Chapter 7: Continual Improvement
Continual improvement is an important part of risk management as it helps the agency adapt to changing circumstances and situations. Agencies are operating in an increasingly volatile and complex environment, with new threats emerging quickly. Transparency and accountability are more important than ever when managing the impacts of risks.
By regularly and proactively updating risk management strategies, the agency can ensure that potential threats are identified efficiently - even with frequent changes in technology, regulations, and government priorities. In addition to safeguarding assets and ensuring compliance, this approach promotes a culture of resilience and innovation, and is a key driver for meeting community expectations and ensuring long-term success.
Continual improvement can be achieved by utilising the agency’s monitoring, review and evaluation processes to identify changes to improve the efficiency and efficacy of your risk framework. The agency should:
- Periodically review the performance of the risk management framework against its purpose, implementation plans, indicators and expected behaviour; and
- Determine whether elements of the framework remain suitable and effective in supporting the objectives of the agency.
Evaluations can be in the form of self-assessments, management reviews, or independent audit. Some questions which may be considered in the evaluation include:
- Does your risk management framework demonstrate good practice, and is it aligned with the standard (ISO 31000) and the needs of the agency?
- What are the background indicators telling us about the performance of systems and operations, and are they effective in measuring performance?
- Is the framework effectively implemented, and how well is it integrated into operations?
- Does the framework support the effective identification, management, and review of critical risks?
- Does the agency have an effective continuous improvement program? How are improvement opportunities identified, prioritised, implemented and monitored?
- How do the agency’s senior leadership promote a positive risk culture?
- What can we learn from any incidents that have occurred previously and how can these learnings be implemented?
Key Risk Indicators
Key Risk Indicators (KRIs) provide a way to effectively monitor and review the progress and performance of the risk management activities adopted by the agency and provide early warning of potential future events.
KRIs are most effective when they relate directly to agency objectives, are embedded in the agency’s performance management and reporting system, and provide actionable information.
It can also be useful to monitor the progress of implementing risk treatment plans as a qualitative performance measure. As the agency’s risk management maturity increases, you can develop other key risk performance indicators that measure the level of performance of a particular item or activity.
For example, the agency can monitor:
- Changes to the consequence or likelihood of a risk: If the agency requires a certain number of staff with specialised skills to be recruited within a particular timeframe to deliver a project, your actual recruitment rate may be an indicator of the likelihood, and therefore overall risk, of not delivering the project.
- Changes to the effectiveness of your controls: If the agency’s firewall is your major control against the risk of being hacked, the number of failed attempted firewall breaches can be an indicator of the effectiveness of your firewall.
- Processes and activities as they are performed or implemented: You can monitor the controls implemented by individual risk owners to ensure that risks are being managed most appropriately.
KRIs should be included in risk management reports to the executive and, where relevant, the agency’s ARC.
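As an added illustration of the two KRI types described above (a control-effectiveness measure based on blocked firewall attempts, and treatment-plan progress as a qualitative measure), the following Python is example code written for this chapter, not a tool from the guidance. The log format, the amber/red thresholds and the treatment plan are all constructed assumptions; an agency would substitute its own firewall export and its own risk register.

```python
"""Constructed KRI calculations for an executive/ARC risk report (example only)."""
from collections import Counter
from datetime import date

# Constructed sample firewall log (assumed format: timestamp action source -> destination:port).
SAMPLE_FIREWALL_LOG = """\
2024-03-04T09:01:12Z DENY 203.0.113.7 -> 10.0.0.5:22
2024-03-04T09:01:15Z ALLOW 198.51.100.2 -> 10.0.0.5:443
2024-03-04T09:02:40Z DENY 203.0.113.7 -> 10.0.0.5:3389
2024-03-05T10:11:00Z DENY 203.0.113.9 -> 10.0.0.6:22
2024-03-05T10:14:00Z ALLOW 198.51.100.2 -> 10.0.0.5:443
2024-03-06T11:00:00Z DENY 203.0.113.12 -> 10.0.0.5:445
2024-03-06T11:00:30Z DENY 203.0.113.12 -> 10.0.0.5:22
2024-03-06T11:01:00Z DENY 203.0.113.12 -> 10.0.0.5:3389
2024-03-06T11:02:00Z DENY 203.0.113.12 -> 10.0.0.5:8080
"""

# Constructed treatment plan for one risk; statuses and due dates are illustrative.
TREATMENT_PLAN = [
    {"action": "Patch internet-facing servers", "owner": "ICT", "due": date(2024, 3, 1), "status": "complete"},
    {"action": "Enable MFA for remote access", "owner": "ICT", "due": date(2024, 3, 15), "status": "in progress"},
    {"action": "Review firewall rule set", "owner": "Security", "due": date(2024, 2, 20), "status": "in progress"},
    {"action": "Staff phishing awareness session", "owner": "HR", "due": date(2024, 4, 30), "status": "not started"},
]


def parse_firewall_log(text):
    """Turn each non-empty log line into a record keyed by calendar day."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, action, src, _arrow, dst = line.split()
        records.append({"day": timestamp[:10], "action": action, "src": src, "dst": dst})
    return records


def denied_per_day(records):
    """KRI 1: count of blocked (DENY) attempts per day, oldest day first."""
    counts = Counter(r["day"] for r in records if r["action"] == "DENY")
    return dict(sorted(counts.items()))


def kri_status(series, amber, red):
    """Rate the latest period against fixed thresholds and against the average of prior periods.

    A rising value that is still below the amber threshold is the early warning the
    chapter refers to: it is reported as 'rising' even though the rating stays green.
    """
    days = sorted(series)
    latest = series[days[-1]]
    prior = [series[d] for d in days[:-1]]
    baseline = sum(prior) / len(prior) if prior else 0.0
    if latest >= red:
        rating = "red"
    elif latest >= amber:
        rating = "amber"
    else:
        rating = "green"
    return {"period": days[-1], "value": latest, "baseline": baseline,
            "rating": rating, "rising": latest > baseline}


def treatment_plan_progress(plan, as_of):
    """KRI 2: percentage of treatment actions complete, plus any overdue open actions."""
    complete = sum(1 for a in plan if a["status"] == "complete")
    overdue = [a["action"] for a in plan if a["status"] != "complete" and a["due"] < as_of]
    return {"percent_complete": round(100 * complete / len(plan), 1), "overdue": overdue}


def kri_report(log_text, plan, as_of, amber=3, red=6):
    """Assemble the lines a risk owner would put in the report to the executive and ARC."""
    control = kri_status(denied_per_day(parse_firewall_log(log_text)), amber, red)
    progress = treatment_plan_progress(plan, as_of)
    lines = [
        f"Blocked firewall attempts ({control['period']}): {control['value']} "
        f"(prior average {control['baseline']:.1f}) - rating {control['rating'].upper()}"
        + (", trend rising" if control["rising"] else ""),
        f"Treatment plan: {progress['percent_complete']}% complete",
    ]
    for action in progress["overdue"]:
        lines.append(f"  Overdue action: {action}")
    return lines


if __name__ == "__main__":
    for line in kri_report(SAMPLE_FIREWALL_LOG, TREATMENT_PLAN, as_of=date(2024, 3, 6)):
        print(line)
```

The thresholds are deliberately a parameter rather than a constant: as the chapter notes, an indicator is only useful when it is tied to the agency's objectives, so the amber and red levels should be set by the risk owner from the agency's own history and revisited as part of the periodic review.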
When improvement opportunities are identified, the agency should develop plans and assign tasks to those accountable for implementation. Small improvements can be done on a continuous basis as they are less likely to require major changes.
Any actions taken should contribute to improving risk management in the agency. Below are some useful tools to support continual improvement of the risk management framework.
Continuous risk management learning enhances risk management performance, as it uses your agency’s existing knowledge and recent experiences to achieve agency-wide behavioural and cultural change.
This knowledge can be sourced from both previous risk management decisions and from the experiences of other agencies. This kind of knowledge can be shared through working groups, information sessions, learning events, newsletters and other publications.
These lessons should be continually captured, evaluated, and acted upon.
The TPP20-06 Treasury Risk Maturity Assessment Tool aims to support the improvement of risk management, culture and capability across the NSW public sector.
The tool is a good starting point to identify the current level of the agency’s risk maturity, and how you can reach your desired level of risk maturity. It provides a uniform approach to self-assessment.
Your risk maturity assessment should result in a program of activities that will support the agency in lifting its level of risk maturity.