Home > Risk > Australian Government Agency’s Risk Management Guidance – The Good and the Bad

Australian Government Agency’s Risk Management Guidance – The Good and the Bad

Whether you are new to risk management or not, you may enjoy a recent set of guidance that has been published by the Treasury Department of the government of New South Wales (in Australia).

In this post, I am going to highlight some of the good and – unfortunately – the bad from the guidance, with reference to their Executive Guide. The good far exceeds the bad, but the bad merits discussion.

The guide is driven by (believe it or not) valuable regulation:  “NSW Treasury’s Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 09-05) requires department heads and governing boards of statutory bodies to establish and maintain a risk management process that is consistent with the current Australian/New Zealand (AS/NZS standard on risk management).  Standards Australia has adopted the international standard (ISO 31000), which it is has titled AS/NZS ISO 31000:  Risk management – Principles and guidelines.”

If you are not familiar with the global risk management standard, ISO 31000:2009 (which I recommend), the NSW guidance will get you started.

The Guide explains that:

“ISO 31000 consists of a set of principles, frameworks and processes aimed at improving decision making about risks and their management by reducing uncertainty and increasing the likelihood that organisational objectives will be achieved.  It is not a compliance standard, but instead provides principles-based guidance on best practice.

“Risk management, like other management systems, should be designed to meet an agency’s specific needs. “

This accurately spells out the value of risk management. It is not in the periodic report and discussion of risk at executive and board meetings! It is in the ability to provide quality information to decision-makers across the enterprise and drive better decisions every day – and through them the achievement of objectives.

The Preface to the Executive Guide makes a statement that I only wish was true:

“Our tolerance for ineffective risk management is diminishing.”

Unfortunately, few organizations seem aware of the limitations of their ability to manage risk. They are satisfied with, at best, periodic reviews of top risks. They do not understand the need to consider risk in the processes of setting strategies, managing performance, and making decisions every day.

The Guide repeats the definition of ‘risk’ in ISO 31000: “Risk, in ISO 31000, is defined as the effect of uncertainty on your agency’s objectives. This can mean both negative and positive effects on your objectives. While risk is inevitable, it can and must be managed.”

It explains a risk framework and says:

“ISO 31000 provides a risk management framework to embed the process for managing risk throughout your agency, including your overall governance, strategy, planning, budgeting, management, and reporting processes and policies.”

“This means, for example, that you should formally consider risks:

    • in your strategic, business and workforce planning processes
    • in your budgeting processes
    • when developing and implementing: – new or revised policies or programs
      • new strategies, projects or activities
      • significant changes to an initiative, project or level of activity
    • in all capital projects
    • in procurement processes.”

The Guide includes a discussion of the features of an effective risk management framework and includes some questions to help you assess it. It continues with a useful discussion of an effective risk management process.

When it comes to its discussion of risk criteria (a term I far prefer to either ‘risk appetite or tolerance’), I believe the Guide makes a very subtle error when it restates the global standard. It starts correctly with “To prioritise your risks, you need to have a scale or terms of reference to evaluate them against; these terms of reference are defined in ISO 31000 as ‘risk criteria’. You must define your risk criteria before conducting a risk assessment.”

However, while ISO 31000 talks about “the nature and types of causes and consequences that can occur and how they will be measured”, the Guide only talks about “the type of consequences that will impact on objectives”.

It omits the word “nature”.

Why is this important?

Almost everybody focuses exclusively on the level of the impact and its likelihood. They don’t consider other aspects of the consequence and whether it is acceptable. These might include:

  • The speed of onset of any potential adverse effect. When bad stuff happens quickly, there is little time to prepare any defense or other response. The faster the impact, the less likely it is to be acceptable
  • The volatility of the risk. When the potential impact can vary significantly, it may be acceptable one minute and unacceptable the next. This should be considered when setting risk criteria
  • The ability or capacity of the organization to address any potential impact. If management takes a long time to make decisions and respond to risk, it may be necessary to set the acceptable level lower
  • The duration and longer-term effects of the risk. How long will any effect endure and how long will it take to recover? The longer the duration, the less likely it is to be acceptable
  • Will this risk, should the impact occur, reduce the organization’s ability to respond to other risks? Not only may a single adverse situation have multiple effects, but it may lower the capacity for other adverse events. For example, on regulatory violation is significant in itself, but lowers the ability to countenance a second violation – even if it is another area

The discussion of risk assessment starts, appropriately, with risk identification and says “Risk management is iterative: your list of risks will not be static and will evolve over time”. This is good. Risk identification and assessment is a continuous task.

However, the discussion of risk assessment seems to assume that this is a periodic exercise and heat maps are an effective tool. I disagree on both counts.  Risk assessment should be continuous, and heat maps (as illustrated in the Guide) fail to tell the correct story. They show the size and likelihood of the potential impact, but not whether it exceeds risk criteria. That is what matters, not the absolute level.

The section on risk reporting ignores the fact that risk is ‘managed’ every day in decision-making. The Guide says “The frequency and content of reports should be tailored to the needs of individual stakeholders. Those stakeholders will include your Head of Authority or governing board, your agency’s executive, and the Audit and Risk Committee.” Why are stakeholders at lower levels ignored? Every manager is a manager of risk and needs quality information if they are to make quality decisions.

I have issues with some of the points made on barriers to effective risk management.

The first barrier they list is “You do not strongly link it to your objectives”. The problem is that you don’t identify risks and then link them to objectives. You consider the objectives and identify what uncertainty lies between you and achieving (or surpassing) your objectives. When you link risks to objectives and do not take the top-down approach of linking objectives to risks, there is a high risk that you will miss something.

The point on identifying the right risks is good until it says “Your agency’s key decision makers need a concise list of risks that accurately reflects the most significant risks your agency faces.” This may lead people to focusing on their ‘top 20’ instead of all the risks that might have a significant impact on the achievement of objectives. It assumes that a small group reviews a list and makes risk decisions, instead of recognizing that every manager makes risk decisions pretty much every day.

What do you think?

  1. Ehtisham Syed
    July 2, 2013 at 9:35 AM

    All good points. I particularly like ““Our tolerance for ineffective risk management is diminishing.” Risk management plays a central role in decision making process. There are many decisions taken place in an organization in a given day but only few of them are of strategic in nature. In other words, the effectiveness of decision making processes determines the effectiveness of risk management process. Oftentimes, our decisions are reflection of our biases which lead us to ineffective risk management process. And the result is obvious. Disasters, failures, and harm to both individuals and society.

    ISO 31000 RMS needs to provide explicit guidelines on the effectiveness of decision making process!

  2. Michael Ogbole
    July 2, 2013 at 10:26 AM

    Norman, You have made very good observations as usual. There must be clear objectives before looking at the risks that stand between you and attainment of those objectives. Also every stakeholder manages risks at different levels of responsibility and none should be ignored as you rightly observed.

  3. July 3, 2013 at 3:58 AM

    Hi Norman. Glad you liked TPP 09-05. I can’t take any credit for writing it, but did have some input into it. Alas I can’t say the same for the Risk guide.

    For those who are interested, TPP 09-05 has proven to be groundbreaking, in that each government agency is required to appoint a majority of independent members from a central government vetted panel of acceptable people. It ensures that those members are fiercely independent and not part of the mates-driven approach than can and often does happen. The key idea (possibly mine) was that it’s the demand driven by independent capable members which will drive a rapid uplift in audit quality, and this will happen faster than trying to drive it bottom up. Now a bad model.

    By way of context, NSW represents around 30% of Australia’s population, so not big by US standards, but is the big one for us.

    @todddavies

  4. July 3, 2013 at 9:58 AM

    Norman, we can have better discussions of risk events if we ask “how will it happen” rather than “if it will happen.” “If” leads to what you were referring to likelihood and impact. “How” leads to deeper conversations on the risk management process.

  5. July 3, 2013 at 2:42 PM

    Hi Norman, I am glad you have found this, and like Todd, I have been on the edge of these processes. I am an approved Chair for Audit and Risk Committees in NSW and have Chaired a number of agency’s committees. I have runs a public sector independent audit and risk committee member discussion group in Sydney and we provided feed back on the draft. Not all of our recommendations were adopted!

    When the requirement to have Audit and Risk Committees in NSW Public Sector came out, guidance of risk was missing with only a reference to the ISO standard.

    This became problematic as agencies then started inventing their own wheels and wasting resources. Whilst I agree with your comments, as a first cut for a whole of government approach (recognising that NSW has some of the largest government agencies in the world (for example the Department of Education and Communities has over 100,000 staff and educates almost 750,000 students and training about another 500,000), at least there is a common starting point. We are currently going through a consultation on the Audit and Risk Committee/Internal Audit policy (and I am on the reference group), and I think a year or two down the line there will be a review of the risk policy to tweak and improve it.

    At the end of the day, it comes down to implementation. I was the first Chair for an investigation and prosecution agency (for a professional bodies area), and there was not a lot of spare dollars to put to effective risk management or ERM. Spending a year discussing how this would be done, effectually the Chief Executive came to the committee with a suggestion. What about if we include risk management in our management development program (an element of it rather than a special course) and we integrate risk into all of our discussions. This lead to case officers thinking about risks relating to the complainant, the professional being investigated, the integrity of the profession and the agency. When there were team case reviews, this became a natural element of the discussions. At divisional critical case reviews, again these risk elements became a natural part of the discussion, and so on.

    This approach went across into the corporate support areas (their operations, their internal clients, the external stakeholders).

    At the Executive Management Committee meetings, risks formed part of most discussions and there was a separate risk agenda item to consolidate key risk discussions.

    At our Audit and Risk Committee the consolidate risks and emerging risks were discussed.

    In the end we had an enterprise risk approach without any computer systems.

    Kind regards
    Jason

  6. Norman Marks
    July 3, 2013 at 3:34 PM

    Thanks for the comment, Jason. I love how you have “integrated risk into all your discussions.”

  7. July 12, 2013 at 3:55 AM

    Whereas risk management tends to be preemptive, business continuity planning (BCP) was invented to deal with the consequences of realised residual risks. The necessity to have BCP in place arises because even very unlikely events will occur if given enough time. Risk management and BCP are often mistakenly seen as rivals or overlapping practices. In fact these processes are so tightly tied together that such separation seems artificial. For example, the risk management process creates important inputs for the BCP (assets, impact assessments, cost estimates etc.). Risk management also proposes applicable controls for the observed risks. Therefore, risk management covers several areas that are vital for the BCP process. However, the BCP process goes beyond risk management’s preemptive approach and assumes that the disaster will happen at some point.

  8. July 21, 2013 at 1:23 AM

    The recommendation for the project risk management team is to evaluate the risks to the team’s objectives in a general sense. The primary evaluation should be on the impact to the project elements that complete the objectives. The team activities include a plan that addresses an analysis and response to any risk and how to track and respond to that risk. The risk event process should include an assessment form. The contingency plan should include time and financial cushions to handle unforeseen risks to the project. The team output includes executing the risk management plan and tracking changes that occur to the project and subsequently to the risk events. Constant updates on the risk assessments require the latest information to best address the risk (Gray & Larson, 2008, pp. 218-219).

  9. lug
    July 31, 2013 at 4:45 PM

    Do you mind if I quote a couple of your articles as long
    as I provide credit and sources back to your weblog? My
    blog is in the very same area of interest as
    yours and my visitors would genuinely benefit from a lot of the information you
    provide here. Please let me know if this alright with you.
    Thanks!

    • Norman Marks
      August 1, 2013 at 12:34 PM

      No problem

  10. July 31, 2013 at 8:21 PM

    There are two things in this definition that may need some clarification. First, the process of risk management is an ongoing iterative process . It must be repeated indefinitely. The business environment is constantly changing and new threats and vulnerability emerge every day. Second, the choice of countermeasures ( controls ) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: