Element 1: Embedding Risk Management

This information sheet is intended to assist Commonwealth officials at the Specialist and Executive levels understand how to test how effectively risk management is being embedded in their entity. It includes practical strategies for recognising and successfully embedding risk management in an entity’s day-to-day operations and decision-making.

Managing risk is a core responsibility of Commonwealth officials at all levels. However, the way in which individuals assess risk and their personal appetite for risk vary considerably. An entity’s risk management framework that is effectively embedded is an essential tool to encourage consistency in risk decision making.

The greatest test of how well risk management is embedded in an entity is the extent to which it influences decision making and behaviours. Some practical questions to test how well this is being achieved include:

• Is a risk assessment an essential part of key business processes and planning activities?
• Is there a culture of speaking openly about risks?
• Are risks routinely communicated and their management broadly discussed or are risks identified and managed in silos?
• How diligently do officials appointed ownership or stewardship of individual risks monitor and manage those risks?
• Is there a senior champion for risk management in the entity?
• Are risk governance arrangements such as a risk committee of the board, risk committee of management, or the discussion of risk as an agenda item of the board appropriately informed and influential?
• Do officials refer routinely to the entity’s risk appetite and ensure their decision making and risk judgements reflect the articulated risk appetite of the senior executive?
• When risks are realised, are they used to improve the management of similar risks, or are narrow solutions implemented?

It is important that risk management within a decision-making process adds value. Accordingly, the effort expended in considering risk needs to be commensurate with the level of risk itself. The following are some practical strategies which encourage the successful embedding of risk management.

Begin with objectives in mind

Each activity or process in an entity will ideally have objectives which link to the objectives of the entity. These objectives are the starting point for embedding risk management, as they define the critical measures of success against which risk must be most carefully managed.

For example, when planning for the delivery of critical and essential public services in a post natural disaster environment, the requirement for the rapid deployment of capability in affected areas may be more important than broad, sustained coverage. Hence, the initial focus of risk management in the activity might be identifying the risks to achieve this.

Develop risk processes that are fit-for-purpose and easy to implement

Where possible, weave the consideration of risk into existing activities or requirements. For example, in assessing risk during a major procurement project, add the consideration of risk into existing project reviews and gateway processes. Where possible, align project risk reporting into established project health status reports or dashboards. This encourages a culture where managing risk in a structured manner is an integral part of day-to-day management.

Identify where risk needs to be managed in an activity

The nature of risk in different business processes or activities varies, therefore risk management needs to be tailored. Some examples of risk management objectives or priorities in a typical process include:

• Understanding the relevant accountable authority’s appetite for risk in that process, and under what circumstances and against which outcomes they are prepared to accept it.
• Ensuring the process is not unacceptably affected by risks to which it is exposed from stakeholders and its supply chain. Sometimes these exposures will not be immediately apparent, however by identifying the risk up-front further information can be sought to ensure they are sufficiently understood.
• Managing and communicating where the process may expose others to risk (shared risk). For example, thinking about whether the burden of responsibility between different entities for delivery of a public service expose another entity to risk they are not well placed to manage.
• Understanding where risks are shared and may require several entities or partners to work collaboratively to manage the risk. This may require understanding the potential for cascading failures where a common cause or event can cause multiple risks to be realised.

Build staff awareness and encourage a positive risk culture

Embedding risk management is ultimately about influencing the manner in which decisions are made. However, officials can only embed risk management in their work if they understand and value it. As each entity applies risk management in different ways, it is important that staff understand the entity’s own unique requirements and expectations in addition to the basic theory of risk management.

Equipping staff to embed risk management requires:

• Risk management training relevant to an official’s role and responsibilities.
• Providing easy access to generic and agency specific risk management guidance materials.
• Establishing collaborative forums where staff can share how they have been able to successfully embed risk management in their activities. This may include encouraging ‘risk champions’ who can lead by example and mentor their colleagues.
• Ensure the management of risk, and the application of the entity’s risk management framework is an explicit component of performance management.

Engage the senior executive

How senior executives question and challenge the management of risk will be influential in determining the value staff perceive in it. Often referred to as ‘tone from the top’, the most senior executive can support the uptake and embedding of risk management by:

• Setting a personal example through the visible consideration of risk in their own personal decision making and ensuring that the entity’s strategic risks are managed consciously and communicated well.
• Treating issues and undesirable events as the realisation of risks. When things go wrong, asking whether the relevant risk had been identified, assessed and whether the treatment strategy was documented.
• Rewarding or recognising those who manage risk well. This includes supporting officials who took informed sensible risks but may not have achieved the outcome they had hoped for.

Embed risk management across the ‘three lines’

A common model for applying and embedding risk management within an organisation is referred to as the ‘Three Lines Model’. Working together, these three lines can be embedded within the operations of an entity as well as being aligned to the objectives of an entity. In doing so, audit and risk committees will be able to receive a comprehensive and holistic view of governance, risk and controls to make informed decisions.

This model consists of:

The first step in successfully embedding risk management into an organisation is to develop and implement a high quality fit-for-purpose risk management framework. This will be most effective where it provides clear guidance on how risk should be managed through:

• a risk appetite statement articulating what level of risk the entity should be taking
• clearly defined risk management accountabilities and responsibilities
• a common risk management vocabulary and process.

Building on this foundation and the strategies described above, some key steps to embedding risk management are included below:

1. Establish a staged plan with target maturity states at achievable intervals. Communicate success stories quickly to build momentum and encourage adoption.
2. Prioritise and focus on those processes where the positive outcome will be greatest. Commonly, governance and corporate planning processes provide significant benefit as they are often highly influential on senior decision making. Use these as models for further implementation.
3. Work with stakeholder and peer entities to share good practice and encourage consistency wherever sensible to do so.
4. Ensure that the entity’s change management processes require risk management to be an integral element and outcome of any change program.
5. Some specialist categories of risk may require their own risk assessment and management approaches. Ensure that these are as consistent as possible with the entity risk management framework.
6. Recognise that embedding risk management requires time to achieve, in part because it is as much about changing behaviours as it is about changing processes.

This information sheet is intended to assist Commonwealth officials at the Specialist and Executive levels to understand:

• how to effectively embed risk management within typical public sector operations and programs, with a particular focus on the procurement process
• practical examples and strategies for recognising and successfully embedding risk management in an entity’s decision-making and tender process
• the benefits that exist when an entity integrates and embeds risk management within its day-to-day operations.

This case study can be useful to newly created entities or entities wanting to incorporate risk and/or a risk-based approach into their procurement process in order to help them achieve their business and strategic objectives.

The following example provides information on how to successfully embed risk management within an entity’s enterprise wide business activities and ensure that risk information is used to inform decision making in the procurement process. This approach enables risk to be managed in a repeatable way when designing, implementing and delivering government outcomes.

In 2017, The Western Sydney Airport Co Limited (WSA Co) were tasked with the responsibility to build and operate Sydney’s new airport. The risk landscape that WSA Co were exposed to was particularly complicated and involved a heavy planning, design, construction and eventually an operational phase. WSA Co’s systematic approach to establishing a risk management framework, and embedding risk management thinking into the process of conducting procurement and stakeholder engagement illustrates how to successfully involve and align risk management within an entity’s strategic objectives.

Ensuring that risk management is prominent throughout an entity’s day-to-day activities can create an environment where there is a common understanding amongst stakeholders around the threats, vulnerabilities and potential opportunities the business faces. It allows for a more proactive response to mitigating and responding to the challenges an entity is presented with. Whilst it also facilitates informed business decisions that are aligned to and more accurately reflect the organisation’s landscape and strategic objectives.

When procuring and partnering with external service providers, the utilisation of risk-based thinking and assessment allows an entity to position itself with providers who are at similar risk maturity levels, alike in system establishment and implementation, as well as identifying the risks associated with the services to be delivered and by whom identified risks will be owned and controlled.

Given the constantly changing nature of the project, WSA’s strategy for risk management centred on:

• The early embedding of risk management into day-to-day business as usual
• A focus on core risk principles to align with the stage of the project
• Educate the organisation (human capital) to bring the business on the risk journey
• Resilience: Anticipating and planning for the long-term.

In order to effectively embed risk management into an entity’s operations from the beginning, WSA Co firstly established and implemented a successful fit-for-purpose Enterprise Risk Management Framework. Instead of targeting certain aspects of the project/company, WSA Co’s Framework set out the basic steps of Risk Management – Identification, Evaluation, Treatment, Monitoring and Reporting. By aligning their framework to core risk principles, this ensured that it could be easily adopted by the business regardless of the stage of the project.

The early establishment of these foundational risk Frameworks (See Diagram 1A) and subsequent targeted education and awareness of their principles allowed risk to be embedded as Business as Usual (BAU). The easier the process and the more it is integrated through training and awareness programs, the more likely employees will engage and incorporate risk management into their work. In this way, there was a greater level of consistency across the project and company with employees ‘speaking the same language’. Through this focus on education and risk-related training, WSA were able to change the perspective of risk management seen as predominately compliance-based. Thereby, laying the foundation for risk to be seen as essential to informing and shaping business decisions.

Diagram 1.A

When undertaking the essential business activity of the procurement of contractors, WSA incorporated a series of risk management requirements (cost, interface management, time, scope and safety) into the tender process. These aligned with WSA’s established frameworks and the ISO31000 requirements. This can be necessary to standardise and prioritise the approach to quality assurance in relation to procuring contractors used on the project, further assisting with the management of interface risk and ensuring consistent reporting regimes. Due to the significant level of procurement activities and related risks, WSA implemented a variety of controls to mitigate these risks. For example, this approach paved the way for a Probity advisor to be included and on-boarded as part of the procurement process, thereby safeguarding the business against any potential negative consequences arising out of engaging contractors.

As part of the evaluation process for a number of the main works package procurements, WSA held assurance and risk-based ‘interactives’ with principal contractors, which focused on safety as a primary risk topic. These sessions would involve holding a meeting with the leadership team as well as project directors and construction managers to discuss and formulate responses to risk-based scenarios. This process helped illicit frank and fearless discussions surrounding risk and assurance activities, whilst also helping WSA assess their alignment and compatibility with contractors.

Throughout this project, WSA has always ensured that risk remains prevalent when informing decision-making at the executive level, as well as the day-to-day operational level. A business case process was established to help inform commercial decisions that affect future operations. This process incorporated the assessment of risk and alignment of consequence outcomes with the organisations defined risk appetite statements. This allowed management and the Board to be presented with the relevant risk and consequence models associated with key business decisions. As a result of the risk-focused mentality of the entity, this process has continually been refined as the business matures and can be utilised for future commercial decisions.

Through these key steps:

• Establishing strong risk-based foundations
• Embedding risk from the beginning
• Working with and educating the business
• Implementing strong governance.

WSA Co were able to achieve a state of ‘business with a risk mindset’. Despite only being established for 4 years, they have successfully awarded all main works contracts, adapted to COVID-19, maintained continuity of operations, achieved their safety targets and are forecasted to be on-time and on-budget. In 2020, an ANAO performance audit of WSA’s procurement processes presented no recommendations or adverse findings, highlighting the maturity of their risk management capability. All of this can be heavily linked to building a strong risk culture and embedding risk into their operations, as a risk mindset has been fully demonstrated and embraced by the organisation.