Effective risk management requires an entity to maintain an appropriate level of capability to administer its risk management framework and to manage its risks. The nature and scale of this capability includes governance, processes, staffing, education and systems.
Risk management capability must be regularly considered in the context of an entity’s current resource and capability profile and be commensurate with the characteristics and complexity of its risk profile.
Risk management capability includes risk systems, processes, information and tools as well as people capability. All of these are equally important and go hand in hand to enable an entity to capably manage its risk environment.
Having the required people capability as well as effective risk systems and tools in place provides an entity with first and second lines of assurance against the threats and pressures it faces within its operating context.
Risk systems, processes and tools
The risk management framework and risk profiles of entities will vary greatly in complexity and scale. Risk processes and tools can be tailored accordingly and may range in complexity from simple spreadsheets to dedicated enterprise risk management software.
Some of the functions that can be provided by risk systems include:
- integrated storage of risk information and risk profiles
- analysis of risk information, including analytics such as the identification of common causal factors or interdependencies between risks
- key risk indicator monitoring
- risk information dissemination and sharing, including risk status reports and risk and compliance dashboards
- an audit function that identifies changes and decisions made
- automation of risk workflows.
Risk tools assist staff to make consistent judgements on risk across the entity. They can include:
- risk assessment and treatment plans
- risk severity assessment matrix
- risk consequence descriptors
- risk likelihood scale
- control effectiveness rating tool.
Risk systems and tools are most effective when they are appropriate to the entity’s needs, maintained and complemented by training and workplace support. If they are overly complex, they will be underutilised. If they are inadequate, they will not provide the functionality desired or support efficient work processes.
Building the capability of an entity’s officials is critical as it ensures a consistent approach to the understanding of how risk is managed across the entity. Equipping officials to effectively manage risk may include:
- clearly defining responsibilities and accountabilities for managing risk
- building risk competency through induction, ongoing learning and development, mentoring and experience through on the job learning
- access to relevant internal and external communications and information
- peer support and collaboration mechanisms
- sharing of case studies and lessons learned.
Managing risk is everyone’s responsibility. However, learning and development opportunities will be most effective where they are tailored to the current competency level of officials and the requirements of their role. While the concept of managing risk will be the same for everyone, the appropriate level of risk competence among officials may vary between levels.
To identify the entity’s risk management training needs, entities can:
- determine and compile the risk management competency requirements of their workforce at the different levels of the entity
- undertake a skills analysis to determine their current level of capability.
Comparing these will provide a clear understanding of competency needs in order to develop a prioritised learning and development or communication program.
1 - Determine the appropriate level of risk management capability
When seeking to enhance and maintain a high level of risk management capability, it is first of all important to consider the capability needs of the entity. This approach should be undertaken in terms of the capability needs for people, processes, systems and information. It is also necessary to consider the internal and external operating environment, the severity and complexity of the risks being managed and the importance or profile of the objectives they may affect. The level of risk management capability in an entity may be measured against the potential cost of the risks, should they be realised, and the entity’s risk appetite and tolerance for those risks.
2 - Analyse current capability against the required level to identify training needs
It is necessary for an entity to maintain and regularly assess its level of risk management capability. This can involve an internal review of an entity’s risk management function and all of its resources, i.e. people, systems, processes and tools. Through this process gaps can be identified and actions can be taken to bridge those gaps. This can be done through process or system enhancement, as well as through further education, training or talent acquisition. Well-articulated capability statements promote a clear understanding of the role and function when managing risk.
3 - Implementing initiatives to build or maintain risk management capability
Some key steps to build risk management capability may include:
- Providing appropriate risk management awareness training to officials on a regular basis. Include an overview of the entity’s risk management framework in the induction program and highlight the capabilities officials can draw on to help them manage risk.
- Keeping risk management policies and processes up-to-date helps ensure that all officials’ knowledge and understanding of the entity’s approach to risk management is in line with expectations and best practice for the entity. Ensure that obsolete or superseded guidance is removed from your IT environment, currently authorised versions are clearly identified and links are regularly tested and kept up to date.
4 - Sharing risk management expertise
Maintaining an appropriate level of risk management capability does not necessarily mean owning it exclusively in an entity. Many Commonwealth entities face common risk challenges and can therefore share the specialist capabilities needed to manage them. For example, the specialist expertise required to analyse particular categories of risk can be shared by peer entities as can the lessons learned.
- Think holistically about the capabilities the entity needs to effectively manage risk including people, processes, systems, and information. Conduct a capability needs analysis to determine and prioritise risk management capability gaps.
- Identify, train and connect risk champions drawn from diverse parts of the entity. These champions can help spread risk management good practice and influence behaviours.
- Identify opportunities to develop skills through more informal learning methods such as regular lunchtime discussion sessions or opportunities for people to learn through practical experience.
- When considering the acquisition or development of risk tools or systems, ensure the entity identifies a fit-for-purpose solution.
- Ensure that any investment in risk management systems is in line with the entity’s risk competency and culture.