Chapter 4: Integrating Risk Management
Risk management should be considered in all of an organisation’s practices and processes. This means that, in addition to being part of a dedicated risk function (if resources permit), risk management activities should be embedded into the policies, daily operations and decision-making processes of the organisation. By doing so, organisations can ensure that risk considerations are consistently applied across all functions and levels, leading to more effective and proactive risk management and better decision making.
Your agency should have dedicated risk policies and procedures in place. In addition, even policies and procedures which do not directly address risk should consider uncertainties that might impact their goals. This means identifying risks early and putting measures in place to handle them. Integrating risk management into your policies and procedures ensures risk is part of decision-making at all levels.
Policies need to be flexible and regularly updated to deal with new risks and changing circumstances.
Risk management practices should be embedded in the agency’s operations. Examples of this include:
- Developing standard templates and/or frameworks that guide staff through articulating and capturing risk requirements and risks in a structured way
- Providing risk-related training and support to front-line staff and risk owners
- Clear communication protocols and feedback loops between the risk function and business
- Clearly defined roles and responsibilities in risk management between the different internal parties
Risk management should be embedded into strategy development, planning and decision making. Planning is the process of determining a desired outcome, establishing objectives and then designing a course of action to achieve that outcome.
There is a clear link between planning and risk management. When setting up a strategic plan, an organisation's risk appetite should be considered. Strategic objectives can be put forward and discussed; if they are found to sit outside the organisation's risk appetite, they should either be rejected or the Risk Appetite Statement should be modified.
As part of the business planning process, the agency should identify and assess the operational risks linked to its business and operational objectives. Where risks are identified as beyond the agency's risk appetite, the agency should treat these risks to bring them to a level it can accept or tolerate. Resources for managing risks should also be part of the planning process.

Incorporating risk management into the agency’s strategic planning process may involve the following:
- Strategic assessment. Develop a general understanding of all sources of risks that affect the agency. Consider both the external and internal factors that could impact on the agency’s ability to achieve its objectives. This can involve exercises such as horizon scanning.
- Strategic development and planning. When developing your strategic objectives, you must consider the associated risks and opportunities. Risk assessment plays a crucial role in this step, as it allows you to analyse the effectiveness of current controls and identify residual risks. Based on the assessment results you can adjust delivery plans, policies and procedures to support the achievement of strategic objectives. Additionally, periodically reviewing the existing risk profile and Risk Appetite Statements, and merging risks where appropriate, can embed risk management into the strategic process.
Another benefit of integrating risk assessment at the strategy development and planning stage is that it helps to assign risk owners and identify performance indicators before implementing processes.
Effective project governance is essential for managing project risks. Project risks should be visible within the overall risk management process of the agency and managed alongside other ongoing risks, rather than in isolation. Following the completion of a project, risks identified during the project should be reviewed and an assessment made on next steps. If a risk does not close at the end of a project, it should be handed over to BAU. Project risk management should align with the agency’s wider risk management framework. By aligning the two, the agency will be able to identify and manage common project risks such as those related to poor project governance, flawed scope definition or sub-optimal resourcing arrangements.
NSW Treasury’s Investment Framework guidance material provides further guidance on considering risks in capital planning processes, including developing robust business cases. Risks identified in business cases should not just be captured in business cases; instead they should be integrated into organisational risk management for ongoing monitoring and reporting.
An agency may have specialist risk management functions, such as climate change, cyber, work health and safety, or organisational resilience. Where an agency maintains specialist risk management functions, the specialist risk management framework should align with the agency’s broader risk management framework.