COMCOVER INFORMATION SHEET

Department of Finance

EMBED

An Overview of the Risk Management Process

This information sheet is intended to assist Commonwealth officials at the following levels:

• Foundation level: All officials, regardless of level or role, are required to understand basic risk management
concepts and how risk is managed in the Commonwealth.
• Generalist level: Officials, regardless of level, whose role requires them to engage with and apply their entity’s
risk management framework to successfully deliver outcomes.

The risk management process described in AS/NZS ISO 31000:2009 Risk Management – Principles and
Guidelines is one way of achieving a structured approach to the management of risk. Consistently implemented,
it allows risks to be identified, analysed, evaluated and managed in a uniform and focused manner.

ISO 3100 recommends that risk management be based on three core elements¹:

• a set of principles that describes the essential attributes of good risk management;
• a risk management framework that provides a structure for risk management; and
• a risk management process that prescribes a tailored, structured approach to understanding,
communicating and managing risk in practice.

Principles Framework Process

• Creates value
Mandate
• Integral part of organisational and
processes commitment
Establishing the
• Part of decision making Context
Communication & Consultation

• Explicitly addresses uncertainty

• Systematic, structured & timely Risk Identification
Monitoring & Review

Design of
• Based on the best available framework to
manage risk
information
Risk Analysis
• Tailored
Continual Implement
• Takes human & cultural factors Improvement risk
of the management Risk Evaluation
into account framework
Risk
• Transparent & inclusive Assessment

• Dynamic, iterative and Monitoring

responsive to change and review
of the Risk Treatment
• Facilitates continual framework
improvement and
enhancement of the
organisation

1 Drawn from the AS/NZS ISO 31000:2009

2016 An Overview of the Risk Management Process 1

 Establish the context
In order to understand and manage risk, it’s first necessary to understand your entity’s objectives and operating
environment. Establishing the context is the first of the seven risk management steps where the objectives and
influences of the risk management process are defined.

The first activity in establishing the context is to agree and define the objectives of the entity or the activity being
considered. Objectives can include those which are both explicit (those objectives that are well defined, for example
‘we will increase client satisfaction feedback by 5 percent’) and implicit (those objectives that might be undocumented
but are expected, for example ‘we will obey the law’).

Secondly, it is important to identify relevant stakeholders. The most important stakeholders include organisations which
may expose the entity to risk, are exposed to an entity’s risks, or be able to help an entity manage risk.

There are three other elements that are important to consider when establishing the context for a risk assessment:

• The external context - the environment in which the entity operates and seeks to achieve its objectives
including policy, operational, cultural, political, people, environmental, legal, regulatory, financial, technological and
economic factors. Other things to be considered include key drivers and trends that impact upon the objectives,
and the relationship with, and expectations of, external stakeholders.
• The internal context - includes those factors within the entity that are relevant to the risk assessment.
This is important as risk assessments will be most effective when they are linked to the objectives of the entity
or activity under assessment. Factors typically considered in the internal context include the entity’s strategic
objectives, organisational capabilities and culture.
• The risk management context - this defines the goals and objectives of the risk management activity including
how it is to be undertaken, who is responsible for each component and what is in scope.

Risk identification
The aim of this step is to develop a comprehensive and tailored list of future events which could be uncertain, but are
likely to have an impact (either positively or negatively) on the achievement of the objectives - these are the risks.

Risks need to be documented including key elements such as the risk event, the potential cause and the potential
impact should the risk be realised.

Thorough identification of potential risks is critical to the success of any risk assessment. It is important not be too
narrow or constrained. Often referred to as a ‘failure of imagination’, care needs to be taken to ensure that the
identification process does not just focus on today’s challenges but rather also considers a diverse range of sources
including risk events that are emerging or in the future.

It is important to identify actions, scenarios, events and other external agencies that may give rise to risks.
For each risk identified ensure that its source or cause is well understood and documented.

A number of techniques can be used during risk identification and assist in the discovery process. These can be
sophisticated and highly structured, or more informal, depending on the purpose and context of the assessment being
undertaken. Common techniques include the use of risk categories or linking risks to each objective identified in the
context setting phase. Another method is to begin thinking of the threats and opportunities the entity faces, and use
these to identify relevant risks.

2016 An Overview of the Risk Management Process 2

Risk analysis
Risk analysis establishes the potential impact of each risk and its likelihood of occurrence. The combination of these
two factors determines the severity of the risk, which may be positive or negative. Although there are many ways to
achieve this, a common approach is to use a matrix or ‘risk heat map’. Consequence and likelihood are plotted on
the two axes of the matrix, with each corresponding cell assigned a level of severity. Illustrated below is an example
of a simple risk severity matrix.

Residual Risk Severity

Likelihood/
Insignificant Minor Moderate Major Severe
Consequence

Almost
Certain

5 6
Likely 9
12

Possible 11 3

Unlikely 4 1

Rare 10 8 7 2

The specific matrix employed may be defined in an entity’s risk management framework and should be considered
and agreed in the ‘establish the context’ step.

Whilst entities may use different processes for analysing risk, it is important that each entity ensures all risks within
its organisation are assessed consistently. Where risks are shared between organisations, good communication
is required to ensure each stakeholder understands the severity of the risks.

Risk evaluation
Risk evaluation determines the tolerability of each risk. Tolerability is different from severity. Tolerability assists
to determine which risks need treatment and the relative priority. This is achieved by comparing the risk
severity established in the risk analysis step with the risk criteria found in the likelihood and consequence
criteria already defined.

At its simplest, an entity might decide that risks above a certain severity are unacceptable, and risks below this
are tolerable. More sophisticated approaches might assign risk acceptance delegations for risks of increasing
severity to officials of different levels of seniority.

Decisions on tolerability should also be made after considering the broader context of the risk including the impact
of the risk upon other entities outside of the organisation. Treatment decisions should consider financial, legal,
regulatory and other requirements. Ultimately though, the considered and informed acceptance of risk supports
decision making and is essential to entity performance including the achievement of objectives.

2016 An Overview of the Risk Management Process 3

Risk treatment
Risk treatment is the action taken in response to the risk evaluation, where it has been agreed that additional
mitigation activities are required.
Risk treatment is a cyclical process where individual risk treatments (or combinations of treatments) are assessed
to determine if they are adequate to bring the residual risk levels to a tolerable or appropriate level. If not, then new
risk treatments are generated and assessed until a satisfactory level of residual risk is achieved.
Risk treatment will be most effective where it is tailored to the requirements and capabilities of the entity and
can include strategies such as:
• Avoiding the risk entirely by not undertaking the activity
• Removing a source or cause of the risk
• Sharing the risk with other parties
• Retaining the risk by informed decision
• Taking more risk to achieve certain objectives or opportunities
• Changing the likelihood and/or consequence of the risk through modifying controls in place.

Selecting the most appropriate treatment requires balancing the cost and effort of implementation against the benefits
derived from additional risk mitigation. In some cases, further treatment may be unachievable or unaffordable and the
residual risk may need to be accepted and communicated. Entities may wish to consider how external stakeholders
can provide support when developing treatment options or if treatments can be implemented collaboratively.

Risk treatments are commonly documented in a risk treatment plan. These generally include:

• reasons for treatment selection, including expected benefits and potential hazards
• accountabilities for approving the plan and its implementation
• resource requirements
• reporting, assurance and monitoring requirements
• priorities, timing and schedules.

Communication and consultation

Communication and consultation is an essential attribute of good risk management. Risk management cannot be
done in isolation and is fundamentally communicative and consultative. Hence this step is, in practice, a requirement
within each element of the risk management process.
Formal risk reporting is only one form of risk communication. Good risk communication generally includes the
following attributes:
• encourages stakeholder engagement and accountability
• maximises the information obtained to reduce uncertainty
• meets the reporting and assurance needs of stakeholders
• ensures that relevant expertise is drawn upon to inform each step of the process
• informs other entity processes such as corporate planning and resource allocation.

Different stakeholders will have different communication needs and expectations. Good risk communication is tailored
to these requirements.

2016 An Overview of the Risk Management Process 4

Monitoring and review
Risks change over time and hence risk management will be most effective where it is dynamic and evolving.
Monitoring and review is integral to successful risk management and entities may wish to consider articulating
who is responsible for conducting monitoring and review activities.

Key objectives of risk monitoring and review include:

• detecting changes in the internal and external environment, including evolving entity objectives and strategies
• identifying new or emerging risks
• ensuring the continued effectiveness and relevance of controls and the implementation of treatment programs
• obtaining further information to improve the understanding and management of already identified risks
• analysing and learning lessons from events, including near-misses, successes and failures

Monitoring and review can be both periodic and based upon trigger events or changing circumstances.
The frequency of the review process should be commensurate with the rate at which the entity and its operating
environment is changing

The results and observations from monitoring and review are most useful when well documented and shared.
They may be included in formal risk reports be recorded and published internally and externally as appropriate
and should also be used as an input to reviews of the whole risk management framework.

Further information
This information sheet provides a high level overview of the risk management process. For more detailed guidance
on undertaking the risk management process in practice, refer to the Comcover Information Sheet Undertaking the
Risk Management Process.

If you have any questions or feedback in relation to this information sheet please contact Comcover Member
Services at [email protected].

Comcover’s series of Risk Management Information Sheets are designed to be used as optional guidance
documents and are not mandatory.

It is important that entities develop risk management frameworks and systems that are tailored to the needs of their
organisation. Entities may choose to adapt some or all of the concepts contained in this information sheet to suit
their specific needs or use alternative methodologies.

2016 An Overview of the Risk Management Process 5