Element 7: Emerging Risks

Entities must implement arrangements for identifying, managing and escalating emerging risks.

Information Sheets

Audience

This information sheet is intended to assist Commonwealth officials at the Foundation, Generalist, Specialist and Executive levels to understand:

  • risk reporting and its role in good management and decision-making
  • formalising risk communication requirements in a risk communication plan
  • practical steps for developing a risk communication plan.

At a glance

A positive risk culture is one where staff at every level appropriately manage risk as an intrinsic part of their day-to-day work. Such a culture supports an open discussion about uncertainties and opportunities, encourages staff to express concerns and propose solutions, and maintains processes to elevate matters to appropriate levels.

Risk reporting

Risk reporting is a key method of communicating risk across business units and between multiple layers of an entity. Risk reporting generally informs stakeholders of the following:

  • Risk events which have occurred and near misses. This can include an analysis of the cause of risk events and near misses and, where appropriate, identification of expected versus unexpected risk events or losses.
  • The current status of the risk profile. This type of reporting is the most common and includes information about the entity’s risks and how they are being managed. It is important to consider who this information will be reported to (i.e. who needs to know).
  • The current risk exposure. This is a succinct analysis of how much risk you are exposed to. Reporting risk exposure generally involves Key Risk Indicators (KRIs) across all categories of risk. KRIs are a mix of qualitative and quantitative measures that provide insight into how the underlying risk profile of the entity might be changing before the risk occurs.
  • Emerging and future risks. This type of reporting is forward looking and often involves scanning the external environment. Scenarios may also be used to demonstrate the potential consequence should emerging risks occur and drive discussion about the entity’s strategic options. This reporting may also include existing risks which are potentially impacted by emerging or future risks.

These approaches to communicating risk will enable the entity to understand if it is operating within its risk appetite and tolerances as well as providing a greater understanding of potential threats and opportunities.

Risk reporting will be most effective where it is embedded in management level discussions and linked to broader management reporting. However, formal risk reporting regimes are only one form of risk communication and, while they are important, they cannot be relied upon alone. It is also important to continually communicate what you’re doing in relation to risk management and why you’re doing it.

Communication channels for risk

There are a number of channels to communicate risk in your entity, both formal and informal. Some common channels are outlined below.

Risk forums and committees

Risk forums provide oversight of risk through discussion of key issues by a group with appropriate representation. Whilst multiple risk committees can exist, most commonly there is a primary risk and/or audit committee which has oversight of risk, compliance and audit matters. The nature and type of forums and committees will depend on the underlying nature of an entity’s responsibilities and operations.

When considering additional risk forums, consider whether internal communication is required to more effectively manage shared risk. Additionally, where the entity is exposed to specialised risks, consider establishing a separate risk forum or committee to enable a more robust discussion on that particular area of risk. Common specialised risk forums include project and program risk; safety and environmental risk; security risk management; and technology risk.

Face-to-face meetings

Where possible, meeting with key officials is the best way to start the risk management process and to communicate key risks. Informal meetings can also give officials the opportunity to ask questions and can make them feel more involved in the risk process.

Internal reporting channels

Where sensible, consider embedding the risk conversation into your entity’s existing communication channels. This can be through newsletters, intranet pages, emails or even flyers and posters. This can help to inform officials about the risk management program as well as communicating key risks.

Practical steps for developing a risk communication plan

Risk communication and consultation plans are a way of identifying and formalising the approach the entity will take to communicate risk issues both internally and externally. It details the key stakeholders involved and the approach to be taken to communicate risk information, changes and concerns with each party. When developing a risk communication plan, consider the stakeholders involved, communication method, purpose, content, timing and required frequency of communication.

Step 1 - Identify and understand stakeholders

Consider the ‘RACI’ approach – Responsible, Accountable, Consulted and Informed – to identify key stakeholders and what their roles will be throughout the process. Once established, these may be incorporated into the risk management plans of the entity, division and/or specific risk owner, as appropriate. This discipline is particularly useful for shared and complex risk where stakeholders may be distributed and not immediately apparent.

The RACI concept is highlighted below.

Who is it?

  • R – Responsible: the person assigned to deliver/execute a particular activity
  • A – Accountable: the ultimate decision-maker and owner of the activity and its associated outcomes
  • C – Consulted: the party/parties whose expertise and/or opinions must be sought and clarified prior to undertaking the activity or making decisions
  • I – Informed: the party/parties who are required to know that the particular activity or decision has been undertaken.

Example – Program/policy risk management

  • Program/policy owner
  • Accountable Authority
  • Audit or Risk Committee
  • Accountable Authority
  • Audit or Risk Committee
  • Senior Executive Committee(s)
  • Staff
  • Functional management
  • Parliament/relevant minister(s)
  • Other Commonwealth departments/entities/cross-jurisdictional departments
  • Media/Community interest groups/general public

Step 2 - Determine communication type and method

Once stakeholders have been identified, their expectations and information needs can be determined. Think about what each stakeholder needs to know in order to assist with implementing decisions, and what the best method is to communicate this to them.

The manner in which risk information is exchanged will vary depending on the role of stakeholders in managing risk.

Step 3 - Establish a common language

It is common for large entities to operate multiple risk activities or programs, each tailored for specialist types of risk within different areas of the entity. However, a single overarching risk framework provides the basis for a common risk management approach, language and terminology to encourage consistency in the understanding and communication of risk.

Step 4 - Define the specific purpose of the communication

Stakeholder consultation can be used to raise awareness and improve perceptions of risk management. Engagement with stakeholders allows for a greater understanding of the diversity of stakeholder needs as well as perceived gaps in the existing communications approach. This will enable communication to be increasingly targeted and increase the value of risk discussions.

Step 5 - Determine the frequency of communication

For each stakeholder and type of communication, an appropriate frequency needs to be determined depending on the nature and impact of the content. This should take into consideration the status of the risk in the context of risk appetite, threat to objectives, the severity of risk and when the risk is expected to occur.

Consider the availability of relevant information when determining the appropriate frequency of communication. Ideally, information communicated will raise awareness and provide sufficient time to drive both proactive and corrective actions.

Step 6 - Assign responsibility for communication

For each stakeholder and communication channel, consider which person(s) are the most suitable to provide the communication in a timely manner, as per the risk communication plan.

An example of the structure of a basic communication plan can be found below. The plan is a table with one row per stakeholder, grouped into internal and external stakeholders, and the following columns:

  • Stakeholder
  • Communication type and method
  • Communication purpose
  • Communication frequency
  • Preparer/owner

Rows for internal and external stakeholders are left blank for the entity to complete.

When developing a risk communication plan, it is important that subject matter experts are engaged. They may bring expertise in the risk being considered, the stakeholders and environment concerned, or in the discipline of risk management itself. Relevant risk management subject matter experts may include enterprise governance, risk and compliance specialists but also experts within specialised areas of risk e.g. technology, security, privacy, safety etc.

When should risk information be communicated upwards?

Mandatory reporting as part of your entity’s governance arrangements

It is common for regular upward reporting of risk to take place as part of entity processes, including during committees or as part of regular reporting requirements. This reporting helps to ensure senior leadership has sufficient oversight over key issues.

Reporting may be part of (but not limited to):

  • an Executive (Sub/)Committee, primarily dealing with risk management
  • a steering Committee of a major project or program where risk management is an ongoing agenda topic
  • a business case approvals process where risk is a decision input
  • regular Executive meetings where key strategic risks are reviewed as part of BAU
  • branch level forums on risks
  • daily/weekly/fortnightly stand up meetings where updates on risks are relevant
  • any other meeting where risk features as an agenda item.

Ad hoc responses to changes in the risk environment

In addition to regular reporting, changes to the risk environment should also be communicated. These events can happen at any time and it is important that officers communicate these risks in a timely manner, even if this is outside the normal reporting timeframe.

Possible events that may change the risk environment include:

  • A material control failure – if a control designed to mitigate a risk breaks down, this could leave an entity exposed to uncontrolled risk. This may become evident through upward trends in incidents, key process failures or key deliverables slipping in terms of time or quality.
  • A material change in your entity’s operating environment – changes in an entity’s internal or external operating environments may alter its risk profile. Senior Executive should be aware of this to assist with their decision making around managing the risk or the activity (project/program/business as usual) the risk sits within. Internal changes could include a restructure of an entity or a change in strategic direction. External events could include changes to how the entity is regulated or structural changes to key partner entities.
  • A change in a risk’s likelihood and/or consequence rating – if there is a significant change in a risk’s likelihood and/or consequence rating it may result in a risk approaching or exceeding appetite or tolerance limits, and Senior Executives should be briefed so they can plan a potential risk response strategy. The point at which a risk is considered to be approaching or exceeding appetite or tolerance depends on your entity’s appetite or tolerance statement and will differ for each entity.

Strategies to use in communicating risk upwards

Communicate with impact

Be bold in your communication, without being afraid to deliver bad news. Risk owners and senior stakeholders need to know about changes in a risk’s profile as soon as possible to enable an effective response. Being familiar with your entity’s risk escalation points and designated lines of communication will allow you to communicate risk information in an impactful and timely manner.

Link to corporate plan

Risk information that is aligned to the achievement of objectives in your entity’s Corporate Plan will carry the most weight. When senior stakeholders recognise that a change in the risk landscape has the potential to threaten the achievement of strategy, their interest will be captured and your message noticed.

Be succinct

Risk information should be clearly articulated and presented in a simple manner. Incorporating an executive summary at the beginning of your risk documents or infographics to explain complex concepts helps to engage the audience. While detailed information is important to support your summary findings, be aware that senior stakeholders are often short of time.

Fit-for-purpose

Communication should be tailored for your audience. Before formulating your communication, consider who you are presenting a risk update to, the type of information they require and the manner in which it should be presented. For example, your manager may require more detail than a Minister who is looking for a brief snapshot.

Involve the risk owner

The risk owner should have oversight of the management of their risk. While a small change to the risk’s profile may seem insignificant on the face of it, when aggregated with similar events it may lead to a material change in how the risk needs to be managed. For the risk owner to effectively perform their role, they require regular communication of such information from all areas of the entity.

Audience

This information sheet is intended to assist Commonwealth officials at the Generalist and Specialist levels to understand how to identify key entity risks using strategic documents and risk workshops.

At a glance

Risk management requires leaders to focus on risks that threaten the achievement of strategic objectives. It helps to consider things that “must go right” to achieve the objectives, and the uncertainties that exist around those things that can jeopardise achievement of the objectives. Identifying risks to strategic objectives is a valuable investment of time and effort in support of achieving entity objectives. This information sheet provides general guidance to enable entities to identify key entity risks to communicate upward to Senior Executive Staff (SES).

Triggers to identifying key risks

Possible triggers to identify risks can be broadly divided into two categories:

  • Regular triggers including annual updates to your risk framework, the beginning of a new project or a review of your entity’s operations.
  • Ad hoc triggers including the realisation of a significant risk, an increase in near miss events or a major change in your internal or external operating environment.

The annual review of objectives in your entity’s Corporate Plan is an ideal opportunity to identify and monitor uncertainties (risks) that could cause a deviation from your expected or preferred outcome. It is also an appropriate time to identify any emerging or trending risks that might require additional focus.

Key changes such as those arising from a change in risk owners, project sponsors, structure, funding or regulation can also be an opportune time to review current and newly emerging risks.

Utilising strategic documents

This process involves identifying your entity’s goals and subsequently the dependencies or uncertainties standing in the way of their achievement. Risks are the uncertainties associated with the achievement of objectives. The approach involves identifying the key strategic objectives and then reverse-engineering them into risk statements.

Risk workshops

Risk workshops are an effective way to bring stakeholders together to brainstorm risks and to challenge thinking. Effort should be taken to ensure risk workshops are engaging and focussed on participant involvement to ensure robust discussion on the identification of risks within the entity.

Workshops provide the opportunity to share learnings, discuss perspectives and agree on ownership of risks. To generate buy-in and accountability from key stakeholders it is important to circulate the agreed outcomes as soon as practicable.

The following steps will help you to plan and run an effective risk identification workshop.

1. Identify relevant stakeholders

The key to a successful workshop is having the right mix of stakeholders in attendance. These stakeholders could be relevant executives and key decision makers, subject matter experts, and people in operational roles likely to be involved with day to day management of the risks. It is important to have initial contact with identified stakeholders prior to the workshop to gain their input on any additional personnel required to attend. Below are some examples of the types of stakeholders that may be considered:

  • Executive leadership group or committee
  • Subject matter experts for each risk category or risk owners (e.g. HR Manager for a “people” risk category or Chief Information Officer for a “technology” risk category)
  • Anyone likely to be flagged as a risk or control owner or may have an informed view on potential risks and consequences
  • Representatives of any operational areas that may impact or be impacted by the realisation of objectives to be considered in the workshops

2. Conduct preliminary discussions

Initial discussions with select key stakeholders should be conducted to set up an agreed process to run the workshops. These discussions should explore the interests of each stakeholder at the workshop, and ensure a variety of perspectives will be present. The discussions will also potentially provide an early understanding of the risks that will be developed in the workshop and inform any additional resources that may be distributed prior to workshops.

These preliminary discussions will:

  • provide participants context before attending
  • familiarise stakeholders with the risk identification process
  • establish the interests of workshop attendees
  • identify risk themes to be discussed at the workshop
  • build relationships and rapport prior to the workshop

3. Identify and review the strategic context

Following on from the preliminary discussions, the strategic context of the workshop should be established. First, determine what the objectives are for the project or business area. This can involve a review of corporate plans or project aim statements. It is often also advisable to review the Key Performance Indicators (KPIs) as these can clarify how success is being measured.

Next it is important to review the risk framework and supporting documents that apply to these risks. These can include the entity’s risk appetite and tolerance statements, risk category definitions, and risk likelihood and consequence descriptors. This guidance must be understood prior to the workshop, so that the risks can be articulated in a way that is consistent with the framework.

The final preparation for the workshop is to collect and review any pre-existing documents that have reviewed risks relevant to the workshop objectives. Relevant documents may include risk assessments regarding shared activities from partner entities, risk registers from other areas of your entity or risk assessments from previous years. Once all documents have been collated a selection of key documents should be distributed to workshop attendees prior to the meeting to assist with their preparation.

Workshop preparation steps include:

  • Identify the objectives of the project/business area/entity (context)
  • Determine the measures of success (KPIs)
  • Review the risk framework
  • Collect and review risk artefacts that form the context, including organisational plans, risk assessments from partner entities, or risk registers from previous years
  • Circulate key documents as reading prior to the workshop

4. Run Workshop

On the day of the workshop, it is ideal that the stakeholders would have read the context material and have an understanding of the objectives to be considered. It is important to note that the role of the facilitator is to guide and direct the group through the risk management process, while remaining impartial. This may include challenging ideas and drawing out risks.

The facilitator should clarify the scope of the assessment that is being undertaken, for example a particular category of risks (e.g. risks to our people) or the top five operational risks facing the entity. In addition, the facilitator should provide some principles on what makes a good risk statement and why it matters. A good risk statement should outline an uncertainty that could happen, what could cause it and why it would affect objectives.

See practical tips to run a workshop below for further instruction.

5. Risk Outputs

At the end of the workshop, you should have a register of identified risks and notes on the discussions. The register should include the key elements of each risk as raised in the workshop, including the risk owner, sources and consequences, rating based on likelihood of the consequence, current controls and proposed treatments. After the workshop the risk register may need to be refined to ensure that each risk is clearly articulated and all relevant elements of the risk have been explored. This step may involve some extrapolation to fill identified gaps, but any information conceived at this stage will be confirmed in the next step.

Drafts of the risk registers will need to be sent to the stakeholders for review. This is also an opportunity to include some suggestions to cover topics raised in the workshop which are outside the general scope. After the risk register is agreed, the final stage is to monitor the implementation of the risk treatments and to determine the timeframe for the next review of these risks.

Practical tips to run a risk workshop

Provide pre-reading

Give participants information on what to expect in the workshop, what the process will be and what to bring with them. If the participants’ risk management experience is limited, provide some pre-reading on the basic concepts that will be discussed and the entity’s risk management framework and supporting documents.

Be clear about the scope of the assessment

For instance, let the participants know what risks you are specifically assessing. Is it a particular category of risks (e.g. risks to our people) or is it the top five operational/strategic risks? Don’t forget to assess high consequence/low likelihood risks.

Be impartial

When facilitating workshops, your role is to guide and direct the group through the risk management process while remaining impartial.

Understand the objective of the workshop

Having a clear understanding about the objective will assist in developing the most effective approach to the workshop. For example, the approach to a workshop for an entity’s key strategic risks will be different from a workshop for a new project.

Have some additional support in the workshop

Having additional support at the workshop will enable you to concentrate on running the workshop. Have someone assist with taking notes and documenting the risk information in a register.

Try not to spend too much time on any one risk

If you find that a risk requires a detailed discussion, consider discussing this separately with the person responsible to keep the momentum of the workshop moving.

Park any issues

Explain the difference between a risk (an uncertainty) and an issue (a current problem) and record any issues in a separate issues register for later discussion.

Provide guidance on defining a risk

Provide some principles on what makes a good risk statement and why it matters. A good risk statement generally outlines an uncertainty that could arise, what could cause it and why it would impact objectives.
