This article assumes you have read What is risk management? (Everyone), and adds some specific advice for people working in the Australian Government. Depending on your role, you may also want to look at the risk specialist or executive drill-down articles on this topic.
In the Australian Government the expectation to manage risk comes from the Public Governance, Performance and Accountability Act 2013 (the PGPA Act). The Act is very general, and the more specific requirements come from the Commonwealth Risk Management Policy. There is also a useful guide, Implementing the Commonwealth Risk Management Policy.
The Commonwealth Risk Management Policy generally follows ISO 31000 and creates similar expectations.
However, it separately defines risk management thus:
Risk is the effect of uncertainty on objectives. Risk is the possibility of an event or activity preventing an organisation from achieving its outcomes or objectives. Risk management is the activities and actions taken to ensure that an organisation is conscious of the risks it faces, makes coordinated and informed decisions in managing those risks and identifies potential opportunities. [Implementing the Commonwealth Risk Management Policy, page 5]
This definition is roughly consistent with the explanations in the main article on What is risk management? (Everyone), with a specific emphasis on ‘an organisation’, echoing ISO 31000 and COSO ERM. Rather untidily, it has two different definitions of risk in consecutive sentences. But it’s clear enough.
Like the other sources quoted, the Commonwealth Risk Management Policy and its supporting guidance avoid prescribing process details and instead focus on the responsibilities that Australian Government organisations must meet.
At the same time, public accountability suggests a formal and defensible approach to risk management. Australian Government organisations are not generally encouraged to just do their own thing (without an explanation) and later defend their decisions purely on their record.
There is a lot of emphasis on risk appetite, which is not covered well in ISO 31000.
The Commonwealth Risk Management Policy appears to assume that readers have an adequate understanding of risk management concepts, or will acquire that understanding soon enough. That may not be accurate for all readers.
If you find yourself required to act on the Commonwealth Risk Management Policy, but have insufficient understanding of risk management, the following authoritative resources will help close the gap as quickly as possible:
- SA/SNZ HB 436 Risk management guidelines – Companion to AS/NZS ISO 31000:2009. This is a comprehensive handbook for risk management in Australia and New Zealand, with ISO endorsement, and it quotes every word of ISO 31000:2009 itself, so you don’t need to buy ISO 31000:2009 separately. However, like ISO 31000:2009 (and its 2018 revision), the handbook gives little attention to risk appetite, which is a major focus of the Commonwealth Risk Management Policy.
- COSO ERM – Understanding and Communicating Risk Appetite (2012), authors Larry Rittenberg and Frank Martens. This is a free online resource. It has much more to say about risk appetite than COSO ERM (2004) itself. But be warned that risk appetite is a confusing and controversial topic, and this single publication will not settle arguments. Like most sources on risk appetite, it is internally inconsistent.
Your official Australian Government source is Comcover, which is part of the Department of Finance. I have been to some good Comcover training courses, but I haven’t seen a specific Comcover document that combines definitive authority with the full scope of risk management.
This site is written for an audience that includes people in your situation. I attempt to explain the basics in a fair way, with due regard to the established sources. Sometimes conventional and historical practice is in conflict with the authoritative sources, and that difference appears to be the main source of confusion in risk management. The site tends to focus on those areas. You need to bear in mind that it is not authoritative, and it includes some original and non-conventional thinking, clearly identified as such.
If you are a potential member of the Institute of Internal Auditors, I recommend that you plan to enrol in the CRMA program as early as possible. The CRMA program includes a first class education in core risk management concepts, especially ERM as required by the Commonwealth Risk Management Policy. (I cannot say the same for the ISACA CRISC program, which is also fine, but in a very different way.)
Main article on What is risk management? (Everyone)
Recommended next articles:
Some other main topics:
- Discrete risk management processes within an enterprise
- ‘Enterprise Risk Management’ and risk management (coming soon)
- All pages on What is Risk Management?