The ability to identify risks first appears in the APS capability framework (The ILS) at APS 4. In supporting strategic direction, a person is expected to ‘show judgement, intelligence and common sense’. One of the behaviours to demonstrate this component is ‘identifies risks and uncertainties of processes and tasks’. An APS 5 is further expected to take account of these risks and uncertainties in planning and priority setting. This accounting is extended to decision-making for an APS 6. Risks are not mentioned for EL1s. EL2s are expected to anticipate and seek to minimise risks. Managing risks is SES territory.
This means that while enterprise risk management is mainly the preserve of senior executives, most staff need to have skills in identifying, assessing, and managing risks. These skills are needed during projects, procurement exercises, where there is potential for fraud or risk to business continuity, and in relation to health and safety. Strategic planning exercises also need to consider risks.
What is risk?
Risk is about the chance of something happening that will have an impact on achieving objectives. It’s the effect of uncertainty, a deviation from the expected, either positive or negative.
Two types of risk are identified: strategic and operational risk. Strategic risks are those high-level risks that could impact on achieving objectives identified in strategic plans and should be considered and managed by senior executive staff.
Operational risks are those that impact on achieving objectives from the perspective of particular work units, programs, and projects. These risks are managed by the relevant senior staff for the unit.
As well as agency risks, there are also cross-agency risks, where a risk relates to more than one agency, and whole-of-government risks, which are beyond the boundaries of any one agency and call for a coordinated approach by a lead agency.
Resources about risk
What resources are available to help with understanding responsibilities concerning risk?
Commonwealth public servants need to know about the Public Governance, Performance and Accountability Act 2013 (PGPA Act), which requires all non-corporate Australian Government entities to establish and maintain appropriate systems and internal controls for the oversight and management of risk. This Act means that agencies need to formalise how they manage risk.
In 2014 the Department of Finance released the Commonwealth Risk Management Policy (CRMP). This document sets out the expectations for agencies managing risk. The CRMP sets out nine elements that must be complied with to establish appropriate levels of risk oversight:
- Establishing a risk management policy
- Establishing a risk management framework
- Defining responsibility for managing risk
- Embedding systematic risk management into business processes
- Developing a positive risk culture
- Communicating and consulting about risk
- Understanding and managing shared risk
- Maintaining risk management capability
- Reviewing and continuously improving the management of risk.
The APSC’s State of the Service Report 2013-2014 devotes a chapter to risk management. The chapter defines risk management as ‘the culture, processes and structures directed towards realising potential opportunities while managing adverse effects.’ The report notes that ‘risk management is an essential public service skill that is practiced daily’ and the consequences of poor risk management can ‘affect safety, as well as incur financial, administrative and/or reputational costs’. (p. 35)
The previous State of the Service reports identified that agencies needed to improve their risk-management capability and ANAO reports have identified instances where risks could have been better handled. The current State of the Service report notes that: ‘A key point that emerged from these reports is that while risks may have been appropriately assessed at the start of a project, often the project teams failed to keep the risks and controls up-to-date or recognise the implications of material changes in the risk environment that could affect success.’ (p. 37)
Comments are made on strategies for managing integrity risk. This covers policies designed to manage conflicts of interest, receipt of gifts and benefits, drug or alcohol testing of staff, and regular ethics training.
On the subject of delivery risk, the report comments on the need to communicate risk to key stakeholders both internal and external. People working on program and project implementation should note:
‘Internal risk conversations about ensuring risk is part of the consideration of issues and part of normal routine. It should not be an exception. Processes such as programme and project planning, corporate planning, policy development and implementation planning all provide valuable opportunities to test and record an agency’s appetite for risk, and the key risks relevant to activities and projects. Programme and project implementation plans, along with corporate planning processes, need to pay explicit regard to risk identification and assessment, and ensure planning processes routinely produce good quality risk outputs.’ (p. 40)
The report notes that risk management remains a developmental area for the majority of agencies, most notably in terms of managing strategic, whole-of-agency risks as opposed to project-specific or operational risks.
The report identifies barriers to effective risk management, the two main ones being organisational culture and workforce capability. Improving risk management is not just a matter of improving compliance. Leaders and managers must focus on risk and staff need to be aware of and capable of managing risk.
Key points for applicants
For managers and team leaders, a ‘tick the boxes’ approach to risk management is inadequate, as is seeing risk management as ‘an add on’ rather than as integral to daily work. Part of a manager’s role is to contribute to developing a positive risk culture. The CRMP defines risk culture as ‘the set of shared attitudes, values and behaviours that characterise how an entity considers risk in its day-to-day activities.’ Further, it states that:
‘A positive risk culture promotes an open and proactive approach to managing risk that considers both threat and opportunity. A positive risk culture is one where risk is appropriately identified, assessed, communicated and managed across all levels of the entity. Such a culture needs to be fostered and practiced by each entity.’
For management and team leadership roles it may therefore be appropriate to consider how you are developing a positive risk culture, including building staff capacity to identify, assess and manage risks.
For people working on projects and programs that involve risk assessment, you may need to demonstrate your ability to identify, analyse and evaluate risks. Risk matrices usually identify and analyse risks by rating each one on likelihood × consequence, and recommend actions according to the resulting rating.
When giving examples to demonstrate risk-management-related behaviours, or when considering hypothetical examples to identify potential sources of risk, you will need to be able to think in terms of a hierarchy of risk (project, work unit, agency, cross-agency, whole-of-government) appropriate to the level of the job, and identify the relevant risk sources. Potential sources of risk include:
- Machinery of government changes
- Public expectations
- Stakeholder relations
- Media relations
- Industry developments
- Security risks
- Business continuity
- Technology trends
- Budgeting and resource allocation
- Expenditure management
- Procurement and contracting
- Performance management
- Natural disasters
- Environmental protection
- Economic trends
- Legal liabilities and litigation.
In terms of professional development, consider what aspects of risk management fall within your responsibilities and identify what further knowledge and skills you need to be more effective. As a minimum, read the Commonwealth Risk Management Policy.