Chapter 6: Collaboration and Best Practice
Collaboration is a central focus of improving risk management across the sector. By breaking down silos and collaborating, we can use risk management to detect and respond to changes in a timely manner. Information and perspectives should be supplemented by further enquiry as necessary, should reflect changes over time, and should be appropriately evidenced.
Communication and consultation should:
- bring together different functions and areas of professional expertise in the management of risks
- ensure that different views are appropriately considered when defining risk criteria and when analysing risks
- provide sufficient information and evidence to facilitate risk oversight and decision making
- build a sense of inclusiveness and ownership among those affected by risk
- raise the profile of the risk conversation and keep consideration of risk at front of mind
Risk registers are an effective way to ensure key stakeholders are aware of the full range of risks that the agency faces, how these risks might evolve, and the risk control strategies in place to manage them.
A risk register is a list of the risks that the agency has identified and assessed as part of its risk management process. Large or complex agencies may benefit from developing a hierarchy of multiple risk registers. By having this holistic view, key stakeholders can make more informed decisions in how these risks are managed. Keeping up-to-date risk registers also helps the agency to meet its information obligations to Audit and Risk Committees, Boards, and other relevant stakeholders.
Responsibility for maintaining the risk register should be assigned at each level of the agency. For example, the whole-of-agency risk register should be compiled and maintained by your CRO. It is important to maintain an audit trail of when changes are made to the risk register.
For further information on how a risk register is developed and the information it might contain, please see Appendix E.
Risk reporting is the regular sharing of risk information with decision makers to enable them to fulfil their risk management obligations[1]. Accurate and timely reporting of risk information is an essential part of good governance.
In some situations it can be helpful to focus not just on current risks, but also on ‘worst-case risks’ which enable stakeholders to make decisions while being aware of all possible outcomes.
Risk reports should be aligned with the governance arrangements of the agency and be customised to reflect your structures, committees and functions. This will inform things such as:
- The frequency and timeliness of reporting
- How reporting is integrated with planning and performance management processes
- Links to organisational objectives
- The method and format of reporting
- The scope of strategic risk updates
- The requirements of stakeholders
[1] Risk reporting is governed by the State Records Act 1998; State Records Regulation 2015; C2021-05 Managing Records in NSW Government; Privacy and Personal Information Protection Act 1998 (NSW); Privacy and Personal Information Protection Regulation 2019 (NSW) (PPIP Regulation).
There are multiple different types of report which each serve different purposes in risk reporting. These include strategic risk reports, operational risk reports, emerging risks, and deep dive reports. The CRO is usually responsible for producing these reports and optimising the frequency and content of the reports to meet the needs of the agency.
Please see Appendix F for examples of strategic and operational risk reports, and their purposes.