Embedding risk management into the decision making activities of an entity enables risk to be managed in a repeatable and consistent way when designing, implementing, delivering and undertaking government initiatives. The level of complexity in how risk management is embedded into decision making should be proportionate to the nature and severity of the risks faced. It should also consider the maturity of the entity’s culture and framework for managing risk.
It is particularly important that risk management is embedded into an entity’s activities including projects, strategic and operational planning, governance arrangements, performance management, regulatory oversight, program and policy design and implementation.
Managing risk is a core responsibility of Commonwealth officials at all levels. Embedding risk management into business activities allows an entity to consider the whole picture and establishes an element of consistency in decision making.
There are a number of initiatives that can be adopted in order to informally and formally embed risk management across an entity’s operations and decision-making:
- A commitment from senior executives through messaging and demonstrated decision making as part of a business-as-usual approach can help instil a risk-focused approach into any entity.
- Implementing processes and systems that use risk information as an input to inform decision making.
- Building and developing risk management capability to create a workforce that is trained and equipped to consider risk in day-to-day operations.
- Linking an entity’s strategic objectives to risk to reaffirm the importance of making risk-informed decisions as it draws the connection between success and risk management.
- Aligning separate risk disciplines of an entity with an overall risk management framework.
- Including risk sharing arrangements into contracts with third parties.
Successfully embedding risk management into an entity’s business processes requires an approach tailored to the entity’s strategic objectives, operating environment and context. The extent to which risk management should be embedded into business activities may also depend on the maturity and the complexity of the entity’s risk profile and also the size of the entity.
The following is a non-exhaustive list of examples of where entities are able to embed risk management into their activities:
- Governance arrangements - An entity’s governance function has a number of key risk management roles. These include helping to integrate risk management into strategy as well as establishing risk appetite through the entity’s risk management policy, defining risk management roles and responsibilities, benchmarking maturity, and reviewing how risk is managed within the entity.
- Performance management – Tailoring staff performance agreements as well as the operational performance indicators of an entity to reflect core risk management principles. Specific risk management responsibilities should be tailored to the role in question (as outlined in element 4).
- Corporate planning – The early assessment and management of an entity’s enterprise risks is an integral part of an entity’s corporate planning framework. Strategic objectives can be a useful starting point for risk identification processes as part of corporate planning.
- Change management– An early risk assessment of all significant change activities can inform the appropriate level of change management policies and instructions. This helps provide an entity a broader picture of the implications of conducting change activities to inform how best to manage them.
- Projects and programs - Project and program design and implementation involves constantly identifying and managing risk. This includes shared risks and risk interdependencies between projects when managing a program. Entities should consider making risk management a mandatory step of any new program or project plan. Good risk management here involves incorporating dependencies and potential negative consequences into the strategic and operational decision making associated with designing and carrying out projects or programs.
- Audit and assurance programs- Understanding an entity’s risk profile enables an entity to prioritise its greatest risks as part of their audit and assurance activities. Likewise the outcome of internal and external audit activities may influence the design of an entity’s control framework.
- Organisational resilience - Increasing organisational resilience through taking a risk-based approach to understanding the potential consequences of events allows entities to be prepared and increases their ability to return to a satisfactory level of performance in an acceptable period of time after an event has occurred.
- Procurement – Incorporating risk management requirements (cost, safety, probity, quality, and time etc.) into the tender evaluation process when procuring a supplier or contractor can help inform the evaluation of a potential supplier. Embedding risk management into procurement is a good example of where engaging with risk in a balanced way can lead to better outcomes.
- Contract management – Undertaking the contract management process with a risk-lens enables an entity to maximise the potential benefits of contractual arrangements. This can be achieved by establishing and communicating the desired risk tolerance and creating specific checkpoints as part of the quality assurance process in the contract lifecycle to monitor and control any present or potential risk.
- Include a statement of intent and an ‘overview of approach to risk management’ in your entity’s risk management policy. This statement can be useful in conveying the tone for risk management to officials and help shape their attitudes towards risk.
- Link the management of risk to the achievement of objectives. It’s useful to approach risk assessments by thinking about what must go right and then looking at the risks to achieving that. Risk management is far more likely to be embedded when it is seen as an enabler to getting things done and solving problems than a compliance activity. It is also important to look closely at the user experience to ensure processes and tools are easy to use and support staff in getting their work done.
- Highlight and promote good examples of how embedding risk management into business processes has resulted in innovative and positive outcomes.
- Assist teams and business areas to embed risk management into their activities by providing common risk tools and templates that can be incorporated into their documents and processes.
- Include risk management in executive management meetings as a standing item so that it becomes routine. Consider using this discussion to focus on just a few key risks (think about those risks with high inherent and high residual ratings, high consequence or low control effectiveness).