Element 8: Risk Management Capability

The aim of this information sheet is intended to assist Commonwealth officials at the Specialist and Executive levels. Topics covered include:

• an overview of the core aspects of risk management capability
• different areas to consider when determining a target level of risk management capability
• practical tips on how to build risk management capability.

Effective risk management requires an entity to think holistically about the capabilities they need to effectively manage risk and determine if there are any capability gaps that should be prioritised to improve the management of risk across the entity. This information sheet provides high level guidance to support element eight of the Commonwealth Risk Management policy; Maintaining risk management capability.

Building risk management capability requires developing a vision for risk management and tailoring resources to areas that will have the biggest impact. Consider each of the areas outlined below to determine where improvements may be made to the risk capability of your entity.

Risk systems and tools – Ranging in complexity, risk systems and tools are designed to provide storage and accessibility of risk information that complement the risk management process. The complexity of risk systems and tools often range from simple spreadsheets to complex risk management software and are most effective when they are proportionate and adaptive to the needs of the entity.

The availability of data for analytics and monitoring, risk registers and profiles, and dashboards and reporting will assist in building risk capability. However, this will only be possible if the systems and tools are well maintained, the information is rich and up to date, and training and support is provided.

Considerations:

• Are your current set of risk management tools and systems effective in storing the required data to make informed business decisions?
• Are your current set of risk management tools and systems too complex for the risk exposure of your business?
• Are there opportunities to redesign, redevelop or rebuild the risk management tools and systems used in your entity to improve utilisation and functionality that will assist in building risk capability?
• How effective are your risk systems in providing timely and accurate information for communication to stakeholders?

People capability – A consistent and effective approach to risk management is a result of well skilled, trained and adequately resourced staff. All staff have a role to play in the management of risk. Therefore, it is important that staff at all levels of the entity have clearly articulated and well communicated roles and responsibilities, access to relevant and up-to-date risk information, and the opportunity to build competency through formal and informal learning and development programs.

Considerations:

• Are risk roles and responsibilities explicitly detailed in job descriptions?
• Have you determined the current risk management competency levels and completed a needs analysis to identify gaps and learning needs?
• Do induction programs incorporate an introduction to risk management for all levels of staff?
• Is there a learning and development program that incorporates ongoing risk management training tailored to different roles and levels of the entity?
• Do you have risk champions and risk professionals within the entity who could take on a risk mentor role?
• Is risk part of the conversation? Are risks regularly raised in discussions?

Managing risk information – Successfully assessing, monitoring and treating risks across the entity is dependent on the quality, accuracy and availability of risk information and supporting documentation.

Driving a consistent approach to the sourcing, recording, and storage of information will improve the reliability and availability of required information to different audiences. Providing information that is tailored to different audiences and levels throughout the entity is important. This ensures that risk is effectively measured and managed, and informed decisions that will support the entity’s strategic objectives are made. Using risk information available both internally and externally to the entity will provide a greater opportunity to identify risks before they arise. 

Considerations:

• Have you identified those data sources that provide you with the required information for a complete view of risk across the entity?
• What external data sources are available to you for a forward looking, proactive approach to risk management?
• Have you considered how external data sources may assist in identifying emerging risks?
• How can you use the external environment to inform you of potential risk events, for example, changes in Government, the economic environment, unemployment rates etc?
• Is there an opportunity to subscribe to databases that provide detail on external incidents that could provide insight into the scale and assessment of your risk?
• What is the frequency of collating risk information for delivery to different committees and audiences across the entity? Is it enough to satisfy the effective management of risk exposure?
• Do you have readily available risk information accessible to all staff that will assist in building capability and information sharing?
• How would you rate the integrity and accuracy of the available data?

Risk management processes – The effective documentation and communication of the risk management processes that support an entity’s approach to managing risk will provide a consistent approach to risk management and allow for clear, concise and frequent presentation of risk information to support decision making.

Considerations:

• When was the last time your risk processes were reviewed?
• Are your risk management processes well documented and available to all staff?
• Have you received any staff feedback on the effectiveness of implementation and the usage of risk processes across the entity?
• Do your processes support your Risk Management Policy?
• Do your risk management processes align to your risk management framework?
• Is there training available, tailored to different audiences, in the use of your risk processes?

• Consider the capability needs of the entity in terms of people, process, systems and information. Then do a needs analysis against each of these areas to determine gaps in risk management capability. For example; is your risk management information system/risk register fit for purpose? Does it capture all the relevant information you need for making informed business decisions in a timely manner? If the answer is no, what information do you need, and how do you build that capability into your information systems and decision making processes?
• Consider providing appropriate risk awareness training at all levels of the entity, including during induction of new employees and contractors. Consider what staff ‘must know’ to be effective in managing risk in their role and try to avoid the ‘nice to know’.
• Determine the frequency of risk awareness training for all levels of the entity, i.e. what should be completed during induction, what should be ongoing, what should be recertified on an agreed timeframe.
• Make risk information engaging and readily accessible on internal sites and keep this information current. The use of examples and eye catching graphics will draw staff to the content and often result in the information being better understood.
• Share knowledge in the form of case studies, war stories and lessons learnt. Consider establishing a portal that could store these stories, or informal information sessions that could cover the sharing of knowledge on a regular basis, perhaps quarterly for specialists. Sharing case studies etc. across business lines within an entity can reduce the likelihood of the same or similar risk events happening again.
• Keep risk management policies and processes up-to-date. If changes or updates are made to formal documents, consider publishing them on your intranet and communicate the changes. This is especially important if any changes have been made to roles and responsibilities.
• Determine whether risk management practices are applied consistently across your organisation. Consistency in risk management practices will result in a simpler aggregation of risk across the entity and provide a more accurate view of the risk exposure.
• Identify risk champions across different business areas that can assist in building the capability of staff, champion the use of risk information systems, and apply the risk management process and framework within their business area. Once identified, your risk champions should be involved in the distribution of any risk communications, raising awareness of risk training programs, and consulted for input and feedback on proposed changes to risk management processes.  Involving risk champions in consultations and risk specialist activities will assist in building a positive risk culture across the entity.
• Use simple and consistent language on entity wide risk information and risk resources that all staff will resonate with. Risk jargon is often misunderstood. 
• Use creative channels to build the capability of your staff, for example, the use of posters, risk awareness weeks, postcards, newsletter articles etc. Consider using your Communications team to assist in creating posters on different risk categories, such as cyber risk, and place the posters in common areas to raise awareness. Another option is to consider taking part in national/global risk awareness weeks such as Privacy Awareness Week or Business Continuity Awareness Week.  The attention created through subscribing to these awareness weeks can often assist in building risk capability on the identified topic across your entity.
• Identify opportunities to learn from others by subscribing to professional body publications, joining communities of practice and other collaborative forums. These provide an opportunity to network with like-minded individuals across a number of different industries and organisations. Remember that capability building can be both formal, such as structured learning and assessments, and informal, for example, lunch & learn sessions.
• Use Comcover’s risk management services including risk management training programs, seminars and educational resources, guidance, advice and consultancy services.

This case study is intended to assist Commonwealth officials at Specialist and Executive levels understand practical tips on how to build risk management capability.

This case study provides guidance for entities seeking to build their risk management capability, as modelled off the method used by Australian Financial Security Authority (AFSA). AFSA reformed its risk management approach in order to support staff to better navigate uncertainty and make effective decisions in their day-to-day work. This approach required the following key initiatives:

• Building risk management capability using a contemporary evidence-based risk framework
• Creating ownership and accountability by defining roles and capabilities at all levels
• Engaging the support of an external provider to train the agency risk team through a structured knowledge handover arrangement
• Distributing and rolling out co-designed guidance materials to clarify risk roles and support staff decision making
• Greater investment into ongoing staff training to help foster a strong risk culture

Successful risk management requires an entity to maintain an appropriate level of capability across its business processes, governance, projects and systems in order to effectively manage its risks. An appropriate level of risk management capability should be commensurate with an entity’s size and resources as well as the nature and complexity of its risk profile.

Improved risk management tools and systems

AFSA previously relied on risk registers and an enterprise-wide risk matrix, and used Microsoft Excel to document risks at various levels across the entity. While this system captured key information, the detail was often excessive and unmanageable. The agency decided to invest in a contemporary approach to risk management that instead focused on utilising objective sources of evidence to verify the actual effectiveness of critical actions, activities and measures that helped control key agency risks. By focussing on critical controls - and ensuring that objective sources of evidence can be used to regularly verify their effectiveness - there is greater confidence that risks are actually effectively managed.

As a result, risk registers were replaced with standalone critical control profiles and risk bowties. This approach uses streamlined visual templates to increase the focus on control effectiveness and identify where further effort is required to address control gaps. This approach helped provide a consistent approach to risk management that allowed for a clear, concise and meaningful presentation of risk information to support decision making.

Engaging an external provider

ASFA enhanced the capabilities of its risk team by partnering with an external provider to harness their knowledge of emerging risk management approaches. This ensured the requisite skills and knowledge needed to sustain the agency’s new risk management approach could be transferred to staff within the agency in a structured way. The knowledge transfer consisted of informal and formal training sessions, and on-the-job training and mentoring as the project progressed. Initially, AFSA staff supported the external provider’s facilitation of risk workshops, however by the project’s midpoint, AFSA staff were facilitating workshops with minimal support from the external provider. This arrangement led to AFSA’s risk team having the skills and confidence to apply and manage the new approach without the ongoing assistance of the external provider. This has ensured that AFSA’s risk transformation is self-sustaining.

Guidance documents

AFSA supported the uplift of risk management capability across the agency through the co-design of risk guidance material with the staff who were going to use them. AFSA consolidated its risk management framework, policy and plan into a single document (Managing Risk at AFSA), and used non-technical language to make it easier for staff to understand why risk management is important, how the agency manages risk and how it links to the Corporate Plan. Most importantly, the Managing Risk at AFSA document re-enforces that risk management is not a compliance activity, but a day-to-day component of everyone’s role. The document also outlines risk appetite and tolerance statements that identify supporting and inhibiting behaviours of risk decision making. This ensures that staff are able to make informed decisions and operate confidently within the entity’s risk tolerance and appetite. The guidance is not excessive in length and uses simple and consistent language that is easily understood.

Clearly defined risk roles

All staff have a role to play in the management of risk. Therefore, it is important that staff at all levels of the entity have clearly articulated and well communicated roles and responsibilities, and access to relevant and up-to-date risk information. AFSA equips staff to effectively manage risk through clearly defined staff roles and responsibilities with risk in its agency capability framework. Staff within these risk roles also have the opportunity to build competency through tailored risk reporting information sessions. These distinct roles ensure staff clearly understand their decision-making responsibilities and procedures for escalation.

AFSA decision making model

The AFSA Decision Making Model builds risk management capability by supporting all staff with a practical tool to help them make sound decisions that support the entity’s strategic objectives. The decision making model outlines 5 aspects of balanced decision making and is supported by guiding questions that help staff explore a range of aspects of the decision being made. The tool can help improve decisions by clarifying assumptions and highlighting all the elements of the decision being made.

The risk team co-designed the ‘AFSA Decision-making model’ with representatives of business areas across the agency. This collaborative approach was taken in order to develop a practical tool that would actually resonate with staff. It was introduced during the agency’s performance agreement cycle to better integrate risk management in performance discussions and encourage reflection about risk at every level.

The tool involves the following key elements:

• Wisdom: the capability of the decision maker/s to use personal judgement to rationalise aspects of the situation into a decision
• Authority: the authority that permits the decision to be made
• Perspective: the external context relative to the decision maker and the decision being made
• Outcomes: decision to act, or not to act will have a range of potential results
• Information: the evidence to support the logic of the decision

Figure 1: AFSA’s Decision Making Model

General staff training

AFSA conducted whole-of-agency training to build risk management capability and ensure a consistent approach to managing risk across the entity. The training sessions focused on practical day-to-day risk management and decision making, introduced AFSA’s new risk tools and systems, and was attended by over 90% of staff. Learning and development opportunities were tailored to the current competency level and risk management required of different roles and levels across the entity. AFSA also hosted a significant number of risk workshops for senior leaders and staff at all levels talking about controls, potential risk exposures and areas for improvement. Capability building is embedded long-term through refresher risk training for all officials, as well as a structured induction on AFSA’s approach to risk management for those new to the agency.