Entities must implement arrangements for identifying, managing and escalating emerging risks.
This information sheet is intended to assist Commonwealth officials at all levels to understand:
- The nature of emerging risks
- The benefits of effectively managing emerging risks
- Different approaches to identifying emerging risks
- Practicals steps for managing emerging risks, and
- Practical steps for escalating and communicating emerging risks.
Emerging risks are newly developing or evolving risks on the horizon that can affect the achievement of an organisation’s strategic objectives. It may be difficult to fully articulate or assess their likelihood or consequence, given they are newly developing and may not yet have a track record to analyse. Identifying, communicating and managing emerging risks is crucial in order for an organisation to achieve its strategic objectives.
After an emerging risk has been identified, it is important that it is effectively escalated and communicated throughout the organisation. In conjunction with this escalation process, appropriate and considered mitigation activities may be planned and implemented that are commensurate with the materiality and proximity of the risk and the entity’s risk appetite and priorities.
Emerging risks can be conditions, situations or trends that may be observed in the wider community or internally. They may be complex in nature and can be rapidly changing or evolving. Due to the inherent level of uncertainty associated with emerging risks, they can be hard to anticipate and even more difficult to measure. They should be supported by indications and reasonable information that justifies the emerging risks as being material and needing further assessment.
What makes a risk an “emerging” risk can be related to a series of factors, including:
- Novelty – it is not a risk previously considered or expected
- Source – change and disruption in the external environment creates new sources of risk not previously considered
- Uncertainty – there is a greater degree of uncertainty associated with them
- Timing – the risk would materialise beyond the immediate strategic risk horizon.
As a result, emerging risks tend to:
An example of an emerging risk could include the following:
- An increase in extreme weather events.
- A potential change in regulations and legislation.
- The emergence of new technologies.
It is important for an entity to pay attention to global trends and Key Risk Indicators (KRI’s). This forward-thinking mindset helps prepare decision-makers for emerging risks that may threaten the achievement of strategic objectives. There are a number of mechanisms that can be used in order to identify emerging risks:
Figure 1: Mechanisms for Identifying Emerging risks
- Horizon Scanning/Risk Sensing: This involves examining all of the information and data available to detect any early indicators of an emerging risk in your entity’s operating environment. This works towards enhancing your situational awareness and supports your understanding of your internal and external operating environments. Some of the methodologies involved in risk sensing include:
- SWOT analysis: This is a methodical examination of Strengths, Weaknesses, Opportunities and Threats. It is a useful approach for identifying any external or internal trends and factors that give rise to risk.
- PESTLEE analysis: This stands for Political, Economic, Social, Technological, Environmental and Ethical. This provides a useful framework to guide thinking in identifying risks that are on the horizon, by providing consistent categories to consider these risks. This analysis should enable entities to understand the events that could occur or are occurring in their external context that can make a difference to an entity’s ability to carry out functions and activities and reach strategic outcomes.
- Risk Sensing Technology: Cognitive risk sensing helps organisations analyse large samples of available data to better anticipate emerging events and gain the intelligence to predict risks. This process allows entities to detect emerging threats and opportunities more effectively, understand the potential impact to them, enhance the quality of its insight and make better informed decisions.
- Utilising strategic documents: This involves identifying your entity’s goals and subsequently the future dependencies or uncertainties that could stand in the way of achieving these objectives. Through reviewing your entity’s corporate plan and identifying drivers of success, you may be able to identify more clearly what must go right if you are to achieve these objectives and consider any potential roadblocks and barriers that may prevent the fulfilment of these objectives.
- Traditional methods: These are more common approaches that involve consultation with both internal and external stakeholders that facilitate a discussion and awareness about any potential emerging risks. Some of these include:
- Risk Workshops: These are an effective way to bring stakeholders together to brainstorm risks that are on the horizon and to challenge the thinking within an entity.
- Risk bow-tie analysis: This is a process that works towards identifying where new or enhanced controls may be worthwhile when dealing with an emerging risk. It is a graphical depiction of pathways from the causes of an event or emerging risk to its consequences in a simple qualitative cause-consequence diagram. This visual approach can be undertaken through a brainstorming session with stakeholders that first of all looks to identify any new or evolving pressures. Attention is then directed towards examining and extrapolating the causes, consequences and controls.
Figure 2: Risk Bow-tie Analysis
Once an entity has identified potential emerging risks, these risks should be prioritised to create greater focus and clarity, and appropriately monitored and managed. An example of a process for managing emerging risks, including responsibilities of the business and risk function, is outlined below:
Figure 3: Process for managing emerging risks
Emerging risks need to be communicated regularly and escalated appropriately in order for them to inform decision-making. The following are a number of channels which may be useful to escalate and communicate emerging risks:
- Risk watchlists: Risk watchlists provide an opportunity to monitor and draw attention to any pertinent emerging risks on the horizon. They provide an opportunity for active assessment and communication in relation to their nature, consequence and likelihood of materialising. Through inspection of these risk and communication of these watchlists, the messaging provided to the executive can be tailored around the severity of the threat and consequence presented by any emerging risks.
- Formal quarterly risk reports: These can provide detailed information on the entity’s top emerging risks and allow for greater visibility over any new or evolving risks that have the potential to affect business operations in the future. Scenarios may also be used to demonstrate the potential consequence should emerging risks occur and drive discussion about the entity’s strategic options. This reporting may also include existing risks which are potentially impacted by emerging or future risks.
- Regular reporting to the Executive Committee: This can include informal and formal upwards communication as part of the regular internal reporting This can work towards embedding emerging risks into the risk conversation in the entity’s existing reporting channels. This can also help inform the executive about the potential challenges the entity may face in the future.
- Risk workshops: A broad, diverse and robust risk dialogue at these workshops with an emphasis on emerging risks can help to overcome blind spots, foster risk awareness and support any kind of Strategic Risk Assessment. It is necessary to broaden the dialogue in these workshops to involve different stakeholders and platforms, such as Chief Risk Officers and Chief Operating Officers.
- Risk committees: Consideration of emerging risks at these meetings helps provide a level of oversight. Focusing on emerging risks at these committees can help the entity turn their attention towards putting in place measures to combat emerging risks that threaten the achievement of business objectives in the future.
These approaches to escalating emerging risks will enable the entity to understand if the future consequence of the risk would be within its risk appetite and tolerances as well as providing a greater understanding of potential threats and opportunities.
This information sheet is intended to assist Commonwealth officials at the Foundation, Generalist, Specialist and Executive levels to understand:
- risk reporting and its role in good management and decision-making
- formalising risk communication requirements in a risk communication plan
- practical steps for developing a risk communication plan.
A positive risk culture is one where staff at every level appropriately manage risk as an intrinsic part of their day-to-day work. Such a culture supports an open discussion about uncertainties and opportunities, encourages staff to express concerns and propose solutions, and maintains processes to elevate matters to appropriate levels.
Risk reporting is a key method of communicating risk across business units and between multiple layers of an entity. Risk reporting generally informs stakeholders of the following:
- Risk events which have occurred and near misses. This can include an analysis of the cause of risk events and near misses and, where appropriate, identify expected versus unexpected risk events or losses.
- The current status of the risk profile. This type of reporting is the most common and includes information about the entity’s risks and how they are being managed. It is important to consider who this information will be reported to (that is, who needs to know).
- The current risk exposure. This is a succinct analysis of how much risk you are exposed to. Reporting risk exposure generally involves Key Risk Indicators (KRIs) across all categories of risk. KRIs are a mix of qualitative and quantitative measures that provide insight into how the underlying risk profile of the entity might be changing before the risk occurs.
- Emerging and future risks. This type of reporting is forward looking and often involves scanning the external environment. Scenarios may also be used to demonstrate the potential consequence should emerging risks occur and drive discussion about the entity’s strategic options. This reporting may also include existing risks which are potentially impacted by emerging or future risks.
These approaches to communicating risk will enable the entity to understand if it is operating within its risk appetite and tolerances as well as providing a greater understanding of potential threats and opportunities.
Risk reporting will be most effective where it is embedded in management level discussions and linked to broader management reporting. However, formal risk reporting regimes are only one form of risk communication and, while they are important, they cannot be relied upon alone. It is also important to continually communicate what you’re doing in relationship to risk management and why you’re doing it.
There are a number of channels to communicate risk in your entity, both formal and informal. Some common channels are outlined below.Risk forums and committees
Risk forums provide oversight of risk through discussion of key issues by a group with appropriate representation. Whilst multiple risk committees can exist, most commonly there is a primary risk and/or audit committee which has oversight of risk, compliance and audit matters. The nature and type of forums and committees will depend on the underlying nature of an entity’s responsibilities and operations.
When considering additional risk forums, consider whether internal communication is required to more effectively manage shared risk. Additionally, where the entity is exposed to specialised risks, consider establishing a separate risk forum or committee to enable a more robust discussion on that particular area of risk. Common specialised risk forums include project and program risk; safety and environmental risk; security risk management; and technology risk.Face-to-face meetings
Where possible, meeting with key officials is the best way to start the risk management process and to communicate key risks. Informal meetings can also give officials the opportunity to ask questions and can make them feel more involved in the risk process.Internal reporting channels
Where sensible, consider embedding the risk conversation into your entity’s existing communication channels. This can be through newsletters, intranet pages, emails or even flyers and posters. This can help to inform officials about the risk management program as well as communicating key risks.
Risk communication and consultation plans are a way of identifying and formalising the approach the entity will take to communicate risk issues both internally and externally. It details the key stakeholders involved and the approach to be taken to communicate risk information, changes and concerns with each party. When developing a risk communication plan, consider the stakeholders involved, communication method, purpose, content, timing and required frequency of communication.
Step 1 - Identify and understand stakeholders
Consider the ‘RACI’ approach – Responsible, Accountable, Consulted and Informed – to identify key stakeholders and what their roles will be throughout the process. Once established, these may be incorporated into the risk management plans of the entity, division and/or specific risk owner, as appropriate. This discipline is particularly useful for shared and complex risk where stakeholders may be distributed and not immediately apparent.
The RACI concept is highlighted below.
Who is it?
The person assigned to deliver/execute a particular activity
The ultimate decision-maker and owner of the activity and its associated outcomes
The party/parties who expertise and/or opinions must be sought and clarified prior to undertaking the activity of making decisions
The party/parties who are required to know that the particular activity or decision has been undertaken.
Program/policy risk management
Step 2 - Determine communication type and method
Once stakeholders have been identified, their expectations and information needs can be determined. Think about what each stakeholder needs to know in order to assist with implementing decisions, and what is the best method to communicate this with them?
The manner in which risk information is exchanged will vary depending on the role of stakeholders in managing risk.
Step 3 - Establish a common language
It is common for large entities to operate multiple risk activities or programs, each tailored for specialist types of risk within different areas of the entity. However, a single overarching risk framework provides the basis for a common risk management approach, language and terminology to encourage consistency in the understanding and communication of risk.
Step 4 - Define the specific purpose of the communication
Stakeholder consultation can be used to raise the awareness and perceptions of risk management. Engagement with stakeholders allows for a greater understanding of the diversity of stakeholder needs as well as perceived gaps in existing communications approach. This will enable communication to be increasingly targeted and increase the value of risk discussions.
Step 5 - Determine the frequency of communication
For each stakeholder and type of communication, an appropriate frequency needs to be determined depending on the nature and impact of the content. This should take into consideration the status of the risk in the context of risk appetite, threat to objectives, the severity of risk and when the risk is expected to occur.
Consider the availability of relevant information when determining the appropriate frequency of communication. Ideally, information communicated will raise awareness and provide sufficient time to drive both proactive and corrective actions.
Step 6 - Assign responsibility for communication
For each stakeholder and communication channel, consider who the most suitable person(s) is for providing the communication in a timely manner, as per the risk communication plan.
An example of the structure of a basic communication plan can be found below.
Communication type and method
When developing a risk communication plan, it is important that subject matter experts are engaged. They may bring expertise in the risk being considered, the stakeholders and environment concerned, or in the discipline of risk management itself. Relevant risk management subject matter experts may include enterprise governance, risk and compliance specialists but also experts within specialised areas of risk for example, technology, security, privacy, safety etc.
Mandatory reporting as part of your entity’s governance arrangements
It is common for regular upward reporting of risk to take place as part of entity processes, including during committees or as part of regular reporting requirements. This reporting helps to ensure senior leadership has sufficient oversight over key issues.
Reporting may be part of (but not limited to):
- an Executive (Sub/)Committee, primarily dealing with risk management
- a steering Committee of a major project or program where risk management is an on going agenda topic
- a business case approvals process where risk is a decision input
- regular Executive meetings where key strategic risks are reviewed as part of BAU
- branch level forums on risks
- daily/weekly/fortnightly stand up meetings where updates on risks are relevant
- any other meeting where risk features as an agenda item.
Ad hoc responses to changes in the risk environment
In addition to regular reporting, changes to the risk environment risks should also be communicated. These events can happen at any time and it is important that officers communicate these risks in a timely manner, even if this is outside the normal reporting timeframe.
Possible events that may change the risk environment include:
- A material control failure – if a control designed to mitigate a risk breaks down, this could leave an entity exposed to uncontrolled risk. This may become evident through upward trends in incidents, key process failures or key deliverables slipping in terms of time or quality.
- A material change in your entity’s operating environment – changes in an entity’s internal or external operating environments may alter its risk profile. Senior Executive should be aware of this to assist with their decision making around managing the risk or the activity (project/program/business as usual) the risk sits within. Internal changes could include restructure of an entity or a change in strategic strategy. External events could include changes to how the entity is regulated or structural changes to key partner entities.
- A change in a risk’s likelihood and/or consequence rating – if there is a significant change in a risk’s likelihood and/or consequence rating it may result in a risk approaching or exceeding appetite or tolerance limits, and Senior Executives should be briefed so they can plan a potential risk response strategy. The point at which the likelihood of approaching or exceeding appetite or tolerance depends on your entity’s appetite or tolerance statement and will be different for each entity.
Communicate with impact
Be bold in you communication, without being afraid to deliver bad news. Risk owners and senior stakeholders need to know about changes in a risk’s profile as soon as possible to enable an effective response. Being familiar with your entity’s risk escalation points and designated lines of communication will allow you to communicate risk information in an impactful and timely manner.
Link to corporate plan
Risk information that is aligned to the achievement of objectives in your entity’s Corporate Plan will carry the most weight. When senior stakeholders recognise that a change in the risk landscape has the potential to threaten the achievement of strategy, their interest will be captured and your message noticed.
Risk information should be clearly articulated and presented in a simple manner. Incorporating an executive summary at the beginning of your risk documents or infographics to explain complex concepts helps to engage the audience. While detailed information is important to support your summary findings, be aware that senior stakeholders are often short of time.
Communicating should be tailored for you audience. Before formulating your communication, consider who you are presenting a risk update to, the type of information they require and the manner in which it should be presented. For example, your manager may require more detail than a Minister who is looking for a brief snapshot.
Involve the risk owner
The risk owner should have oversight of the management of their risk. While a small change to the risk’s profile may seem insignificant on the face of it, when aggregated with similar events it may lead to a material change in how the risk needs to be managed. For the risk owner to effectively perform their role, they require regular communication of such information from all areas of the entity.
This information sheet is intended to assist Commonwealth officials at the Generalist and Specialist levels understand how to identify key entity risks using strategic documents and risk workshops.
Risk management requires leaders to focus on risks that threaten the achievement of strategic objectives. It helps to consider things that “must go right” to achieve the objectives, and the uncertainties that exist around those things that can jeopardise achievement of the objectives. Identifying risks to strategic objectives are a valuable investment of time and effort in support of achieving entity objectives. This information sheet provides general guidance to enable entities to identify key entity risks to communicate upward to Senior Executive Staff (SES).
Possible triggers to identify risks can be broadly divided into 2 categories:
- Regular triggers including annual updates to your risk framework, the beginning of a new project or a review of your entity’s operations.
- Ad hoc triggers including the realisation of a significant risk, an increase in near miss events or a major change in your internal or external operating environment.
The annual review of objectives in your entity’s Corporate Plan is an ideal opportunity to identify and monitor uncertainties (risks) that could cause a deviation from your expected or preferred outcome. It is also an appropriate time to identify any emerging or trending risks that might require additional focus.
Key changes such as those arising from a change in risk owners, project sponsors, structure, funding or regulation can also be an opportune time to review current and newly emerging risks.
This process involves identifying your entity’s goals and subsequently the dependencies or uncertainties standing in the way of their achievement. Risks are the uncertainties associated with the achievement of objectives. The approach below describes the process to identify the key strategic objectives, to reverse-engineer them into risk statements.
Risk workshops are an effective way to bring stakeholders together to brainstorm risks and to challenge thinking. Effort should be taken to ensure risk workshops are engaging and focussed on participant involvement to ensure robust discussion on the identification of risks within the entity.
Workshops provide the opportunity to share learnings, discuss perspectives and agree on ownership of risks. To generate buy in and accountability from key stakeholders it is important to circulate the agreed outcomes as soon as practicable.
The following steps will help you to plan and run an effective risk identification workshop.
1. Identify relevant stakeholders
The key to a successful workshop is having the right mix of stakeholders in attendance. These stakeholders could be relevant executives and key decision makers, subject matter experts, and people in operational roles likely to be involved with day to day management of the risks. It is important to have initial contact with identified stakeholders prior to the workshop to gain their input on any additional personnel required to attend. Below are some examples of the types of stakeholders that may be considered:
- Executive leadership group or committee
- Subject matter experts for each risk category or risk owners (for example, HR Manager for a “people” risk category or Chief Information Officer for a “technology” risk category)
- Anyone likely to be flagged as a risk or control owner or may have an informed view on potential risks and consequences
- Representatives of any operational areas that may impact or be impacted by the realisation of objectives to be considered in the workshops
2. Conduct preliminary discussions
Initial discussions with select key stakeholders should be conducted to set up an agreed process to run the workshops. These discussions should explore the interests of each stakeholder at the workshop, and ensure a variety of perspectives will be present. The discussions will also potentially provide an early understanding of the risks that will be developed in the workshop and inform any additional resources that may be distributed prior to workshops.
These preliminary discussions will:
- provide participants context before attending
- familiarise stakeholders with the risk identification process
- establish the interests of workshop attendees
- identify risk themes to be discussed at the workshop
- build relationships and rapport prior to the workshop
3. Identify and review the strategic context
Following on from the preliminary discussions, the strategic context of the workshop should be established. First, determine what the objectives are for the project or business area. This can involve a review of corporate plans or project aim statements. It is often also advisable to review the Key Performance Indicators (KPIs) as these can clarify how success is being measured.
Next it is important to review the risk framework and supporting documents that apply to these risks. These can include the entity’s risk appetite and tolerance statements, risk category definitions, and risk likelihood and consequence descriptors. This guidance must be understood prior to the workshop, so that the risks can be articulated in a way that is consistent with the framework.
The final preparation for the workshop is to collect and review any pre-existing documents that have reviewed risks relevant to the workshop objectives. Relevant documents may include risk assessments regarding shared activities from partner entities, risk registers from other areas of your entity or risk assessments from previous years. Once all documents have been collated a selection of key documents should be distributed to workshop attendees prior to the meeting to assist with their preparation.
Workshop preparation steps include:
- Identify the objectives of the project/business area/entity (context)
- Determine the measures of success (KPIs)
- Review the risk framework
- Collect and review risk artefacts that from the context, including organisational plans, risk assessments from partner entities, or risk registers from previous years
- Circulate key documents as reading prior to the workshop
4. Run Workshop
On the day of the workshop, it is ideal that the stakeholders would have read the context material and have an understanding of the objectives to be considered. It important to note that the role of the facilitator is to guide and direct the group through the risk management process, while remaining impartial. This may include challenging ideas and drawing out risks.
The facilitator should clarify the scope of the assessment that is being undertaken. For example, a particular category of risks (that is, risks to our people) or the top 5 operational risks facing the entity. In addition, the facilitator should provide some principles on what makes a good risk statement and why it matters. A good risk statement should outline an uncertainty that could happen, what could cause it and why it would affect objectives.
5. Risk Outputs
At the end of the workshop, you should have some identified risks and notes on the discussions. This register should include the key elements of each risk as raised in the workshop including the risk owner, sources and consequences, rating based on likelihood of the consequence, current controls and proposed treatments. After the workshop the risk register may need to be refined to ensure that each risk is clearly articulated and all relevant elements of the risk have been explored. This step may involve some extrapolation to fill identified gaps, but any information conceived at this stage will be confirmed in the next step.
Drafts of the risk registers will need to be sent to the stakeholders for review. This is also an opportunity to include some suggestions to cover topics raised in the workshop which are outside the general scope. After the risk register is agreed, the final stage is to monitor the implementation of the risk treatments and to determine the timeframe for the next review of these risks.
Give participants information on what to expect in the workshop, what the process will be and what to bring with them. If the participants risk management experience is limited, provide some pre-reading on the basic concepts that will be discussed and the entity’s risk management framework and supporting documents.
Be clear about the scope of the assessment
For instance let the participants know what risks you are specifically assessing. Is it a particular category of risks (that is, risks to our people) or is it the top 5 operational/strategic risks? Don’t forget to assess high consequence/low likelihood risks.
When facilitating workshops, your role is to guide and direct the group through the risk management process while remaining impartial.
Understand the objective of the workshop
Having a clear understanding about the objective will assist in developing the most effective approach to the workshop. For example, the approach to a workshop for an entity’s key strategic risks will be different from a workshop for a new project.
Have some additional support in the workshop
Having additional support at the workshop will enable you to concentrate on running the workshop. Have someone assist with taking notes and documenting the risk information in a register.
Try not to spend too much time on any one risk
If you find that a risk requires a detailed discussion, consider discussing this separately with the person responsible to keep the momentum of the workshop moving.
Park any issues
Explain the difference between a risk (an uncertainty) and an issue (a current problem) and record any issues in a separate issues register for later discussion.
Provide guidance on defining a risk
Provide some principles on what makes a good risk statement and why it matters. A good risk statement generally outlines an uncertainty that could arise, what could cause it and why it would impact objectives.