Chapter 1: Risk Management Guiding Principles
Risk management helps agencies to identify, assess, and address potential risks. Maintaining a sound risk management function ensures the agency is equipped to manage uncertainties in a proactive manner. This delivers benefits to the agency, such as improved decision making and efficiency, while protecting resources and reputation.
The principles of risk management outlined in this toolkit are aligned with the AS ISO 31000: Risk Management Guidelines. This toolkit provides agencies with guidance and tools in various aspects of risk management to assist them in meeting their legislative obligations under the Government Sector Finance Act 2018 (GSF Act), TPP20-08 Internal Audit and Risk Management Policy for the General Government Sector (TPP20-08), and the governance and reporting requirements in TPG23-10 NSW Treasury Policy and Guidelines – Annual Reporting Requirements (TPG23-10).

Risk is the ‘effect of uncertainty on objectives’, as defined in ISO 31000.
When an agency undertakes an activity, risk is the possibility that the activity will not proceed as planned or will lead to an unexpected outcome. Risks are often thought of as having only negative effects; however, they can also have positive effects, or a combination of the two.
Risk should be considered in all activities and decision making undertaken by an agency. This gives the agency's activities the best chance of achieving positive outcomes in the face of uncertainty.
The purpose of risk management is to create and protect value within the agency. Risk management refers to the steps taken by an agency to identify and manage risks which may impact their activities and achievement of objectives.
Risk management is a systematic and transparent process which aids the agency in making decisions and achieving its goals.
Critical elements of effective risk management include:
- establishing clear ownership of risks, controls, and actions
- building strong risk practices and positive risk-aware behaviours
- considering risk from the start of a process, and either avoiding, mitigating, or accepting it within a set risk appetite
- involving risk management in any decision-making, business strategy, and operational choices, and
- exploring worst-case scenarios and deciding if they are acceptable within your risk appetite.
Incorporating risk management into all areas of the agency results in greater resilience, which helps you respond to change, seize opportunities, and make informed choices.
It is important that everyone in your organisation is aware of their responsibilities in managing risk. The Three Lines Model was developed by the Institute of Internal Auditors (IIA) to show the role of different areas of an organisation in managing risk. The responsibility of the three lines is as follows:
- The first line contains all staff who are accountable for work to deliver the objectives of the agency. Their role within the first line is to observe and own any risks which arise from their work, communicate these risks, and manage them appropriately with the support of the second line. Additionally, the first line is responsible for day-to-day risk management decision-making involving risk identification, assessment, mitigation, monitoring and management. This line will have processes in place to maintain effective internal controls and ensure a continual focus on risk management.
- The second line relates to functions that specialise in risk management and compliance. This line provides risk management support to the first line. Its role includes reviewing and monitoring the effectiveness of risk management, internal controls, and activities. It may have broad responsibilities such as enterprise risk management, or specialist risk responsibilities such as cyber, climate change, or work health and safety. The second line also oversees the level of risk in the agency relative to its risk appetite, and reports and escalates to the executive and relevant committees as necessary.
- The third line relates to functions that provide independent assurance and advice to the Accountable Authority (the AA) regarding the adequacy and effectiveness of the first and second lines. This is the line where internal and external audit sit.
If the agency has an Audit and Risk Committee (ARC), this sits outside of the three lines and has an oversight role. An ARC provides advice and guidance to the AA with input from the Chief Audit Executive (CAE) and Internal Audit team. While the Chief Risk Officer (CRO) and the risk management team report functionally within the agency, they also provide information to the ARC to support their oversight role.
A visual representation of the Three Lines Model for NSW can be seen below:

A risk management framework is the foundation established by an organisation on which its risk management process is built. A well-designed and implemented risk management framework provides the agency with a blueprint for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.
The purpose of a risk management framework is to embed risk management throughout the agency and provide a structure that facilitates the use of a consistent process to manage risk whenever decisions are made. This assists the agency in integrating risk management into all activities and functions.
Establishing a risk management framework is an ongoing process. The framework will evolve over time to reflect changes in the agency’s size, complexity, risks, and objectives.
A diagram of the development cycle of this framework, taken from ISO 31000 can be seen below:

A risk management framework helps the agency to make more informed decisions, but it is not fail-proof. Human error can occur; internal controls may be ineffective, may be circumvented by accident, or may be deliberately bypassed; and management can override decisions. This means no risk management framework can provide absolute assurance that the agency will achieve its objectives. With a robust risk management framework, however, the agency is more likely to achieve them.