Shared risks are those risks extending beyond a single entity which require a collaborative effort of shared oversight and management. These include risks that extend across entities and may involve other sectors and jurisdictions.
The management of shared risks should be agreed by all parties involved. Accountability and responsibility for the management of these risks should be identified and accepted by those best positioned to manage them.
Shared risks can be a crucial element of the design and delivery of policies and programs, and failing to identify and manage these risks often impacts a broad range of stakeholders.
Shared risks are those risks that extend beyond a single entity. They require high levels of collaboration and cooperation between stakeholders to effectively understand and manage. The stakeholders affected by shared risks often exist beyond government to include other partners such as industry or the wider community. Shared risks can be unavoidable in government and require inter-entity cooperative oversight and management approaches to minimise their consequences should they materialise.
Visibility of the risk: Individual stakeholders will likely be able to see or understand different aspects of the risk. Proactive and comprehensive information exchange is essential to fully identify the nature and severity of these risks, monitor their status, and manage their potential consequences.
Understanding of controls, treatments and responsibilities: Responsibility for implementing and managing controls and treatments should be agreed to and clearly allocated across separate entities. This involves collaborative approaches to designing, monitoring and reporting the effectiveness of controls. It is important to ensure that the approach is sufficiently understood by all parties. The allocation of controls is important as the risk environment, structure and management priorities change over time across entities.
Exposure to consequences and effects: When a risk is realised, a shared risk may impact a number of entities and the wider community. Where practicable, entities are encouraged to establish mechanisms to appropriately share the burden of the risk exposure. This can be achieved through sharing capabilities, defining exposures explicitly in governance arrangements, or through agreeing treatment plans.
Responsibility of Accountable Authority: Where a risk stretches across more than one entity, it may be unclear who owns the risk. In this case Accountable Authorities are responsible for their entity’s contribution to the management of these risks.
When defining how an entity manages shared risk, guidance to officials should include:
- examples of shared risks that are relevant to the entity
- a clear definition of the shared risk and the arrangements for managing this risk
- mechanisms and protocols to be used for identifying, recording, monitoring, managing and reporting on shared risk, both internally and externally.
- Establish a memorandum of understanding with partners to formalise an agreed understanding of responsibilities and expectations for managing shared risk.
- Develop shared risk registers and profiles between relevant partners and hold regular workshops with representatives of these partners to encourage participants to look beyond their own entity’s view of the risk.
- It is likely that the multiple partners collaborating around a shared risk will have different risk frameworks, processes, risk matrices and terminology. Therefore, it may be necessary for agencies to be agile and cooperate to agree a compromise approach that incorporates elements of each party's risk framework.
- Risk register and risk profile templates can be enhanced by documenting the controls and control owners for monitoring shared risk. For example, ensure that risk controls managed from outside the entity are noted and monitored.
- Ensure shared risks are linked to governance arrangements such as interdepartmental committees or established joint arrangements.