De-centralised risk management in the Australian Government


Australian Government Version 2.1 Beta

The Commonwealth Risk Management Policy is silent on the subject of centralised or de-centralised risk management processes within an agency.

The Commonwealth Risk Management Policy doesn’t talk about a single risk assessment for the agency, nor about multiple risk assessments in the agency. Yet there is a widespread assumption that risk management will be done throughout each Government organisation, and involve nearly everyone at some time or another. Every Division, Branch, and Section within the organisation is expected to have its own risk assessment.

Life would be very difficult if the Policy required a single integrated risk management process. Other government-wide directives mandate risk management for particular purposes, including electronic security, protective security, fraud prevention, privacy protection, workplace health and safety, and projects subject to Gateway Reviews by the Department of Finance.

Those other directives recommend specific process details not applicable to all risk management across the agency. The Clear Lines recommend a few other agency risk management processes that are fairly standard, but not mandated.

So risk management is most often de-centralised in Government agencies.

Details of risk management processes mandated and recommended for Australian Government agencies

But that’s not the main thing

The mandated risk management processes might be convincing in their own spaces, but they leave out the primary objectives and activities of the Government agency. Those primary objectives are also a subject for agency risk management, arguably the most important. The Commonwealth Risk Management Policy, and common sense, each require that the risks to and from the agency’s main policy, regulatory or business functions are also understood and acted upon. Official guidelines for that level of risk management are necessarily very general. The Clear Lines are specific on how that level of risk management might be approached, at the Division/Branch/Section level and at the enterprise level.

Division, Branch, Section risk management processes

In Australian Government agencies, there is a widespread expectation that every unit in the agency structure, at each level, will maintain some form of risk management process. At the least, there is supposed to be a risk assessment supporting the annual ‘business’ plan for each work unit.

If you have been living with that expectation, you might be surprised to learn that the subject of de-centralised risk management is not addressed in any authoritative standards. Global standards barely acknowledge the possibility of de-centralised risk management.

Conversely, if you don’t live with the expectation of de-centralised risk management, you might find it surprising, and think it likely to create a fragmented view of enterprise risk.

Even within the Australian Government, where de-centralised risk management is normal, there are very few explanations of how Division, Branch, Section risk assessments might relate to an enterprise or agency-wide view of risk. The Clear Lines have come across two overlapping ideas about those relationships:

  1. All risk assessments within the agency should be standardised, and based on common criteria, so that each separate risk assessment can be compared and added across the enterprise. Ideally all risk assessments are in a central database.
  2. Lower-level risk registers are the primary content of the risk registers at the next higher level, with some extra risks added at each level on the way upward.

At the same time, nearly every Government agency reports a lack of results from going down those paths. One obvious problem with either strategy is that central enterprise risk registers end up containing an unmanageable number of separate risks.

The Clear Lines have developed a better way of integrating de-centralised risk assessments at multiple levels of the enterprise. The Clear Lines also allow for an agency-wide risk assessment to use the results of specialised thematic risk assessments, such as the one maintained separately for information security.

In the Clear Lines solution for integrated, de-centralised enterprise risk management, each separate risk register is complete and effective for its own purpose, while also informing higher organisation levels. The Clear Lines method does not involve standardisation or a central database. Instead, the Clear Lines set some demanding expectations for each of the component risk assessments to be integrated. Those demanding expectations are about the effectiveness of the assessment in dealing with risk as ‘the effect of uncertainty on objectives’ (per ISO 31000). That focus tends to be lost in rule-based and process-based risk policies, of the kind that the Clear Lines avoid. The Clear Lines offer the further advantage that each level and instance of risk management can start independently, without waiting for any others. There is no need even to wait for an agency risk policy to be finalised.

Even the Clear Lines method does not guarantee success for ‘risk management’. There will never be effective risk management without genuine demand drivers from high-level stakeholders. Those demand drivers are often absent, and they are not created overnight by persuasive arguments from ‘risk managers’. If you are a risk specialist within an Australian Government agency, I recommend that you keep working on the high-level stakeholders to find the latent demand drivers, and in the meantime build up whatever strands of risk management activity may already have authentic and emotional drivers. Forget all about centralisation and standardisation: discarding those with dramatic emphasis might even be a selling point for genuine recognition of the effects of uncertainty on objectives.
