Chapter 2: Risk Governance
Good governance, as it applies to the public sector, is a set of responsibilities, policies and procedures, exercised by an agency’s executives to provide strategic direction, ensure objectives are achieved, manage risks, and use resources responsibly. Creating and providing an architecture by which the agency considers and manages risk ensures that the aims of the agency are central to all risk-related decisions.
Some organisational actions which demonstrate good governance around risk are:
- the AA and senior management consistently demonstrating a commitment to identifying and managing risks, creating a positive and risk aware ‘tone from the top’, and an overall positive risk culture
- a commitment to risk ownership from all stakeholders with clearly defined roles and responsibilities
- enabling and facilitating responsible risk behaviours across the organisation
- ensuring that sufficient resources are committed to implementing the risk management framework in the organisation
- ensuring risks are appropriately identified, assessed and managed, and
- regular functionally-independent reviews of risk management processes
It is important to facilitate responsible risk behaviours across the organisation. Activities that support this include:
- ensuring the AA has endorsed the risk management policy
- communicating the benefits of risk management to all staff
- ensuring that all staff feel comfortable reporting risks, and risk management strategies
- identifying performance indicators that will enable you to measure how well the agency manages risk, and
- ensuring that decisions are made in accordance with the agency’s risk appetite.
2.1.1 Risk appetite and the Risk Appetite Statement
Defining an agency’s risk appetite through a Risk Appetite Statement (RAS) is one way for an agency to support a common stance towards risk through an agency. A RAS defines the amount of risk that the agency is willing to take in pursuit of its strategic objectives.
An agency’s risk appetite may vary depending on the strategic objective, or the type of risk. Risk appetite can also vary over time.
A RAS is most effective when it has been agreed by an agency’s Executive team, communicated through the agency, is used to drive decision-making, and is regularly refreshed so it remains relevant.
Clear role descriptions, expectations and lines of accountability are an essential part of both good governance and good risk management. The Three Lines model provides a systematic approach that may be used to help clarify the specific roles and responsibilities that are necessary for the effective management of risks.
Leadership is ultimately responsible for ensuring the agency has sufficient capable and competent staff to implement and maintain your risk management framework. They must ensure that all staff:
- have job descriptions that clearly define and assign their accountabilities
- receive sufficient training and development to build their risk-related competencies
- review risk accountabilities and responsibilities during performance appraisals, and
- are empowered to take ownership of and escalate risks throughout the agency.
Different roles in the agency will have significantly different risk responsibilities. To ensure these are clearly communicated, a capability matrix can be used to record for each position or level in the agency:
- the risk management roles undertaken
- the capability required to perform these roles
- how to develop this capability, including induction, and ongoing learning and development.
For many operational or front-line staff, the capability required may simply be an understanding of your agency’s approach to risk management and knowledge of key operating procedures, work health and safety, and hazard reporting systems.
Guidance is available in Appendix A on the different roles which may be found in the agency, and their risk related responsibilities. Not all roles will be necessary in all agencies.
Training and development are central to uplifting and maintaining the risk-related capability of staff and increasing awareness of risk management throughout the agency. In conjunction with leadership, your risk management function should identify and address the agency’s training needs.
Training may be delivered through your internal learning and development area, or through an external provider. Ideally this training should be a mandatory component of continued professional development within the agency.
Programs are most successful when they:
- are tailored to suit the needs of the agency and the varied risk management capability needs of your staff,
- use a range of training delivery mechanisms, and
- are regularly reviewed and developed as risk management capability improves and the needs of the agency change.
Capability can also be uplifted by providing additional opportunities for staff members who show an interest or ability in risk management. For example, you might provide opportunities for staff to act in other roles within the agency, or to participate in specific risk management-related projects.
Training needs should consider roles, competencies and capacity (see 2.2 above).