Designing processes to manage risk

• something needs to be achieved to a certain standard every time it's done
• it matters when certain actors contribute their skill or knowledge in a complicated value chain
• certain actions are done over and over again in every part of the organisation
• activities and functions could be more efficient
• the context is dynamic and a process can provide stability and continuity.

In 2015, a public sector agency in the transport portfolio realised that, with so many of its projects delivered by other Victorian public sector organisations, it was exposed to significant risks in project delivery, reputation and their balance sheet.

To manage them better it developed a process for identifying state-significant and shared risks. This chart shows the flow of actions [PDF, 198KB]. It’s a good example of a process that introduces stability and continuity in a dynamic context and also helps make sure various actors contribute at the right time.

The agency worked with its public sector partners on the design of the process, before it was reviewed by their executive team and endorsed by their risk committee. Over the course of its working life it was used to structure the management of a number of projects.

Better oversight of the effectiveness of controls was a key benefit, crucial for projects designed with the objective to save lives on Victoria’s roads. The process also led to better sharing of knowledge and information across the transport sector, and contributed to the discovery of risks that had not be considered up till then—such as the potential impacts of the emerging ride-share market on the wider transport system.

Another benefit, not sought when the process was initially being designed, were a better understanding of the board’s risk appetite as the project analysed potential impacts on the organisation.

Other public sector organisations in the portfolio also evaluated their risk appetite and processes to make them consistent with the state significant and shared risk management process [PDF, 439KB], and the whole transport sector mapped out a process for identifying sector-wide risk.

And, finally, the agency’s pioneering work put in play what were then new requirements in the Victorian Government Risk Management Framework (VGRMF), and became the foundation for VMIA’s position on managing shared and state-significant risk.

A quality assurance process protects value by making sure that what goes out to users, clients or stakeholders works and won’t harm people, places, systems or the organisation’s reputation.

But what if product failure is unlikely and the consequences, if it happens, are small? In this case, a quality assurance process may an expense that doesn’t protect value. It should only be applied to the goods and services where there is a real risk that the quality might be in question.

Risk assessment is a fundamental process in risk management. To be effective in managing risk though, the results of that process must inform management activities.

A process for escalating risk is one way in which the risk assessment process hooks onto wider management processes in the organisation’s governance. When a risk is assessed it receives an evaluation, which indicates what type of action will be required—in this case, an escalation.

This workflow [DOCX, 28KB] shows the process for escalating risk as a next step after risk assessment.

It's important to point out that the process doesn’t need to be represented graphically—a set of statements about what decision makers need to do in certain circumstances is fine too.

Procuring goods and services is a good example of deliberately entering a space of uncertainty to achieve organisational objectives. Risks and opportunities emerge from

• mapping out proposed value chains
• going to the market with a clear specification of your requirements
• finding suppliers in the market that can deliver in the quantity or to the quality required
• negotiation and agreement
• management of the contract.

The Victorian Government’s buyer’s guide to procurement is a process designed to navigate this uncertainty and ensure that the purchase is one that protects and creates value.

You’ll notice this process has a lot of rich information, rather than a diagram showing a simple workflow. It shows how flexible the concept of a process is. Risks to probity, value for money and reputation mean that it's worth investing in that detail.

Detail is also needed when you want people with very diverse skill sets, in teams or organisations with different objectives, to follow a process. When there's a lot of in-house knowledge, shared culture and objectives, and the participants and stakeholders are known, you need a lot less information in the formal process because it is captured ‘informally’ in the context.