What is risk management? (Australian Government supplement)

For the Australian Government: This series assumes you work within the Australian Government, but have no prior knowledge of the subject. It does not use technical terms without explaining them first.

Depending on your role, you may also want to look at the risk specialist or executive drill-down articles on this topic.


In the Australian Government the expectation to manage risk comes from the Public Governance, Performance and Accountability Act 2013. The Act is very general, and the more specific requirements come from the Commonwealth Risk Management Policy. There is also a useful guide to Implementing the Commonwealth Risk Management Policy.

The Commonwealth Risk Management Policy generally follows ISO 31000 and creates similar expectations.

However, it separately defines risk management thus:

Risk is the effect of uncertainty on objectives. Risk is the possibility of an event or activity preventing an organisation from achieving its outcomes or objectives. Risk management is the activities and actions taken to ensure that an organisation is conscious of the risks it faces, makes coordinated and informed decisions in managing those risks and identifies potential opportunities. [Implementing the Commonwealth Risk Management Policy, page 5]

This definition is roughly consistent with the explanations in the main article on What is risk management?, with a specific emphasis on ‘an organisation’, echoing ISO 31000 and COSO ERM. Rather untidily, it has two different definitions of risk in consecutive sentences. But it’s clear enough.

Like the other sources quoted, the Commonwealth Risk Management Policy and its supporting guidance avoid prescribing process details and instead focus on the responsibilities that Australian Government organisations must meet.

At the same time, public accountability suggests a formal and defensible approach to risk management. Australian Government organisations are not generally encouraged to just do their own thing (without an explanation) and later defend their decisions purely on their record.

There is a lot of emphasis on risk appetite, which is not covered well in ISO 31000.

The Commonwealth Risk Management Policy appears to assume that readers have an adequate understanding of risk management concepts, or will acquire that understanding soon enough. That may not be accurate for all readers.

Recommended reading

If you find yourself required to act on the Commonwealth Risk Management Policy, but have insufficient understanding of risk management, the following authoritative resources will help close the gap as quickly as possible:

  • SA/NZS HB 436 Risk management guidelines – Companion to AS/NZS ISO 31000:2009. This is a comprehensive handbook for risk management in Australia, with ISO endorsement, and it quotes every word of ISO 31000:2009 itself, so you don’t need to buy ISO 31000:2009 separately. However, like ISO 31000:2009 (and its 2017 revision), the handbook gives little attention to risk appetite, which is a major focus of the Commonwealth Risk Management Policy.
  • COSO ERM – Understanding and Communicating Risk Appetite (2012), authors Larry Rittenberg and Frank Martens. This is a free online resource. It has much more to say about risk appetite than COSO ERM (2004) itself. But be warned that risk appetite is a confusing and controversial topic, and this single publication will not settle arguments. Like most sources on risk appetite, it is internally inconsistent.

Your official Australian Government source is Comcover, which is part of the Department of Finance. I have been to some good Comcover training courses, but I haven’t seen a specific Comcover document that combines definitive authority with the full scope of risk management.

This site is written for an audience that includes people in your situation. I attempt to explain the basics in a fair way, with due regard to the established sources. Sometimes conventional and historical practice is in conflict with the authoritative sources, and that difference appears to be the main source of confusion in risk management. The site tends to focus on those areas. You need to bear in mind that it is not authoritative, and it includes some original and non-conventional thinking, clearly identified as such.

If you are a potential member of the Institute of Internal Auditors, I recommend that you plan to enrol in the CRMA program as early as possible. The CRMA program includes a first-class education in core risk management concepts, especially Enterprise Risk Management as required by the Commonwealth Risk Management Policy. (I cannot say the same for the ISACA CRISC program, which is also fine, but in a very different way.)


Parent articles

What is risk management?

Risk is not a mysterious hypothetical substance. Unlike radioactive waste, it does not require a management system. You should never ask how much of it there is. Risk is nothing other than the possibility that your world might not end up the way you meant it to be. To manage risk is to understand and act on the effects of uncertainty on objectives. ‘Objectives’ are the preferred outcomes of an activity. ‘Effects’ can be positive or negative. ‘Uncertainty’ includes all kinds of unknowns, including unknown unknowns. ‘Act on’ includes many kinds of response. Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty.

For Everyone: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first. Stream supplements are available as drill-downs.

The goal of risk management

The end-points of effective risk management are that the organisation has a current, correct and comprehensive understanding of its risks, [and] the organisation’s risks are within its risk criteria. The ‘organisation’ is optional. Stakeholders are mandatory. Risk ‘criteria’ are agreed limits.


Key principles for actually managing risk

Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty. ‘Treating a risk’ means doing something different, not turning a knob. Risks are managed by managers, not risk specialists.


How does ‘risk management’ fit with all the other kinds of ‘management’?

Risk management is not just another dimension of management. It’s a dimension of all the other dimensions.


What separate activities are specific to ‘risk management’?

Activities specific to ‘risk management’ are typical activities specific to ‘management’, with special features. They also have special names, defined in places like ISO 31000. Different specialists assume different boundaries of ‘risk’.

