriate health support procedures and risk management strategies

  10. Risk Management

    Risk Management Essentials. This training will give you an introductory level understanding of the risk management processes of Metro North Health. This course is designed for the Health staff working in clinical and non clinical areas. It is a basic course to help you identify and report risks. Audience: Metro North Health.

  11. PDF Anaphylaxis guidelines for Queensland State Schools

    • develop an Anaphylaxis Risk Management Plan. First aid requirements for all schools: All Queensland state schools, including departmental outdoor and environmental education centres, have the responsibility of administering emergency first aid which may include a response to a first time episode of anaphylaxis.

  12. PDF QERMF Risk Assessment Handbook

    Aim of the handbook. Benefits of this risk assessment process. The Queensland Emergency Risk Management Framework's approach to managing risk. Step one: Establishing the context. Step two: Analysing hazards. Step three: Assessing risk. Step four: Risk based planning. Hazards.

  13. PDF A Guide to Risk Management

    Zealand risk management standard AS/NZS ISO 31000:2009 Risk management - Principles and guidelines (ISO 31000). • The Guide has been expanded to address all risks and offers an expansion of the risk management process established by ISO 31000, with specific application to Queensland government entities and to demonstrate how the

  14. School excursions procedure

    for non-curriculum activities, refer to the Enterprise risk management procedure, and where a CARA guideline exists for the activity, use that as the starting point for the risk assessment; refer to students' health information and/or health plans when assessing and managing risks in the activity (e.g. asthma, anaphylaxis). Student involvement:

  15. PDF Health, safety and wellbeing risk management guideline

    QH-GDL-401-3-1:2021. 1. Statement. This document provides guidance to support the requirements of Queensland Health's Health Safety and wellbeing risk management standard (QH-IMP-401-3:2020) in relation to management of work health and safety (WHS) risks and the development of an operational WHS risk register and WHS risk profile. 2.

  16. A Guide to Risk Management

    A Guide to Risk Management has been prepared as an information reference and contains the minimum principles and procedures of a basic risk management process. The guide is not mandatory; however, application of the guide will encourage better practice. The guide supports the requirements of the Financial Accountability Act 2009 and the ...

  17. PDF Navigating the chemical guideline

    Practical assistance to help implement the procedure is provided in the: Chemical management guideline (Part 1 - steps out how to manage chemicals throughout their lifecycle in line with procedural requirements; Part 2 - provides information about chemical hazards and managing their risks); Chemical management online course.

  18. Module Information

    DESCRIPTION - summary of the module content. This module introduces the fundamentals of project management and mining economics, including project evaluation and economic decision-making techniques. Principles of project management are introduced, giving you the ability to use standard management tools and the context in which they are applied.

  19. International school study tours procedure

    manage documentation, risk assessments and approval requirements using OneSchool Excursion Planner - International School Study tour functionality at least 20 calendar weeks prior to the planned departure; submit Excursion Planner, ensuring final approval is sought 10 calendar weeks in advance.

  20. 11 Third-Party Risk Management Best Practices in 2024

    This article outlines 11 best practices your organization can follow to ensure its TPRM program is fit to tackle the security, compliance, and reputational risks of 2024. 1. Align board with third-party risk management plans.