Element 2: Risk Management Framework

This information sheet is intended to assist Commonwealth officials at the Specialist level. It outlines the core elements of a risk management framework, and suggestions on how to embed it within your entity.

A risk management framework is a set of components that set out the entity arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout an entity. Aside from the requirements of the Commonwealth Risk Management Policy, there is no standard format for a risk management framework as each entity will tailor their framework to meet their specific requirements.

An overarching risk management policy

As per element two of the Commonwealth Risk Management Policy, an entity’s risk management framework should include a risk management policy. An entity’s risk management policy is a document that communicates to all stakeholders why and how it manages risk and refers to other components of the risk management framework to provide additional detail. A key role of the risk management policy is to provide a clear and meaningful mandate for the entity’s risk management framework. It is important that the accountable authority understands and endorses the policy as this signifies to all officials the expectation that the policy is an essential part of their day-to-day work.

An overview of the entity’s approach to managing risk

Effective risk management frameworks generally describe the risk management processes to be used in the entity. This may include a common process for the assessment and management of individual risks including:

• risk identification - how and when risks are identified,
• risk assessment - how risks are assessed (likelihood, consequence, vulnerability, speed of onset etc), and
• risk treatment - the entity’s approach for treating risks (mitigate, share, transfer, accept etc).

Key risk management responsibilities

In line with element four of the Commonwealth Risk Management Policy, an entity’s risk management framework should also clearly define the risk management responsibilities of officials, including the following:

• Accountable Authority
• Chief Risk Officer (if applicable)
• Senior Executives
• Audit Committee
• Risk Committee (if applicable)
• The risk management function
• Risk owners
• Control owners
• Treatment owners
• All staff

How the entity will report risks to both internal and external stakeholders

A risk management framework should also outline the lines of reporting and escalation in relation to an entity’s risk profile. Risk reporting is important to provide information on the monitoring of risk against the objectives of the entity. It allows for risks to be escalated if they are realised or can be used to proactively report risks before they are realised in cases when tolerance limits and triggers are breached.

Risk reporting is most effective when it is embedded into decision making and business processes. Information that is reported can include what the risk is, what it means, who needs to know and what actions can be taken.

The attributes of the risk management culture that the entity seeks to develop

Risk culture is the set of shared attitudes, values and behaviours that characterise how an entity considers risk in its day-to-day activities. The risk management framework has an important role to play in defining the characteristics of a positive risk culture in an entity and the practical measures which will be implemented to encourage it.

For guidance on fostering risk culture, see Comcover’s information sheet Developing a Positive Risk Culture.

An overview of the entity’s approach to embedding risk management into its existing business processes

Risk management is of greatest benefit when aligned and integrated with other business processes. The framework can assist in this regard by describing how the entity’s risk management program supports the achievement of its objectives and is integrated into the entity’s business processes.

To support the understanding and embedding of risk management, the framework can be used to define the risk management concepts and categories of risk applicable to the entity. Categories enable risks to be aggregated and reported upon so that material risks can be shared with senior management to support decision making.

The framework has an important role to play in ensuring risk management within the entity is as consistent as possible, particularly where specialist categories of risk (such as business continuity and work health and safety) may have their own requirements and processes.

For further guidance on embedding risk management, see Comcover’s information sheet Embedding Risk Management.

How the entity contributes to managing any shared or cross jurisdictional risks

A shared risk is where more than one entity is exposed to or can significantly influence the risk. The Commonwealth Risk Management Policy requires entities to implement arrangements to understand and contribute to the management of shared risk.

Examples of such arrangements that can be documented in an entity’s risk management framework can include:

• definitions and examples of shared risk that will be relevant to the entity
• responsibilities for managing shared risk
• mechanisms for identifying, monitoring and reporting on the management of shared risk.

For further guidance on shared risk, see the information sheet Managing Shared Risk.

The approach for measuring risk management performance

Like any business process, risk management is most effective when it is efficient and aligned against the requirements and objectives of the entity. To assist with assessing risk management performance, the risk management framework can describe relevant measures of success and how these are to be assessed.

How the risk management framework and entity risk profile will be periodically reviewed and improved

An entity’s risk appetite and risk exposure changes over time. Accordingly, it is important that an entity’s risk management framework is reviewed and continuously improved. Entities may consider including the following four review activities as part of their risk framework:

• reviewing the entity’s risk management framework for its fitness for purpose and compliance with external requirements,
• mechanisms to measure and encourage compliance with the framework,
• review of the entity’s risk profile and its overall exposure, and
• review of individual risks being managed and their relevant controls and treatments.

For further guidance on reviewing a risk management framework, see Comcover’s information sheet Reviewing a Risk Management Framework.

For further guidance on reviewing an entity risk profile, see Comcover’s information sheet Maintaining an Entity’s Risk Profile.

As entities requirements differ significantly, it is not possible to prescribe a single approach to designing a risk management framework. However, it is often best to build the framework progressively over time, embedding each element in turn. The highest priority elements are typically to: Draft and publish the risk management policy, establishing the importance of structured risk management and assigning key responsibilities,PUBLISH publish a common language for risk and a core risk management process, and DEFINE define key entity responsibilities for assessing, managing and reporting risk. An example of a process to develop a new risk management framework:

Often, a message of personal commitment by the accountable authority can be a useful addition to a risk management framework and help convey its importance and relevance to all staff.

Successful implementation will also require a well-planned education and awareness program including specific training on how to use the risk framework. Intranet portals can provide convenient access points for the risk management framework and any supporting tools, templates or guides.

This information sheet is intended to assist Commonwealth officials at the Foundation, Generalist and Executive levels understand:

• the purpose and benefits of defining an entity’s risk appetite,
• the concepts of risk appetite and tolerance and the difference between them,
• examples of how risk appetite and tolerance statements can be expressed in practice,
• how to undertake a review of an entity’s risk appetite and tolerance statements, and,
• steps to embed risk appetite within an entity.

Risk appetite is the amount of risk that an entity is willing to accept or retain in order to achieve its objectives. Determining and articulating an entity’s risk appetite assists entities to make better choices by considering risk more effectively in decision making.

While a risk assessment enables an entity to understand its risk exposure, it is risk appetite that defines how much risk the entity will accept. Only by comparing risk appetite and exposure can the entity assess if it is maintaining the right level of risk and appropriately balancing threats with opportunities.

Supporting conscious and informed risk taking

By defining how much risk the entity is willing to accept, officials can make informed choices about taking on new programs, improve efficiency, and reduce delays in decision making. Risk appetite provides structure to this conversation and communicates explicitly what is acceptable.

Promoting more consistent risk management

An entity’s risk appetite communicates broadly how much risk is acceptable, or indeed desirable, enabling more consistent risk taking throughout the entity.

Guiding risk decision making and seizing opportunities

Risk appetite statements can increase the transparency of the decision making process by enabling officials to better understand the entity’s position on risk. It allows officials to better identify opportunities for further risk taking or identify areas where unacceptable risk taking is occurring.

Structuring the executive conversation on risk taking

Senior executives can often find it challenging to articulate appropriate levels of risk taking. A structured approach to articulating risk appetite facilitates this process and encourages useful debate on what constitutes desirable, acceptable and unacceptable risk.

Calibrating the entity risk assessment process

Most entities use likelihood and consequence tables and ‘heatmap’ matrices to assess the severity of individual risks. In turn, these risk severity ratings typically determine the acceptability of the risk or define the treatment approach to be followed. If these are not calibrated, the resultant actions may be skewed either too lightly (e.g. no action required) or result in an over-controlled risk response.

A carefully developed risk appetite can support the development of these narrative statements often used to describe different levels of risk. Indeed, for entities with otherwise mature existing risk frameworks, these can form a starting point for developing risk appetite.

Risk appetite statements are a series of behavioural statements that guide decision makers. Together, risk appetite and tolerance form the key components of a risk appetite statement. They help officials understand the risks they face, and measure whether or not the risk being taken is acceptable in the pursuit of business objectives.

Some key questions are to be considered when formulating a risk appetite statement:

• How much risk do we need to take to achieve our objectives?
• How much risk are we willing to take?
• How do we get the most out of what we do, within constraints?
• What activities do we currently do to manage our risk and to what extent?
• Where do we need to do more?
• Where should we do less, allowing us to put our efforts into where it matters most?

Although the specific content and format will vary in line with the needs of individual entities, a risk appetite statement is typically a short document containing:

• a clear statement of endorsement of the senior executive, reinforcing the importance of informed risk taking,
• a definition of what the risk appetite statement is and how it is to be used,
• a high level statement of the entity’s risk appetite, including its overall attitude to risk taking and acceptance, and
• a series of risk tolerance statements, typically aligned against risk categories/sub-categories (where additional detail is desired) or strategic objectives. They are often presented in a tabular format and describe the relative level of tolerance for that nature of risk, ranging from very low tolerance to very high tolerance, and the conditions, caveats and limitations in exercising that risk tolerance.

The risk appetite statement should be an integral element of an entity’s risk management framework. They must be tailored to each entity and consequently will look and feel different according to an entity’s internal and external context. For example, larger more complex entities may have more detailed risk appetite statements, including more detailed tolerance statements and some quantitative measures.

Risk tolerance statements operationalise risk appetite statements as they can relate to specific categories of risk or particular strategic objectives. They support an entity’ risk appetite by defining specific limits for risk taking behaviour for a given risk area or strategic objective – i.e. ‘low’, ‘limited, ‘moderate’ or ‘high’.

Simple examples of risk tolerance statements relating to risk categories are provided below:

Figure 1: Risk tolerance statements – Risk Categories

Depending on the maturity of an entity’s risk management function, a better practice approach could be to align risk tolerance statements with outcomes. This may help provide a greater level of context for officials at the operational level as to how their engagement with risk relates to the achievement of broader business objectives. Articulating behavioural statements that outline what kinds of behaviours are encouraged and discouraged in line with the risk tolerance levels also reaffirms what is expected of officials in their interaction with risk.

It is also beneficial to identify the current and target tolerance level in relation to the business area of focus or strategic pillar. This enables an entity to be able to focus their attention on those areas of focus that require the most change and helps paint the picture of the desired risk taking levels into the future.

Figure 2: Risk tolerance statements – Strategic objectives / Area of focus

Below is an example six step process that could be followed by an entity in the course of developing, defining and implementing their risk appetite statement:

1. Appoint a core reference group

It may be useful to bring together a small core reference group of key subject matter experts, staff members and senior leaders to design, draft, refine, workshop, test and embed an entity’s risk appetite statement. Key factors to the success of the project was keeping this group small and selecting only those who were actively going to work together and be available to see the project through to its completion.

2. Review current risk profile

A review of an entity’s enterprise risk profile can be conducted to identify key risk themes and to obtain an understanding how the current risk profile can translate to their objectives. These themes assist in understanding the context, priorities and sensitivities of an entity which can be used in order to inform subsequent discussions when defining risk appetite and tolerance levels.

3. Interview the entity’s senior executives and define risk appetite statement

An entity’s senior executive should be a valuable reference point to consult, discuss and agree on the overarching risk appetite for the entity. These discussion will feed into and help define the risk tolerance statements for each particular objective. A considered approach to these conversations can be adopted to encourage a useful debate as to what constitutes desirable, acceptable and unacceptable risk, including asking the following questions:

• What does good-risk taking look like?
• What types of risks are unacceptable?
• Under what circumstances should you accept risk?

These discussions can draw on actual and historical behaviour and consequences for clues about relative tolerance, both between objectives and within objectives. Consideration as to where the entity would invest resources to achieve particular objectives and manage the associated risks can be used as inputs into understanding the relative priority and tolerance of one objective to another. All of this information can be used to workshop and define an entity’s initial risk appetite statement.

4. Engage with Subject Matter Experts to build and refine statements

After the initial definition of risk appetite and tolerance levels, it could be necessary to consult particular stakeholders and SMEs within the entity who have responsibility for particular risks and objectives. These discussions can help refine and validate appetite and tolerance levels, providing the entity with a greater level of assurance that these statements are accurately capturing an entity’s appetite and viewpoint in relation to risk management.

5. Governance committee validation

Prior to the risk appetite and tolerance statements coming into effect, endorsement from an entity’s Risk Committee could be sought in order to obtain final review and validation.

6. Incorporate and communicate

After the articulation of new appetite and tolerance statements, the risk management framework also needs to be updated to reflect and ensure alignment with these statements. This could involve potentially updating the consequence and likelihood criteria for an entity’s risk assessment matrix, including any governance or escalation requirements.

In order to effectively embed and entrench risk appetite and tolerance statements, extensive communication and distribution of these statements should be undertaken by senior leaders. By setting the ‘tone from the top’ and clearly articulating risk appetite and tolerance levels, the understanding of acceptable risk taking should cascade throughout the entity.

After an entity has defined their risk appetite and tolerance statements, the next challenge can be to ensure that these are properly incorporated into an entity’s risk management approach and reflected in day-to-day practices. The following considerations could be useful in safeguarding this process and ensuring that risk appetite and tolerance is embedded within an entity:

Don’t start from scratch – build on what you have

It is important to build on an existing risk culture and framework when seeking to implement and embed risk appetite and tolerance statements. Rather than just dismissing what is already in place, acknowledging what exists and how the entity is viewing acceptable risk taking behaviour going forward will better help staff understand this new approach.

Ensure that there is strong messaging from leaders

It is essential to have strong leadership and communication from senior executives to drive the acceptance and understanding of risk appetite and tolerance across the entity. Support and availability to answer questions from senior leaders can create an environment where everyone within the entity considers risk their responsibility and engages with the entity’s risk appetite and tolerance. The language used by leaders needs to be familiar and comfortable with all stakeholders, ranging from the bottom of the entity to the top.

Keep it simple

Don’t add detail into the statements just for the sake of it as more detail doesn’t necessarily improve understanding. Using a simple visual slider to discuss relative tolerance can be helpful to bolster staff’s ability to comprehend the statements.

Make the statements easily accessible through wide circulation

When seeking to establish risk appetite and tolerance statements, it is important that all staff are able to easily identify and locate where these documents exist. This can be done through strong messaging and communication from the top down to circulate the statements, or the existence of an easy-to-use central repository that provides staff access to them.

This information sheet is intended to assist Commonwealth officials at the Foundation and Generalist levels. It outlines the steps of the risk management process, including:

• Identification, analysis, evaluation and treatment of risks,
• Communication and consultation,
• Monitoring and review, and
• Recording and reporting

The risk management process described in AS/NZS ISO 31000:2018 Risk Management – Principles and Guidelines is one way of achieving a structured approach to the management of risk. Consistently implemented, it allows risks to be identified, analysed, evaluated and managed in a uniform and focused manner.

ISO 31000 recommends that risk management be based on three core elements:

• A set of principles that describes the essential attributes of good risk management, which support the creation and protection of value;
• A risk management framework that provides a structure for risk management within an entity or activity that is underpinned by leadership and commitment; and
• a risk management process that prescribes a tailored, structured approach to understanding, communicating and managing risk in practice. 

Diagram 1: Source - IS0 31000:2018 Risk Management Principles and Guidelines

Establish the scope, context and criteria

In order to understand and manage risk, it’s first necessary to understand your entity’s objectives and operating environment. Establishing the scope, context and criteria are the first of the eight risk management steps where the objectives and influences of the risk management process are defined.

The first activity is to define the scope, which involves agreeing on the objectives of the entity or the activity being considered. Objectives can include those which are both explicit (those objectives that are well defined, for example ‘we will increase client satisfaction feedback by five percent’) and implicit (those objectives that might be undocumented but are expected, for example ‘we will obey the law’). It is also important to consider outcomes, inclusions/exclusions, resourcing requirements and relationships with other projects.

Secondly, it is important to consider the internal and external context:

• The external context - the environment in which the entity operates and seeks to achieve its objectives including policy, operational, cultural, social, political, people, environmental, legal, regulatory, financial, technological and economic factors. Other things to be considered include key drivers and trends that impact upon the objectives, and the relationship with, and expectations of, external stakeholders.
• The internal context - includes those factors within the entity that may impact the achievement of the activity. Factors typically considered in the internal context include the entity’s strategic objectives, organisational capabilities and culture.

Understanding the context also requires identifying relevant stakeholders. The most important stakeholders include organisations which may expose the entity to risk, are exposed to an entity’s risks, or be able to help an entity manage risk.

The final step is to define its risk criteria by specifying its risk appetite and tolerance relative to objectives. This should be aligned with the entity’s risk management framework, take into account the scope and context, and be consistently communicated within the entity.

Risk identification

The aim of this step is to develop a comprehensive and tailored list of uncertain future events in the future that are likely to have an impact (either positively or negatively) on the achievement of the objectives these are the risks.

Risks need to be documented including key elements such as the potential cause and consequence should the risk be realised.

Thorough exploration and identification of potential risks is critical to the success of any risk assessment. It is important not be too narrow or constrained. Often referred to as a ‘failure of imagination’, care needs to be taken to ensure that the identification process does not just focus on today’s challenges but rather also considers a diverse range of sources including risk events that are emerging or in the future.

It is important to consider actions, scenarios, events and other external agencies that may give rise to risks. For each risk identified ensure that its source or cause is well understood and documented. It is also necessary to identify and understand the consequences of the risk, this allows for an appropriate categorisation of its severity.

A number of techniques can be used during risk identification and assist in the discovery process. These can be sophisticated and highly structured, or more informal, depending on the purpose and context of the assessment being undertaken. Common techniques include the use of risk categories or linking risks to each objective identified in the context setting phase. Another method is to begin thinking of the threats and opportunities the entity faces, and use these to identify relevant risks.

Other key points to consider include:

Include all risks – even those that cannot be controlled - This can include shared risks that are controlled by contractors or subsidiary organisations. It is important that you are aware of any shared risks, although you cannot actively manage them, you can confirm that the other organisation is managing the risk well and be an active stakeholder in their risk management process.

Considering cascading risks and ‘knock-on effects’ - It is important to recognise that small seemingly insignificant risks or events, once combined, can have far greater effects. Similarly, it is important to consider how many of your risks are likely to occur at the same time due to causal factors and their nature. Again, broad consultation will aid in the identification of these knock-on/cumulative effects.

Considering the cumulative effects of many risks - Consider the manner in which risks managed within business units such as branches or groups can have greater effects than anticipated should they escalate.

Emerging and future risk - how far ahead do you look - When performing a risk assessment it is important to note there is a difference between current, emerging and future risk, and the risk assessor should ensure that risk identification considers all three time-frames. The nature of the organisation and environment will dictate how far ahead and how often future risks should be considered.

• Current risks are those risks that are visible and realisable in the current timeframe. They are the traditional focus of many risk assessments as they are the threats that are being managed actively right now.
• Emerging risks are those risks that are just on the horizon, they do not have the ability to directly affect the organisation right now. They need to be tracked and regularly reviewed to understand if they are transitioning into current risks and need treatment.
• Future risks are those risks that are further into the future. Their shape, scale and speed of onset are typically unknown, but by not identifying these risks there could be a future impact upon the organisation or activity. How often should risk identification be undertaken? - The frequency of the risk identification process is largely defined by how rapidly the organisation’s environment is changing. In an environment where the risks are stable and unchanging year on year, annual risk identification would be sufficient to keep abreast of emerging risks that may be on the horizon.

However, in an environment where the risk landscape is constantly changing it is important to be constantly scanning for risks that may not have been present before, but are now directly threatening the ongoing viability of the organisation if they are realised. In the same manner, an organisation in a changing environment may need to continually review their risk register for risks that are no longer relevant.

Risk analysis

Risk analysis rates the potential impact of each risk and its likelihood of occurrence. The combination of these two factors determines the severity of the risk, which may be positive or negative. Although there are many ways to achieve this, a common approach is to use a matrix or ‘risk heat map’. Consequence and likelihood are plotted on the two axes of the matrix, with each corresponding cell assigned a level of severity.

Likelihood - Likelihood is an assessment, based upon information available and past experience, of how probable it is for the risk event to be realised. It can range from not likely to certain.

Consequence - Consequence is an assessment, based upon the information available and past experience of the impact of a risk event being realised.

Risk severity - Risk severity is the calculation based upon the likelihood and consequence rating of the risk, generally through the use of a risk matrix, that rates the risk as low, moderate, high or extreme. Illustrated below is an example of a simple residual risk severity matrix.

Inherent Risk - is the level of risk to the organisation when no action has been taken to mitigate or reduce the risk. Simply put it is the risk before any treatments or controls are put in place.

Residual Risk - is the level of risk to the organisation that remains after controls have been put in place.

The specific matrix employed would likely be defined in an entity’s risk management framework and should be considered and agreed in the ‘establish the scope, context and criteria’ step.

Whilst entities may use different processes for analysing risk, it is important that each entity ensures all risks within its organisation are assessed consistently. Where risks are shared between organisations, good communication is required to ensure each stakeholder understands the ownership and severity of the risks.

Other key points to consider in relation to risk analysis include:

• Ensuring that the risk analysis undertaken is comparable with the magnitude of the risk being assessed
• Interdependence – how risks can affect each other and become more severe
• The speed of onset – some risks are easier to identify as they begin to take shape over days, weeks, months or even years and there is value in recognising the aspect of speed of onset when analysing risks
• Qualitative v quantitative analysis - whilst some risks have never happened before and therefore do not have previous data, others are present in many organisations and are realised on a regular basis. These risks can be analysed using past data which may provide a more accurate likelihood of the risk being realised and consequence being calculated. When considering quantitative and qualitative data for use in the analysis of a risk, it is important to determine the availability of data sources and the integrity of that available data.

Risk evaluation

Risk evaluation determines the tolerability of each risk. Tolerability is different from severity. Tolerability assists to determine which risks need treatment, and their relative priority, by comparing the severity of the risk against the level of risk you are willing to accept.

At its simplest, an entity might decide that risks above a certain severity are unacceptable, and risks below this are tolerable. More sophisticated approaches might assign risk acceptance delegations for risks of increasing severity to officials of different levels of seniority.

The concept of risk appetite and tolerance are key considerations. It is important for those in charge of an organisation to be mindful of how much risk an organisation is comfortable with being exposed to. This appetite for risk should be articulated within the organisations risk appetite statement and should provide details of when the entity is willing to accept higher levels of risk, under what circumstances, and what level of control and monitoring is required.

Decisions on tolerability should also be made after considering the broader context of the risk including the impact of the risk upon other entities outside of the organisation. It is important to note that not all risk is inherently bad, therefore carrying the right level of risk can be necessary in order to achieve an entity’s objectives.

Treatment decisions should consider financial, legal, regulatory and other requirements. Ultimately though, the considered and informed acceptance of risk supports decision making and is essential to entity performance including the achievement of objectives.

Risk treatment

Risk treatment is the action taken in response to the risk evaluation, where it has been agreed that controls in place are deemed ineffective and additional mitigation activities are required.

Risk treatment is an ongoing process where individual risk treatments (or combinations of treatments) are assessed to determine if they are adequate to bring the residual risk levels to a tolerable or appropriate level. If not, then new risk treatments are generated and assessed until a satisfactory level of residual risk is achieved.

Risk treatment will be most effective where it is tailored to the requirements and capabilities of the entity and can include strategies such as:

• Avoiding the risk entirely by not undertaking the activity
• Removing a source or cause of the risk
• Sharing the risk with other parties
• Retaining the risk by informed decision
• Taking more risk to achieve certain objectives or opportunities
• Changing the likelihood and/or consequence of the risk through modifying controls in place.

Selecting the most appropriate treatment requires balancing the cost and effort of implementation against the benefits derived from additional risk mitigation. In some cases, further treatment may be unachievable or unaffordable and the residual risk may need to be accepted and communicated. Entities may wish to consider how external stakeholders can provide support when developing treatment options or if treatments can be implemented collaboratively.

Risk treatments are commonly documented in a risk treatment plan. These can include:

• reasons for treatment selection, including expected benefits and potential hazards
• accountabilities for approving the plan and responsibility for its implementation
• resource requirements
• reporting, assurance and monitoring requirements
• priorities, timing and schedules.

Communication and consultation

Communication and consultation is an essential attribute of good risk management. Risk management cannot be done in isolation and is fundamentally communicative and consultative. Hence this step is, in practice, a requirement within each element of the risk management process.

Formal risk reporting is only one form of risk communication. Good risk communication generally includes the following attributes:

• encourages stakeholder engagement and accountability
• maximises the information obtained to reduce uncertainty
• meets the reporting and assurance needs of stakeholders
• ensures that relevant expertise is drawn upon to inform each step of the process
• informs other entity processes such as corporate planning and resource allocation.

Different stakeholders will have different communication needs and expectations. Good risk communication is tailored to these requirements.

The development of a communication plan, may aid in the communication of risk. The purpose of this plan is to ensure that the right information is communicated to the right people at the right time. It may include information such as the entity’s attitude and approach to risk management, the risk profile, and specifics around control responsibilities and actions.

Risk communication encourages transparency of risk, leading to a more risk-aware organisation and a positive risk culture.

Monitoring and review

Risks change over time and hence risk management will be most effective where it is dynamic and, evolving and responsive. Monitoring and review is integral to successful risk management and entities may wish to consider articulating should articulate who is responsible for conducting monitoring and review activities.

Key objectives of risk monitoring and review include:

• detecting changes in the internal and external environment, including evolving entity objectives and strategies
• identifying new or emerging risks
• ensuring the continued effectiveness and relevance of controls and the implementation of treatment programs
• obtaining further information to improve the understanding and management of already identified risks
• analysing and learning lessons from events, including near-misses, successes and failures

Monitoring and review can be both periodic and/or based upon trigger events or changing circumstances.

The frequency of the review process should be commensurate with the rate at which the entity and its operating environment is changing.

Recording and reporting

The risk management process is most effective when well documented and shared. It may be included in formal risk reports to be recorded and published internally and externally as appropriate and should also be used as an input to reviews of the whole risk management framework.

Key objectives of recording and reporting include:

• Communicating risk management activities and outcomes
• Inform corporate planning and decision making
• Improve risk management activities
• Assist interaction with stakeholders

As part of the documenting the risk management process, your risk report should include:

• How you defined the environmental context you were operating in (for example undertaking an analysis of the political, environmental, social, technological, legal, economical and internal organisational conditions)
• How you undertook your risk assessment – including identification of controls and treatments (for example through a facilitated workshop)
• When you will implement your treatments (for example treatments will be triggered as per the guidance of your risk management framework or if the risk goes beyond the tolerance set by the risk owner that it has been endorsed by your Deputy Secretary)
• Who you communicated and consulted with throughout the process (such as key internal and external stakeholders who can effect or be effected by your work)
• Your monitoring and review process and schedule.

A risk report can be a tool to provide evidence that the risk assessment process and actions arising from it were thought through in a structured process before being actioned.

The aim of this case study is to assist Commonwealth officials at all levels, including senior executives service officials to understand:

• the benefits of establishing an effective risk management framework,
• how an entity can utilise an overarching enterprise risk-based framework to inform operations and successfully implement risk-based practices, and
• how an entity can employ tailored risk tolerance and appetite statements into their program in order to encourage innovation and more active engagement with risk.

This case study can be useful to entities with existing risk management frameworks or entities wanting to refresh their approach to strategic risk management.

This case study provides information on how to successfully incorporate a risk management framework when implementing a program within a complex risk environment. It outlines how to use a risk management framework, in conjunction with risk appetite and tolerance statements to embed best practice risk management into business processes, in order to achieve strategic objectives.

This case study on Operation IRONSIDE outlines how the AFP employed risk-informed practices to conduct an investigation into serious and organised crime allegedly responsible for large drug importations, trafficking and attempts to kill. The AFP and FBI carried out a targeted operation to exploit an encrypted communication platform in 2018 in order to covertly penetrate the criminal environment. This involved the AFP using their risk management framework as an integral reference point to devise their core business and operational process to build capability that allowed law enforcement to assess, decrypt and read communications on the platform. Once the AFP obtained access to the encrypted communications, there was the need to identify, analyse and use the information in a timely and meaningful manner that would benefit the investigation.

Figure 1: Operation IRONSIDE risk profile

A risk management framework is a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation. Implementation of a risk management framework assists in the prioritisation of activities, identification of opportunities and the creation of early warning mechanisms to manage risk that may impede organisational objectives.

A Risk Management Framework utilised in planning

There were a number of challenges and risks that the AFP faced in relation to carrying out Operation IRONSIDE. Not only was there difficulty in garnering the ability to access encrypted information, but there were prominent legal and compliance risks that were also applicable in potentially restricting the AFP’s ability to use this information as evidence for investigation, arrests and eventual prosecution. The current law enforcement operating environment involves a number of complexities, including expectations of the AFP and the Australian Government, sensitive international relationships and volatile circumstances caused by dynamic and evolving risks. It was therefore paramount that the AFP adopted appropriate planning and ongoing refinement in order to enable effective management of operational, safety, legal and reputational risks while still achieving the desired outcome of infiltrating underground criminal networks.

Though the operation was an innovative, risk-informed initiative, it was still delivered through the standard police processes and procedures at the planning, implementation and resolution stages. All of these procedures were underpinned and shaped by the entity’s overarching risk management framework that set out the parameters and helped guide the AFP through the difficult operating environment along the way.

In order to combat the increased safety and compliance risks that materialised in the resolution stage of the project, the AFP initiated strong governance relating to operational planning, investigational practices and operational safety from the beginning of the project. Fundamental and well-informed processes were adopted through the risk-based governance framework that ensured accountability and integrity requirements were met and managed at a high standard.

Ongoing implementation

The management of the risks referenced in Figure 1 was ongoing throughout the operation and included the establishment of a Board of Management involving senior executives which regularly reviewed progress and the relevant risks. This encompassed maintaining an overarching risk assessment and treatment plan as a living document through regular review and endorsement.

The AFP leveraged their existing framework to establish a strong operational risk assessment process that was tailored and made applicable to the operation at hand. This risk assessment process helped inform a calculated approach whereby deliberate and meticulous decisions were made based off risk-information. This approach sought to balance the magnitude and nature of risks against the value of the potential outcome.

Risk appetite and tolerance statements allowed for innovation

The amount of risk an entity is prepared to bear informs planning and operational constraints and is outlined in a risk appetite and tolerance statement. In the case of the AFP, a higher tolerance for risks was adopted and allowed for the trialling of innovative approaches to achieving the targeted outcome of decrypting the criminal communications. This enabled them to strive for enhanced efficiency and effectiveness in carrying out the variety of tasks associated with this operation. This deliberately higher tolerance developed by the AFP and FBI in Operation IRONSIDE facilitated the innovative approach that created opportunities for them to address risks posed by gaining access to the criminal use of encrypted communications. There was a level of flexibility in the existing overarching risk management framework that allowed for a tailored and novel approach that encouraged a more active engagement with AFP’s risk landscape.