Appendix 6: Risk Management
Risk is the effect of uncertainty on objectives. All activities of an entity involve risks. Risk management aids decision making by taking account of uncertainty and its effect on achieving objectives, and assessing the need for any actions. Risk management is an essential pillar of good public sector governance.31

Public sector governance arrangements must be tailored to the circumstances of individual entities. They should be based on a risk management approach that considers potential benefits and costs associated with activities that contribute to meeting specified objectives. These risks could either prevent the entity from achieving its business objectives, or provide the opportunity for extra benefits to be realised.

To be effective, the risk management process needs to be rigorous, structured and systematic. It is important that the emphasis is on real actions and outcomes so that it does not become a procedures-based exercise. Effective risk management requires an entity to have a risk-assessment culture whereby all major decisions are considered in terms of risk management principles.

In June 2008, the Department of Finance and Deregulation’s Comcover branch published a Better Practice Guide on Risk Management. Comcover’s guide provides a summary of the key principles and concepts of risk management as well as some practical tips to be considered when implementing or reviewing an entity’s framework for managing risk. It also emphasises the importance of developing the right culture for managing risk.

The risk management process generally used in Australia today is modelled on Standards Australia’s Risk Management: AS/NZS 4360:2004.
To effectively implement risk management within an entity, AS/NZS 4360:2004 requires the entity to develop a framework for risk management: a set of components that provides the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the entity. This includes the development of a risk management policy and a risk management plan.

AS/NZS 4360:2004 proposes a logical and systematic methodology for establishing the context and for identifying, analysing, evaluating, treating, monitoring and reviewing risks. It also emphasises embedding risk management into the entity’s culture through communication and consultation, and the appropriate recording of risks.

In 2009 a new International Standards Organisation standard, ISO 31000, that builds upon AS/NZS 4360:2004, is expected to be released.

Further references
31 See the ANAO’s ‘House of Public Sector Governance’, in various publications such as Public Sector Governance, Better Practice Guide, Volume 1 2003.


