Implementing the Commonwealth Risk Management Policy (RMG 211)

Purpose of this Guide

This Guide provides practical advice to assist Commonwealth officials in implementing the requirements of the Commonwealth Risk Management Policy.1

The Guide is designed to be used as a learning resource and is not mandatory. It is important that entities develop risk management frameworks and systems that are tailored to the needs of their organisation. Entities may elect to adapt the concepts contained in this Guide to suit their specific needs or use alternative methodologies.

The mandatory elements of the Commonwealth Risk Management Policy are repeated in this Guide in the boxes at the beginning of each element.

What is risk management?

Risk is the effect of uncertainty on objectives. Risk is the possibility of an event or activity preventing an organisation from achieving its outcomes or objectives.

Risk management is the activities and actions taken to ensure that an organisation is conscious of the risks it faces, makes coordinated and informed decisions in managing those risks and identifies potential opportunities.

What are the benefits of risk management?

• improved accountability and better governance
• better management of complex and shared risks
• improved financial management
• improved organisational performance and resilience
• confidence to make difficult decisions
• decreased potential for unacceptable or undesirable behaviours such as fraud and harassment.

The key elements of an entity’s risk management policy

Overview of the approach to risk management

Entities are encouraged to include in their risk management policy a statement of intent to embed risk management into their decision making and performance management processes. The inclusion of a risk philosophy statement or key principles can be useful in conveying to officials the tone for risk management in the entity.

Risk appetite and tolerance

Risk tolerance is the specific level of risk taking that is acceptable in order to achieve a specific objective or manage a category of risk. Risk tolerance represents the practical application of risk appetite and will be most effective when it is easily understood by all officials.

A risk appetite and tolerance statement provides officials with an understanding of the entity’s acceptable risk levels for all significant risk categories. In cases where risk appetite is low, this statement provides guidance to officials on what decisions they cannot make. Where the entity is prepared to take increased levels of risk, a statement reflecting this empowers officials to make acceptable risk-based decisions.

Risk tolerance statements often include quantitative measures to enable monitoring and review. For example an entity with a low risk appetite for IT system outages may define their risk tolerance as no more than five days of system outages per annum.

While the inclusion of a risk appetite and tolerance statement in a risk management policy can be useful in setting the tone for risk taking in the entity, this may not always be practical due to the level of detail required. In such circumstances, it may be more practical to refer to it or link to other document/s detailing the entity’s risk appetite and tolerance.

Key accountabilities and responsibilities

While the accountable authority is ultimately responsible for maintaining systems of risk oversight, management and internal control, an entity’s risk management policy can be a useful means of communicating more specific risk management responsibilities to officials. Aside from those requirements set out in element

three of the Commonwealth Risk Management Policy, think about what additional responsibilities and accountabilities you would like to communicate.

A statement noting that all officials in the entity are responsible for managing risk can be a useful way of communicating to staff that it is not just the risk management area that is responsible for managing risk.

Accountable authority endorsement

A key role of the policy is to provide a clear and meaningful mandate for the entity’s risk management framework. It is critical that the accountable authority understands and endorses the policy as this signifies to all officials the expectation that the policy is an essential part of their day-to-day work.

A written statement or personal message from the accountable authority (or senior leadership) that summarises the entity’s risk management policy can also effectively and clearly express the intentions and requirements of the organisation. The way displays in corridors and lifts and making it available externally via the internet.

Designing a risk management framework

A risk management framework is a set of components that support the consistent and systematic management of risk in an entity. Each entity needs to determine its own risk management framework that is the best fit for the entity’s purpose, structure and size.

An entity’s risk management framework is most effective when it is aligned with other business processes. Key amongst these include the entity’s:

• corporate plan
• management and decision making
• governance and assurance arrangements
• change and business improvement programs
• operational program planning, management, and reporting requirements.

While a risk management framework sets the foundation for risk management, it is the entity’s risk culture that will ultimately determine how effective it is in changing the behaviour of officials.

The key attributes of a good risk management framework

• It is fit-for-purpose and tailored to the needs of the entity.
• It is well understood, consistently applied, integrated and centralised across the entity.
• It details the required actions for designing, implementing, monitoring, and reviewing risk management in the entity.
• It is used by officials as part of their day-to-day decision making.

There is no standard format or structure for a risk management framework. The nature of the work carried out by each entity will determine the design and sophistication of its risk management framework. However, framework elements used by many entities include those illustrated below.

Key responsibilities for managing risk

Responsibility for determining risk appetite and tolerance

This may include:

• the person who is ultimately responsible for determining risk appetite and tolerance (usually the accountable authority working with the senior executive)
• specific responsibilities for developing, approving, monitoring and adjusting an entity’s risk appetite and tolerance.

Responsibility or implementing the risk management framework

• design
• publication
• review of the entity’s risk management framework

These responsibilities will be most effective where they are clearly defined, effectively communicated and assigned to a specific person or team

Responsibility for managing individual risks

Responsibilities that may be defined include:

• Risk owners. Accountable for managing a particular risk
• Control owners. Responsible for maintaining the effectiveness of measures to modify risk
• Risk treatment owners. Responsible for implementing strategies in cases where the risk level is unacceptable after controls are applied

Guidance can be provided on how to discharge these responsibilities and how risk and control owners can best interact so that risks are actively managed within agreed tolerances.

Entities are encouraged to include a statement in their risk management framework that all officials at all levels of the entity are responsible for managing risk. These responsibilities include risks within an individual’s area of control and whole-of-entity and shared risks.

Examples of some typical risk management responsibilities can be found at Appendix B.

Opportunities to embed risk management

Successfully embedding risk management into an entity’s business processes is challenging and thought provoking. It requires an approach tailored to the entity’s corporate objectives, operating environment and context. A useful approach to embedding risk management can be to establish short and long-term plans for embedding risk management. These can then be communicated to key stakeholders.

• Governance. An entity’s governance function has a number of key risk management roles. These include helping to integrate risk management into strategy, establishing risk appetite through the entity’s risk management policy, defining risk management roles and responsibilities, benchmarking, and reviewing how risk is managed within the entity.
• Corporate planning. Assessing and managing an entity’s enterprise risks is an integral part of an entity’s corporate planning framework. An entity’s strategic objectives can be the starting point of any risk identification process.
• Change management. Change management policies and instructions may include the requirement for a risk assessment of all significant change activities.
• Projects and programs. Project and program implementation involves constantly identifying and managing risk, such as shared risk in complex projects and risk interdependencies between projects. This could allow individual project risks to be aggregated to provide a program and portfolio view.
• Audit and assurance programs. Clearly understanding an entity’s risk profile enables the prioritisation of an entity’s audit and assurance activities. The outcome of internal and external audit activities may influence the design of an entity’s control framework.

• Organisational resilience. Increasing organisational resilience allows entities to resist being affected by an event or increases their ability to return to an acceptable level of performance in an acceptable period of time after an event has occurred.3

Alignment with specialist risk categories

Specialist risk categories often have their own legislation, standards, compliance and reporting obligations. Entities may also have specialist programs and processes including:

• business continuity and disaster recovery
• fraud control
• workplace health and safety
• protective security

While a specialist program may lead to an increased focus and management of these risks, specialist programs may benefit from being connected to the entity’s overarching risk management framework to ensure consistency. This can be achieved by adopting common terminology and processes across all programs.

Characteristics of a positive risk culture

A positive risk culture exists in an entity when officials understand the risks facing their entity and consistently make appropriate risk-based decisions. A poor risk culture is often evidenced by officials being ignorant of the entity’s risks, being excessively risk averse or overconfident.

A positive risk culture generally includes the following attributes:

• leaders, managers and supervisors consistently and positively demonstrate and discuss the importance of managing risk appropriately
• the entity’s risk management framework is integral to its operating model
• officials are comfortable talking openly and honestly about risk, using commonly understood risk terms and language
• officials understand and agree the need and value of effective risk
• management
• officials own and manage risk and proactively seek to involve others as
• appropriate
• officials own and manage complex and shared risks with others
• incentives reinforce appropriate risk-related behaviour being challenged respond positively
• the entity has a supportive environment for escalating risk issues with the senior executive.

Why is a positive risk culture important?

Culture is more than just complying with your entity’s risk management framework. The behaviours and attitudes to risk are just as important as the framework.

Decisions are often made, and risks managed, without complete information, with inadequate resources and against competing priorities. In these circumstances a strong risk culture will support the proper management of risk.

How to influence risk culture

A brief description of the influencers of risk culture, and some examples of desirable and detrimental risk behaviours are provided below.

In determining the risk behaviours they will display, officials are often guided by the accountable authority and the entity’s executives. Key elements include:

• Role models. Influential individuals who lead by example. The risk management behaviours they display guide others. It can be useful to assign accountability of the entity’s risk culture to a visible senior executive sponsor.
• Explicit messages. During recruitment and induction, and throughout their careers, officials are provided with many instructions and guidelines that will influence how they view and manage risk.
• Incentives. The manner in which officials are rewarded and recognised. How these incentives take into account risk management behaviours will indicate how risk management is valued.
• Symbols and actions. The daily actions of leaders will be noted by officials and mirrored.

Measuring risk culture

It may take years for an entity to develop and maintain a positive risk culture. An entity’s risk culture can be monitored and formally assessed through staff surveys or consultations.

How to communicate risk

Communicating risk information with stakeholders is important, as it maintains confidence and trust and develops a common understanding of the entity’s risks. External stakeholders such as ministers, other government entities, suppliers and the wider community may need an opportunity to communicate their views and feel involved in decision making where appropriate.

Develop a risk communication plan

A risk communication plan can be an effective way of documenting an entity’s approach to communicating risk. When developing a risk communication plan, consider both external and internal reporting requirements. To minimise duplication, risk information provided in corporate reporting may be used to inform senior executives when completing annual reporting tasks.

A risk communication plan can be tailored for each individual entity and may include information on:

• the attitude and approach to managing risk
• the risk profile
• individual risks
• specific control responsibilities.

An entity’s risk profile is a key tool for informing senior executives and stakeholders on the priorities and management of risk and may be developed at a corporate level as well as at business unit and branch levels. Clear communication of the entity’s risks relies on developing quality risk profiles that provide a complete view of key risks.

Build a culture of open risk communication

All officials are responsible for communicating risk and sharing risk information within the entity and with external stakeholders as appropriate.

Open communication requires time to develop and relies on officials acknowledging that good risk communication provides an opportunity to innovate and improve performance.

As part of effective communication, entities are encouraged to provide regular, candid briefings on key risks, threats and opportunities. Where appropriate, significant issues can then be escalated to the accountable authority and/or minister.

Consider communication requirements

Entities are encouraged to use risk communication to identify, assess and provide information on the monitoring of risks against the corporate objectives of the entity. This may be aligned with other reporting frameworks.

When communicating about risk, ask yourself the following questions:

• What needs to be communicated?
• Who needs to know?
• What is the time frame?
• Will terminology be an issue?
• What is the most acceptable format when presenting information?
• What analysis has been performed to provide robustness to the data?
• What follow-up action is needed?

Risk communication is critical to ensure that the entity’s risk management processes are consistently implemented  at all levels. Operational risk reporting to senior executives is most effective when it occurs at regular intervals throughout the year.

Characteristics of shared risk

Shared risks are those risks that extend beyond a single entity, requiring high levels of cooperation between stakeholders to effectively understand and manage those risks. Stakeholders often go beyond government to include other partners, such as industry, the wider community and across jurisdictions.

Shared risk is a crucial element of program/policy delivery and failing to identify and manage these risks often impacts a broad range of stakeholders.

It is therefore important that entities, in collaboration with their stakeholders, cooperate to identify and manage risks, develop clear roles and responsibilities for managing these risks and agree to outcomes.

Aspects to consider in managing shared risk

Visibility of the risk. Proactive and comprehensive information exchange is essential to fully identify the nature and severity of risks, monitor their status and manage the potential realisation of risks.

Controls and treatments. Responsibility for implementing and managing specific controls and treatment programs may be allocated or dispersed across separate entities. This involves collaborative approaches to designing, deploying, monitoring and reporting the effectiveness of controls and treatments.

Exposure to consequences and effects. When a risk is realised, a shared risk may impact a number of entities and the wider community. Where practicable, entities are encouraged to establish mechanisms to appropriately share the burden of the risk exposure. This can be achieved through pooled or collaborative response capabilities, defining financial exposures explicitly in governance arrangements, or through agreeing integrated treatment plans.

Documenting the management of shared risks

Documenting shared risks is good governance, improves understanding of complex relationships and clarifies the extent of knowledge of shared risks at a point in time.

When defining how an entity manages shared risk, guidance to officials may include:

• a meaningful definition of shared risk in the entity’s risk management policy the concept of shared risk, and the arrangements for managing it, into project or program management frameworks and processes
• examples of shared risks that are relevant to the entity
• a list of those in the entity likely to be responsible for managing shared risk
• protocols for establishing mechanisms to collaboratively manage shared risks
• an identification of the mechanisms and protocols to be used for recording, monitoring and reporting on managing shared risk, both internally and externally.

Collaborative resilience

Common shared risks within the Commonwealth include risks which threaten the safety and security of entities and the services they provide. These may include natural disasters, acts of terrorism, and infrastructure or market failures. Significant opportunities exist for Commonwealth entities to collaborate in order to enhance their individual and collective resilience to such risks.

Entities are encouraged to work with stakeholders to better understand common threats, shared vulnerabilities and to optimise their collective ability to prevent, manage and recover from disruptive events. Communities of practice, peer entities or those in close proximity to one another can be formed to encourage this.

Determining the appropriate level of risk management capability

When determining an appropriate level of risk management capability, consider the severity of the risks being managed and the importance or profile of the objectives they may affect. The level of risk management capability in an entity may be measured against the potential cost of the risks, should they be realised, and the entity’s risk appetite and tolerance for those risks.

Maintaining an appropriate level of risk management capability does not necessarily mean owning it exclusively in an entity. Many Commonwealth entities face common risk challenges and can therefore share the specialist capabilities needed to manage them. For example, the specialist expertise required to analyse particular natures of risk can be shared by peer entities as can the lessons learned.

Capabilities that can help an entity manage risk

Risk systems and tools

The risk management frameworks and risk profiles of entities will vary greatly in complexity and scale. Risk processes and tools can be tailored accordingly and may range in complexity from simple spreadsheets to dedicated enterprise risk management software.

Some of the functions provided by risk systems and tools include:

• integrated storage of risk information and risk profiles
• analysis of risk information, including analytics such as ‘causal factor’ analysis and key risk indicator monitoring
• risk information dissemination and sharing, including risk status reports and risk and compliance dashboards
• automation of risk processes workflows.

Risk systems and tools will be most effective when they are appropriate to the entity’s needs, well maintained and complemented by training and workplace support. If they are overly complex they will be underutilised. If they are inadequate, they will not provide the functionality desired or support efficient work processes.

An entity’s risk manager, or risk management team, can support the development of good risk processes through:

• developing a fit-for-purpose risk management policy and processes in the entity
• supporting senior executives by coordinating, compiling and presenting clear and concise risk information able to be used in planning and decision making
• ensuring there are easily accessible systems and processes in place to enable all officials to systematically manage risk in their day-to-day work
• supporting business units to implement the risk management process
• ensuring risk management processes are applied consistently across the entity
• developing and implementing an appropriate risk communication strategy
• identifying the needs for skills development and specific training in risk management across the entity
• developing and maintaining a risk reporting framework to enable regular reporting of key risks, and the management of those risks, to senior management.

Reviewing the management of risk

As an entity’s environment, objectives and capabilities change over time, so do its risks, its risk appetite and its exposure to existing risks. To ensure new risks are identified, and existing risks remain appropriately managed, entities need to continuously review their risk management framework and the risks being managed.

Effective risk management programs require regular review and evaluation mechanisms, both formal and informal. This guides whether the entity’s approach to risk management is consistent with its objectives, ensures that the risk management framework is continuously improved and that good risk management practice is recognised and rewarded. These mechanisms also provide assurance to the accountable authority on the efficiency, effectiveness and relevance of the entity’s approach to risk management.

To assess the performance of an entity’s risk management framework, three key aspects can be considered:

• Value add. The degree to which risk management is contributing to the achievement of the entity’s objectives and its effectiveness in identifying and managing risk.
• Maturity. Whether the risk management framework is fit for purpose for the entity and represents the appropriate application of better practice.
• Compliance. The extent and the consistency of the application of the risk management framework in practice across the entity.

Reviewing an entity’s approach to managing risk, and the performance of its risk management framework, has four key steps:

1. review the entity’s risk management framework
2. review compliance with and the application of the framework
3. review the entity’s risk profile
4. review individual risks and the controls that are in place to manage them.

How to review the risk management program

The table below identifies some common accountabilities and responsibilities for managing risk in an entity. These are examples and may not apply to all entities.