Risk Management Toolkit

Chapter 9: Appendices

On this page

Appendix A – Risk-related Accountabilities, Roles and Responsibilities
Appendix B - Drivers for improving risk culture
Appendix C - Tools to support the risk management process
Appendix D - Control Effectiveness Ratings Tables
Appendix E - Risk Register
Appendix F - Reporting

9.1 Roles and Responsibilities table

The table below outlines example risk-related responsibilities for various roles which may exist in the agency. Please note that this list is not fully comprehensive and only includes responsibilities related to risk.

These roles and responsibilities can support development of your agency’s risk management policy. Not all agencies will need all the roles set out in this table.

Role	Responsibilities
Accountable Authority/Governing Board of a Statutory Body	Has the ultimate responsibility for risk management and is the risk sponsor Ensures that there is an effective system of internal control over the financial and related operations of the entity Ensures that internal audit functions are established Determines the entity’s risk tolerance and appetite Ensures the implementation and regular review of the entity’s risk management plan Ensures that risk management is included in job descriptions, staff induction programs and performance agreements, and is considered as part of performance appraisals. Ensures compliance with current Australian/New Zealand standards and NSW public sector policies on risk management
Audit & Risk Committee (ARC)	Reviews whether management has a current and appropriate risk management process in place, and associated procedures for effective identification and management of financial and business risks, including fraud and corruption Reviews whether a sound and effective approach has been followed in developing and implementing risk management strategies in relation to major projects or undertakings Reviews the impact of the risk management process on the entity’s control environment and insurance arrangements Reviews whether a sound and effective approach has been followed in establishing business continuity planning arrangements, including whether disaster recovery plans have been tested periodically Reviews the fraud control plan to confirm that the entity has appropriate processes and systems in place to capture and effectively investigate fraud-related information.
Executive/Management Committees	Reviews activities with a focus on risk management Reviews risk treatment plans and risk management reports, including risk registers, and assessing them for completeness, accuracy, consistency, and use of a common language Reviews internal controls for efficiency and effectiveness May also have the executive authority to manage risks
Risk Management Function	Develops/leads the development of the risk management policy and strategy for risk management Acts as the primary champion for risk management at the strategic and operational level Designs and reviews the processes for risk management Builds a risk management culture within the agency, including appropriate staff training and development Provides advice and tools to staff to assist them in managing risk Co-ordinates the various functional activities relating to risk management within the agency Works with risk owners to ensure compliance with the risk management framework Collates and reviews risk registers for completeness and accuracy Prepares risk management reports for the ARC It is important to emphasise that the risk management function does not own the risks. Risk owners are responsible and accountable for risks, and this accountability must form part of their job descriptions.
Chief Risk Officer (CRO)	Leads the risk management function as the primary risk champion, including designing the entity’s risk management framework and managing the day-to-day activities associated with coordinating, maintaining and embedding the framework. The role does not have to be a dedicated one. In smaller agencies it is common for a staff member who has operational responsibility for some risks (e.g. Work Health and Safety or Project Management), and who understands risks and risk management, to be assigned the role of a CRO. More complex agencies may benefit from a dedicated role to ensure comprehensive and focused risk management. The role of the CRO is different from the role of the CAE. Appropriate safeguards be in place to address the threats to independence of both roles.
Risk Champion	Promoting risk management across the agency, or specifically within a particular agency function or project. Embeds risk management into the agency’s other systems and processes. Ensures that functional and project areas are using the agency’s risk management processes consistently. A risk champion may hold any position within the agency, but is generally a person who: Is responsible for supporting and driving particular aspects of risk management Has sufficient authority to intervene in instances where risk management efforts are being hampered by a lack of cooperation or through lack of risk management capability or maturity Is able to add value to the risk management process by providing guidance and support in managing difficult risk or risks spread across functional areas
Managers	Managing risk and ensuring that their staff perform their duties within the constraints of the agency’s ability to manage risk. This includes being responsible, within the sphere of their authority, for: establishing an environment that promotes an awareness of internal controls and responsibility for individual risks identifying uncertainties that will affect the achievement of agency objectives establishing policies, operating and performance standards, budgets, plans, systems and procedures to address identified risks and reduce them to an acceptable or tolerable level monitoring the effectiveness of controls carrying out self-assessments (where directed) to certify the effectiveness of controls addressing risks for which they are responsible (e.g. internal control self-assessments, which are completed by operating units, could be a mechanism that management can use to demonstrate this aspect of the internal control structure).
Chief Financial Officers	The person primarily responsible for financial management within an agency including preparation of financial information. Oversees the management of financial risk within the agency. Advises the Accountable Authority, who is accountable for financial performance. Oversees a program of internal controls to provide assurance on financial systems and information. This is required to be annually certified to the Accountable Authority that they have ‘effective systems, processes and internal controls to ensure that the monthly and annual financial information provided to Treasury is reliable’.
Risk Owners	Designs, implements and monitors risk treatments for a particular risk. Ensures that the risk is managed in accordance with the agency’s ability to accept or tolerate risk. The risk owner must be knowledgeable about the process or activity for which risks are being assessed, but may not necessarily be the person who implements the internal control
Staff, workers and contractors	All staff, workers and contractors must be aware of their responsibilities in managing risk in their day-to-day roles. This includes carrying out their roles in accordance with all policies and procedures, identifying risks and reporting these to relevant risk owners in accordance with reporting protocols. Staff, workers and contractors should also report ineffective or inefficient controls. All staff, workers and contractors should be aware of the risks that relate to their roles and activities.
Chief Audit Executive (CAE)	Oversees the planning and management of the agency’s annual internal audit program, and ensuring effective reporting of internal audit findings to the accountable authority, responsible executives and the ARC. Provides assurance that: risk controls are appropriately designed and effectively implemented the agency’s risk management framework is effective. control processes are effective and adequate Understanding the ARC’s assurance requirements.

Role

Responsibilities

Accountable Authority/Governing Board of a Statutory Body

Has the ultimate responsibility for risk management and is the risk sponsor
Ensures that there is an effective system of internal control over the financial and related operations of the entity
Ensures that internal audit functions are established
Determines the entity’s risk tolerance and appetite
Ensures the implementation and regular review of the entity’s risk management plan
Ensures that risk management is included in job descriptions, staff induction programs and performance agreements, and is considered as part of performance appraisals.
Ensures compliance with current Australian/New Zealand standards and NSW public sector policies on risk management

Audit & Risk Committee (ARC)

Reviews whether management has a current and appropriate risk management process in place, and associated procedures for effective identification and management of financial and business risks, including fraud and corruption
Reviews whether a sound and effective approach has been followed in developing and implementing risk management strategies in relation to major projects or undertakings
Reviews the impact of the risk management process on the entity’s control environment and insurance arrangements
Reviews whether a sound and effective approach has been followed in establishing business continuity planning arrangements, including whether disaster recovery plans have been tested periodically
Reviews the fraud control plan to confirm that the entity has appropriate processes and systems in place to capture and effectively investigate fraud-related information.

Executive/Management Committees

Reviews activities with a focus on risk management
Reviews risk treatment plans and risk management reports, including risk registers, and assessing them for completeness, accuracy, consistency, and use of a common language
Reviews internal controls for efficiency and effectiveness
May also have the executive authority to manage risks

Risk Management Function

Develops/leads the development of the risk management policy and strategy for risk management
Acts as the primary champion for risk management at the strategic and operational level
Designs and reviews the processes for risk management
Builds a risk management culture within the agency, including appropriate staff training and development
Provides advice and tools to staff to assist them in managing risk
Co-ordinates the various functional activities relating to risk management within the agency
Works with risk owners to ensure compliance with the risk management framework
Collates and reviews risk registers for completeness and accuracy
Prepares risk management reports for the ARC

It is important to emphasise that the risk management function does not own the risks. Risk owners are responsible and accountable for risks, and this accountability must form part of their job descriptions.

Chief Risk Officer (CRO)

Leads the risk management function as the primary risk champion, including designing the entity’s risk management framework and managing the day-to-day activities associated with coordinating, maintaining and embedding the framework.

The role does not have to be a dedicated one. In smaller agencies it is common for a staff member who has operational responsibility for some risks (e.g. Work Health and Safety or Project Management), and who understands risks and risk management, to be assigned the role of a CRO. More complex agencies may benefit from a dedicated role to ensure comprehensive and focused risk management.
The role of the CRO is different from the role of the CAE. Appropriate safeguards be in place to address the threats to independence of both roles.

Risk Champion

Promoting risk management across the agency, or specifically within a particular agency function or project.
Embeds risk management into the agency’s other systems and processes.
Ensures that functional and project areas are using the agency’s risk management processes consistently.

A risk champion may hold any position within the agency, but is generally a person who:

Is responsible for supporting and driving particular aspects of risk management
Has sufficient authority to intervene in instances where risk management efforts are being hampered by a lack of cooperation or through lack of risk management capability or maturity
Is able to add value to the risk management process by providing guidance and support in managing difficult risk or risks spread across functional areas

Managers

Managing risk and ensuring that their staff perform their duties within the constraints of the agency’s ability to manage risk.
This includes being responsible, within the sphere of their authority, for:
- establishing an environment that promotes an awareness of internal controls and responsibility for individual risks
- identifying uncertainties that will affect the achievement of agency objectives
- establishing policies, operating and performance standards, budgets, plans, systems and procedures to address identified risks and reduce them to an acceptable or tolerable level
- monitoring the effectiveness of controls
- carrying out self-assessments (where directed) to certify the effectiveness of controls addressing risks for which they are responsible (e.g. internal control self-assessments, which are completed by operating units, could be a mechanism that management can use to demonstrate this aspect of the internal control structure).

Chief Financial Officers

The person primarily responsible for financial management within an agency including preparation of financial information.
Oversees the management of financial risk within the agency.
Advises the Accountable Authority, who is accountable for financial performance.
Oversees a program of internal controls to provide assurance on financial systems and information. This is required to be annually certified to the Accountable Authority that they have ‘effective systems, processes and internal controls to ensure that the monthly and annual financial information provided to Treasury is reliable’.

Risk Owners

Designs, implements and monitors risk treatments for a particular risk.
Ensures that the risk is managed in accordance with the agency’s ability to accept or tolerate risk. The risk owner must be knowledgeable about the process or activity for which risks are being assessed, but may not necessarily be the person who implements the internal control

Staff, workers and contractors

All staff, workers and contractors must be aware of their responsibilities in managing risk in their day-to-day roles. This includes carrying out their roles in accordance with all policies and procedures, identifying risks and reporting these to relevant risk owners in accordance with reporting protocols. Staff, workers and contractors should also report ineffective or inefficient controls.
All staff, workers and contractors should be aware of the risks that relate to their roles and activities.

Chief Audit Executive (CAE)

Oversees the planning and management of the agency’s annual internal audit program, and ensuring effective reporting of internal audit findings to the accountable authority, responsible executives and the ARC.
Provides assurance that:
- risk controls are appropriately designed and effectively implemented
- the agency’s risk management framework is effective.
- control processes are effective and adequate
Understanding the ARC’s assurance requirements.

Appendix B - Drivers for improving risk culture

9.2 Drivers for improving risk culture

Drivers	Action
Values Statement	Including risk and risk management in a Values Statement, or similar, approved by the Accountable Authority. For example, by stating that ‘We value communication of risk information and the management of risk’.
Management demonstrating commitment to risk management	Communicating to staff the consequences of not demonstrating expected risk management behaviours Ensuring that risk is included on the agenda in relevant project or team meetings Conducting regular review of risk status, risk reporting and follow up actions Actively monitoring key risk indicators
Systems and processes	Designing agency-specific, fit-for-purpose tools, systems and processes to help people manage risk. Providing guidance to staff in the agency that use these tools and ensuring support is available
Organisational structure	Ensuring the organisational structure allows responsibility for risks in all levels, and risk treatment to be delegated.
Roles and responsibilities	Ensuring job descriptions refer to accountabilities and responsibilities for risk management Assigning leadership roles in risk management Addressing poor risk management behaviours and reviewing these as part of the staff appraisal process.
Performance agreements	Articulating risk management responsibilities in performance agreements
Desired versus actual behaviours	Measuring risk management culture and attitude through surveys into organisational climate surveys and performance management systems. Analysing results and recognise those who effectively identify or manage risk.
Effective communication	Ensuring that the agency communicates its reasons for managing risk and that these are commonly understood and agreed. Creating an environment where all staff feel comfortable discussing risk management issues, encouraging effective two-way communication about risks and their management. Ensuring that staff understand the agency’s tolerance for risk and when and to whom risks should be escalated.

Appendix C - Tools to support the risk management process

9.3.1 Methods or tools to identify risks

Methods or tools to identify risks:

checklists (lists of hazards, risks and control failures, based on experience, such as previous risk assessments or past failures)
self-assessment questionnaires
evidence-based methods, such as reviews of historical data
systematic team-based approaches involving experts
more specialised techniques, such HAZOP (Hazard and Operability studies)
audits or physical inspections
risk assessment workshops

Risks can be identified through these business activities:

assessment against standards
records of incidents or complaints
investigations
internal or external audit, or both
routine team meetings.

Some actions for risk identification:

consider possible sources of risk for the agency (or business unit, policy, program, project, etc.)
discuss possible areas of risk with key individuals, within and outside the organisation, including people who have a sound knowledge of the business (e.g. staff and management, external stakeholders and clients, and other subject matter experts); discussions could take the form of structured or semi-structured interviews, facilitated workshops or brain-storming sessions, informed by relevant and up-to-date information
identify potential risks to the organisation (or business unit, policy, program, project etc.) based on this consultation
document the identified risks in a risk register and the risk identification process that was used as well as stakeholders involved in the process.

Each method has strengths and limitations. Previous experience can guide risk identification, but may not be reliable for new processes, systems, or policies. Therefore, the agency should follow a systematic and disciplined approach that isn’t limited by past experience.

Risk identification should be integral to your strategic, business, operational, change management, and project planning processes. It should be part of daily activities, involving knowledgeable stakeholders. All risks should link to the agency’s objectives, identified when establishing context. This process should be continuous to identify new risks and validate existing ones.

9.3.2 Likelihood and Consequence Tables

These tables provide a foundation for an agency to tailor them to their own circumstances in development of their risk rating methodology.

Figure 4. Likelihood scale
Likelihood Rating	General Description	Historical	Probability
Almost Certain	Expected to occur in most circumstances involving normal operations.	Large number of known incidents within the department. Occurs regularly in the industry.	Predicted to occur in almost every operation of this kind (>90%)
Likely	Considerable opportunity and means to occur. Could happen at any time.	Regular incidents known within the department. Has occurred many times in the industry	Likely to occur in more than 1-in-2 operations of this kind (50%-90%)
Possible	Some opportunity and means to occur.	Few infrequent, random occurrences recorded within the department. Has occurred several times in the industry.	Likely to occur between 1-in-2 and 1-in-4 operations of this kind (25-50%)
Unlikely	Little opportunity or means to occur. Might happen, but not expected to occur.	No known incidents recorded or experienced within the department. Has occurred once or twice in the industry	Likely to occur between 1-in-4 and 1-in-20 operations of this kind (5%-25%)
Rare	Almost no opportunity to occur. Might happen, but probably never will.	Not known or reported to have ever occurred in the industry.	Highly unlikely to occur (<5%)

Figure 4. Likelihood scale
Likelihood Rating Almost Certain General Description Expected to occur in most circumstances involving normal operations. Historical Large number of known incidents within the department. Occurs regularly in the industry. Probability Predicted to occur in almost every operation of this kind (>90%)
Likelihood Rating Likely General Description Considerable opportunity and means to occur. Could happen at any time. Historical Regular incidents known within the department. Has occurred many times in the industry Probability Likely to occur in more than 1-in-2 operations of this kind (50%-90%)
Likelihood Rating Possible General Description Some opportunity and means to occur. Historical Few infrequent, random occurrences recorded within the department. Has occurred several times in the industry. Probability Likely to occur between 1-in-2 and 1-in-4 operations of this kind (25-50%)
Likelihood Rating Unlikely General Description Little opportunity or means to occur. Might happen, but not expected to occur. Historical No known incidents recorded or experienced within the department. Has occurred once or twice in the industry Probability Likely to occur between 1-in-4 and 1-in-20 operations of this kind (5%-25%)
Likelihood Rating Rare General Description Almost no opportunity to occur. Might happen, but probably never will. Historical Not known or reported to have ever occurred in the industry. Probability Highly unlikely to occur (<5%)

Figure 5 – Example Consequence Table
Category	Insignificant Minimal impact requiring only marginal remediation activities/management	Minor Small, local effects easily contained	Moderate Some impact or impact requiring remediation	Major Significant impacts/costs with some objectives not met	Extreme Catastrophic event threatening viability of function and objectives
Example 1: Financial/Built Assets	Barely noticeable financial impact easily absorbed within project or program budget	One-off under or overspend up to $10M or 5% of your budget	One-off under or overspend up to $25M or 15% of your budget	One-off under or overspend up to $100M or 25% of your budget	One-off under or overspend over $250M or 30% of your budget
Example 2: Health, Safety & Wellbeing	Physical or psychological Injury/ Illness requiring notification or treatment up to First Aid only.	Physical or psychological Injury/ Illness requiring professional medical treatment	Physical or psychological Injury/ Illness resulting in moderate temporary impairment or disability (up to 6 months).	Physical or psychological Injury/ Illness resulting in partial permanent disability or long-term temporary impairment (more than 6 months)	Single or multiple fatalities. Physical or psychological Injury/ Illness resulting in irreversible, total permanent impairment or disability

Figure 5 – Example Consequence Table
Category Example 1: Financial/Built Assets InsignificantMinimal impact requiring only marginal remediation activities/management Barely noticeable financial impact easily absorbed within project or program budget MinorSmall, local effects easily contained One-off under or overspend up to $10M or 5% of your budget ModerateSome impact or impact requiring remediation One-off under or overspend up to $25M or 15% of your budget MajorSignificant impacts/costs with some objectives not met One-off under or overspend up to $100M or 25% of your budget ExtremeCatastrophic event threatening viability of function and objectives One-off under or overspend over $250M or 30% of your budget
Category Example 2: Health, Safety & Wellbeing InsignificantMinimal impact requiring only marginal remediation activities/management Physical or psychological Injury/ Illness requiring notification or treatment up to First Aid only. MinorSmall, local effects easily contained Physical or psychological Injury/ Illness requiring professional medical treatment ModerateSome impact or impact requiring remediation Physical or psychological Injury/ Illness resulting in moderate temporary impairment or disability (up to 6 months). MajorSignificant impacts/costs with some objectives not met Physical or psychological Injury/ Illness resulting in partial permanent disability or long-term temporary impairment (more than 6 months) ExtremeCatastrophic event threatening viability of function and objectives Single or multiple fatalities. Physical or psychological Injury/ Illness resulting in irreversible, total permanent impairment or disability

9.3.3 Risk Matrix

Appendix D - Control Effectiveness Ratings Tables

Example Control implementation / operational effectiveness table

Rating Category	Control Design
Very Strong	Will substantially reduce risk. High degree of automation or documented formalised processes.
Strong	Will substantially reduce risk. High degree of automation or documented formalised processes. Rare exceptions. Places reliance on knowledge/actions of key persons.
Adequate	Designed in such a way it will reduce risk. Expected to fail at times, however within acceptable appetite. Places reliance on knowledge/actions of key persons.
Limited	Designed in such a way it will reduce some aspects of risk. Likely to fail requiring remedial effort and actions. Places heavy reliance on knowledge/actions on persons to manually address exceptions/incidents.
Weak	Poor design even when used correctly. It provides little or no protection. Only addresses part of the risk requiring additional work arounds or manual processes to make up for deficiencies. Extreme reliance on knowledge/actions of key persons.

Rating Category

Very Strong

Control Design

Will substantially reduce risk.
High degree of automation or documented formalised processes.

Rating Category

Strong

Control Design

Will substantially reduce risk.
High degree of automation or documented formalised processes.
Rare exceptions.
Places reliance on knowledge/actions of key persons.

Rating Category

Adequate

Control Design

Designed in such a way it will reduce risk.
Expected to fail at times, however within acceptable appetite.
Places reliance on knowledge/actions of key persons.

Rating Category

Limited

Control Design

Designed in such a way it will reduce some aspects of risk.
Likely to fail requiring remedial effort and actions.
Places heavy reliance on knowledge/actions on persons to manually address exceptions/incidents.

Rating Category

Weak

Control Design

Poor design even when used correctly.
It provides little or no protection.
Only addresses part of the risk requiring additional work arounds or manual processes to make up for deficiencies.
Extreme reliance on knowledge/actions of key persons.

Rating Category	Implementation
Very Strong	The control operates consistently as intended and is being correctly applied by the vast majority of users. Never known to fail in the past, highly unlikely to fail in a short to mid-term.
Strong	The control operates on a mostly consistent basis and is being applied correctly by most users. Control is mature and unlikely to fail significantly within 12-month period. Has significantly addressed the risk.
Adequate	The control operates as intended at least half of the time by sections of control users. The control has experienced a failure in the past 12 months but is not expected to experience more in the immediate future.
Limited	The controls are not operating consistently and/or effectively or have not been implemented in full. The control has experienced failures in the past 12 months and is expected to experience more, potentially more frequently. Rates of failure are deemed to be unacceptable.
Weak	Consistently not operating as intended, immature, operating inappropriately or inconsistently. Rates of failure are significant and deemed unacceptable.

Rating Category

Very Strong

Implementation

The control operates consistently as intended and is being correctly applied by the vast majority of users.
Never known to fail in the past, highly unlikely to fail in a short to mid-term.

Rating Category

Strong

Implementation

The control operates on a mostly consistent basis and is being applied correctly by most users.
Control is mature and unlikely to fail significantly within 12-month period.
Has significantly addressed the risk.

Rating Category

Adequate

Implementation

The control operates as intended at least half of the time by sections of control users.
The control has experienced a failure in the past 12 months but is not expected to experience more in the immediate future.

Rating Category

Limited

Implementation

The controls are not operating consistently and/or effectively or have not been implemented in full.
The control has experienced failures in the past 12 months and is expected to experience more, potentially more frequently.
Rates of failure are deemed to be unacceptable.

Rating Category

Weak

Implementation

Consistently not operating as intended, immature, operating inappropriately or inconsistently. Rates of failure are significant and deemed unacceptable.

Control Matrix example

Appendix E - Risk Register

Comprehensive risk register

A comprehensive risk register typically contains the following information:

risk ID (this is a unique identifier)
entry date (into risk register)
name of the person(s) who did the assessment
description of the risk
objective(s) that will be affected by the risk
risk assessment information, such as:
- the worst case consequence, likelihood and risk level
- the current controls, their owners and their effectiveness
- the current consequence, likelihood and risk level
- whether the risk is acceptable or tolerable
- additional treatments, their owners, and treatment due dates if the risk is not acceptable or tolerable
- the residual risk level once additional treatments have been implemented.
risk owner – who is accountable for managing the risk
monitoring information – how and when the risk and its controls will be reviewed and reported
the date the risk register was last updated
risk category (e.g. Financial, Service Delivery, Work Health and Safety)
target risk rating and due date

The information captured in your risk register can be useful in helping the agency prioritise risks and make the best use of its resources.

For further guidance on how to best create a risk register that suits the agency’s needs, try answering the following questions for guidance:

Have risk owners been assigned?
Have control owners been assigned?
Have controls been assessed (effective, partially effective, ineffective)?
Have risk ratings been reviewed and updated?
Have treatment actions been implemented as planned?
Are treatment actions being monitored?
Are there mechanisms in place to review and update the risk regularly?

The agency’s risk register can be developed or set out in many ways. The content of your risk register should be customised for the agency and the information needs of key stakeholders. In more complex organisations, additional technical or specific information may be needed.

The agency decides whether risks that are no longer relevant are removed from the register and archived, or remain on the register but are marked as no longer applicable. Both strategies have their benefits: archiving helps to restrict the length of the register to a manageable level, while retaining all risks on the register can help maintain corporate knowledge.

It is important that there is an audit trail of changes to the risk register, so there is a record of when changes are made and who has made them.

Appendix F - Reporting

Types of reports

Report type	Users		Frequency	Purpose and content
Attestation statement in accordance with TPP20-08:Internal Audit and Risk Management Policy for the NSW Public Sector	Treasury and users of annual reports		Annually	The attestation statement requires the department head or the governing board of a statutory body to attest, among other things, that risk management processes consistent with the current Australian/New Zealand standard have been implemented. The template for the attestation is prescribed in TPP20-08.
Annual report	External and internal stakeholders		Annually	The GSF Act and Treasurer’s Direction TD23-10 requires agencies to report on the risk management activities and insurance arrangements affecting the agency. Information in the annual reports should possess the requisite qualitative characteristics of relevance, reliability and comparability, and be easily understood.
Reports to the Audit and Risk Committee (ARC)		Head of Authority Governing boards of statutory bodies ARC Senior management Internal Audit	As per frequency of ARC meetings	Reports can include: Risk register Significant risks: information provided on these risks include risk owner, risk treatment, additional treatments and timeframes and any other information Risk trends: trend analysis can only occur where there is frequent and regular assessment of risks. Trend reports can: cover movements in risks, identifying those which are getting worse or better show the effect of treatments on risk identify risks that need further treatment. New or emerging risks: by conducting regular assessments, reports on new or emerging risks should be able to be compiled Risks with ineffective controls: the provision of this information will allow the ARC and the AA to identify potential points of business failure requiring urgent response or action Risk categories: generic risk categories are strategic, operational, compliance and reporting (both financial and management)
Operational risk reports		Functional business unit managers Project managers Staff responsible for managing risks	Monthly or quarterly	Production and dissemination of tailored reports to risk owners. Where risks are not assigned to an owner, operational risk reports will provide management with details of risks that have not been treated or risks that are not being monitored. Providing risk reports to risk owners allows an opportunity for staff to view the risks and treatments that they are required to oversee.
Incident report		Risk manager Internal Audit Functional business unit manager	Ad hoc as they occur Summary reports monthly	Communicate risks realised, including control failures.
Staff communication		All employees	As required	Includes but not limited to risk management policy, training and development.

Report type

Attestation statement in accordance with TPP20-08:Internal Audit and Risk Management Policy
for the NSW Public Sector

Users

Treasury and users of annual reports

Frequency

Annually

Purpose and content

The attestation statement requires the department head or the governing board of a statutory body to attest, among other things, that risk management processes consistent with the current Australian/New Zealand standard have been implemented.

The template for the attestation is prescribed in TPP20-08.

Report type

Annual report

Users

External and internal stakeholders

Frequency

Annually

Purpose and content

The GSF Act and Treasurer’s Direction TD23-10 requires agencies to report on the risk management activities and insurance arrangements affecting the agency.

Information in the annual reports should possess the requisite qualitative characteristics of relevance, reliability and comparability, and be easily understood.

Report type

Reports to the Audit and Risk Committee (ARC)

Users

Head of Authority

Governing boards of statutory bodies

ARC

Senior management

Internal Audit

Frequency

As per frequency of ARC meetings

Purpose and content

Reports can include:

Risk register
Significant risks: information provided on these risks include risk owner, risk treatment, additional treatments and timeframes and any other information
Risk trends: trend analysis can only occur where there is frequent and regular assessment of risks. Trend reports can:
cover movements in risks, identifying those which are getting worse or better
show the effect of treatments on risk
identify risks that need further treatment.
New or emerging risks: by conducting regular assessments, reports on new or emerging risks should be able to be compiled
Risks with ineffective controls: the provision of this information will allow the ARC and the AA to identify potential points of business failure requiring urgent response or action
Risk categories: generic risk categories are strategic, operational, compliance and reporting (both financial and management)

Report type

Operational risk reports

Users

Functional business unit managers

Project managers

Staff responsible for managing risks

Frequency

Monthly or quarterly

Purpose and content

Production and dissemination of tailored reports to risk owners.

Where risks are not assigned to an owner, operational risk reports will provide management with details of risks that have not been treated or risks that are not being monitored.

Providing risk reports to risk owners allows an opportunity for staff to view the risks and treatments that they are required to oversee.

Report type

Incident report

Users

Risk manager

Internal Audit

Functional business unit manager

Frequency

Ad hoc as they occur

Summary reports monthly

Purpose and content

Communicate risks realised, including control failures.

Report type

Staff communication

Users

All employees

Frequency

As required

Purpose and content

Includes but not limited to risk management policy, training and development.

Download or print

Download NSW Treasury Risk Management Toolkit PDF 851.57KB Current as of Wednesday, 28 May 2025.

Print this page

Request accessible format of this publication.

Top

Chapter 9: Appendices

Appendix A – Risk-related Accountabilities, Roles and Responsibilities

Appendix B - Drivers for improving risk culture

Appendix C - Tools to support the risk management process

Appendix D - Control Effectiveness Ratings Tables

Appendix E - Risk Register

Appendix F - Reporting

Download or print