Australian Government Agency’s Risk Management Guidance – The Good and the Bad
Whether you are new to risk management or not, you may enjoy a recent set of guidance that has been published by the Treasury Department of the government of New South Wales (in Australia).
In this post, I am going to highlight some of the good and – unfortunately – the bad from the guidance, with reference to their Executive Guide. The good far exceeds the bad, but the bad merits discussion.
The guide is driven by (believe it or not) valuable regulation: “NSW Treasury’s Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 09-05) requires department heads and governing boards of statutory bodies to establish and maintain a risk management process that is consistent with the current Australian/New Zealand (AS/NZS) standard on risk management. Standards Australia has adopted the international standard (ISO 31000), which it has titled AS/NZS ISO 31000: Risk management – Principles and guidelines.”
If you are not familiar with the global risk management standard, ISO 31000:2009 (which I recommend), the NSW guidance will get you started.
The Guide explains that:
“ISO 31000 consists of a set of principles, frameworks and processes aimed at improving decision making about risks and their management by reducing uncertainty and increasing the likelihood that organisational objectives will be achieved. It is not a compliance standard, but instead provides principles-based guidance on best practice.
“Risk management, like other management systems, should be designed to meet an agency’s specific needs.”
This accurately spells out the value of risk management. It is not in the periodic report and discussion of risk at executive and board meetings! It is in the ability to provide quality information to decision-makers across the enterprise and drive better decisions every day – and through them the achievement of objectives.
The Preface to the Executive Guide makes a statement that I only wish was true:
“Our tolerance for ineffective risk management is diminishing.”
Unfortunately, few organizations seem aware of the limitations of their ability to manage risk. They are satisfied with, at best, periodic reviews of top risks. They do not understand the need to consider risk in the processes of setting strategies, managing performance, and making decisions every day.
The Guide repeats the definition of ‘risk’ in ISO 31000: “Risk, in ISO 31000, is defined as the effect of uncertainty on your agency’s objectives. This can mean both negative and positive effects on your objectives. While risk is inevitable, it can and must be managed.”
It explains a risk framework and says:
“ISO 31000 provides a risk management framework to embed the process for managing risk throughout your agency, including your overall governance, strategy, planning, budgeting, management, and reporting processes and policies.”
“This means, for example, that you should formally consider risks:
- in your strategic, business and workforce planning processes
- in your budgeting processes
- when developing and implementing:
  - new or revised policies or programs
  - new strategies, projects or activities
  - significant changes to an initiative, project or level of activity
- in all capital projects
- in procurement processes.”
The Guide includes a discussion of the features of an effective risk management framework and includes some questions to help you assess it. It continues with a useful discussion of an effective risk management process.
When it comes to its discussion of risk criteria (a term I far prefer to either ‘risk appetite’ or ‘risk tolerance’), I believe the Guide makes a very subtle error when it restates the global standard. It starts correctly with “To prioritise your risks, you need to have a scale or terms of reference to evaluate them against; these terms of reference are defined in ISO 31000 as ‘risk criteria’. You must define your risk criteria before conducting a risk assessment.”
However, while ISO 31000 talks about “the nature and types of causes and consequences that can occur and how they will be measured”, the Guide only talks about “the type of consequences that will impact on objectives”.
It omits the word “nature”.
Why is this important?
Almost everybody focuses exclusively on the level of the impact and its likelihood. They don’t consider other aspects of the consequence and whether it is acceptable. These might include:
- The speed of onset of any potential adverse effect. When bad stuff happens quickly, there is little time to prepare any defense or other response. The faster the impact, the less likely it is to be acceptable.
- The volatility of the risk. When the potential impact can vary significantly, it may be acceptable one minute and unacceptable the next. This should be considered when setting risk criteria.
- The ability or capacity of the organization to address any potential impact. If management takes a long time to make decisions and respond to risk, it may be necessary to set the acceptable level lower.
- The duration and longer-term effects of the risk. How long will any effect endure, and how long will it take to recover? The longer the duration, the less likely it is to be acceptable.
- Whether this risk, should the impact occur, would reduce the organization’s ability to respond to other risks. Not only may a single adverse situation have multiple effects, but it may lower the capacity to absorb other adverse events. For example, one regulatory violation is significant in itself, but it also lowers the ability to countenance a second violation – even if it is in another area.
The discussion of risk assessment starts, appropriately, with risk identification and says “Risk management is iterative: your list of risks will not be static and will evolve over time”. This is good. Risk identification and assessment is a continuous task.
However, the discussion of risk assessment seems to assume that this is a periodic exercise and heat maps are an effective tool. I disagree on both counts. Risk assessment should be continuous, and heat maps (as illustrated in the Guide) fail to tell the correct story. They show the size and likelihood of the potential impact, but not whether it exceeds risk criteria. That is what matters, not the absolute level.
The section on risk reporting ignores the fact that risk is ‘managed’ every day in decision-making. The Guide says “The frequency and content of reports should be tailored to the needs of individual stakeholders. Those stakeholders will include your Head of Authority or governing board, your agency’s executive, and the Audit and Risk Committee.” Why are stakeholders at lower levels ignored? Every manager is a manager of risk and needs quality information if they are to make quality decisions.
I have issues with some of the points made on barriers to effective risk management.
The first barrier they list is “You do not strongly link it to your objectives”. The problem is that you don’t identify risks and then link them to objectives. You consider the objectives and identify what uncertainty lies between you and achieving (or surpassing) your objectives. When you link risks to objectives and do not take the top-down approach of linking objectives to risks, there is a high risk that you will miss something.
The point on identifying the right risks is good until it says “Your agency’s key decision makers need a concise list of risks that accurately reflects the most significant risks your agency faces.” This may lead people to focus on their ‘top 20’ instead of all the risks that might have a significant impact on the achievement of objectives. It assumes that a small group reviews a list and makes risk decisions, instead of recognizing that every manager makes risk decisions pretty much every day.
What do you think?