The Commonwealth Risk Management Policy is silent on the subject of centralised or de-centralised risk management processes within an agency.
The Commonwealth Risk Management Policy doesn’t talk about a single risk assessment for the agency, nor about multiple risk assessments in the agency. Yet there is a widespread assumption that risk management will be done throughout each Government organisation, and involve nearly everyone at some time or another. Every Division, Branch, and Section within the organisation is expected to have its own risk assessment.
Life would be very difficult if the Policy required a single integrated risk management process. Other government-wide directives mandate risk management for particular purposes, including electronic security, protective security, fraud prevention, privacy protection, workplace health and safety, and projects subject to Gateway Reviews by the Department of Finance.
Those other directives recommend specific process details not applicable to all risk management across the agency. The Clear Lines recommend a few other agency risk management processes that are fairly standard, but not mandated.
So risk management is most often de-centralised in Government agencies.
But that’s not the main thing
The mandated risk management processes might be convincing in their own spaces, but they leave out the primary objectives and activities of the Government agency. Those primary objectives are also a subject for agency risk management, arguably the most important. The Commonwealth Risk Management Policy, and common sense, each require that the risks to and from the agency’s main policy, regulatory or business functions are also understood and acted upon. Official guidelines for that level of risk management are necessarily very general. The Clear Lines are specific on how that level of risk management might be approached, at the Division/Branch/Section level and at the enterprise level.
Division, Branch, Section risk management processes
In Australian Government agencies, there is a widespread expectation that every unit in the agency structure, at each level, will maintain some form of risk management process. At the least, there is supposed to be a risk assessment supporting the annual ‘business’ plan for each work unit.
If you have been living with that expectation, you might be surprised to learn that the subject of de-centralised risk management is not addressed in any authoritative standards. Global standards barely acknowledge the possibility of de-centralised risk management.
Conversely, if you don’t live with the expectation of de-centralised risk management, you might find it surprising, and think it likely to create a fragmented view of enterprise risk.
Even within the Australian Government, where de-centralised risk management is normal, there are very few explanations of how Division, Branch, Section risk assessments might relate to an enterprise or agency-wide view of risk. The Clear Lines have come across two overlapping ideas about those relationships:
- All risk assessments within the agency should be standardised, and based on common criteria, so that each separate risk assessment can be compared and added across the enterprise. Ideally all risk assessments are in a central database.
- Lower-level risk registers are the primary content of the risk registers at the next higher level, with some extra risks added at each level on the way upward.
At the same time, nearly every Government agency reports a lack of results from going down those paths. One obvious problem with the strategy is that central enterprise risk registers will contain an unmanageable number of separate risks.
The Clear Lines have developed a better way of integrating de-centralised risk assessments at multiple levels of the enterprise. The Clear Lines also allow for an agency-wide risk assessment to use the results of specialised thematic risk assessments, such as the one maintained separately for information security.
In the Clear Lines solution for de-centralised enterprise risk management, with integration, each separate risk register is complete and effective for its own purpose, while also informing higher organisation levels. The Clear Lines method does not involve standardisation or a central database. Instead, the Clear Lines set some demanding expectations for each of the component risk assessments to be integrated. Those demanding expectations are about the effectiveness of the assessment in dealing with risk as ‘the effect of uncertainty on objectives’ (per ISO 31000). That focus tends to be lost in rule-based and process-based risk policies, of the kind that the Clear Lines avoid. The Clear Lines offer the further advantage that each level and instance of risk management can start independently, without waiting for any others. There is no need even to wait for an agency risk policy to be finalised.
Even the Clear Lines method does not guarantee success for ‘risk management’. There will never be effective risk management without genuine demand drivers from high-level stakeholders. Those demand drivers are often absent, and they are not created overnight by persuasive arguments from ‘risk managers’. If you are a risk specialist within an Australian Government agency, I recommend that you keep working on the high-level stakeholders to find the latent demand drivers, and in the meantime build up whatever strands of risk management activity may already have authentic and emotional drivers. Forget all about centralisation and standardisation: discarding those with dramatic emphasis might even be a selling point for genuine recognition of the effects of uncertainty on objectives.