Being an effective risk manager for the organisation

On this page

• Who’s the risk manager for the organisation?
• What do they do?
• Keep an eye on the big picture
• What are the outputs of your work?
• What are the outcomes?
• What skills and knowledge do you need?

Risk management is about making good decisions in situations of uncertainty. Those decisions should create and protect value for the people, places and systems in your care.

An effective risk manager helps people to do that in a few ways.

One is by building frameworks and designing processes that make it easier for people to identify, analyse and evaluate risks against the organisation’s objectives, develop treatment plans, monitor their risk management and report.

They also work with the executive team and others to create a culture that takes a positive attitude to uncertainty—seeing the opportunities as well as the hazards.

They can also assist decision-makers to work through particular decisions. For example, a risk manager can facilitate a deliberation about the organisation’s internal and external context, the potential scenarios ahead, opportunities, costs and benefits, identifying risk indicators, and various strategies for controlling risks.

They can perform this facilitating role with the responsible body, in particular, helping them to work out their risk appetite and identify the value they want to create and protect for the people, places and systems in their care.

They also help the organisation continuously improve by advising on governance, standards, and improvement strategies and better practices.

In all of this, an effective risk manager makes the case for acting decisively, confidently and creatively in situations of uncertainty.

Who’s the risk manager for the organisation?

The person with the lead role in advising on risk management and overseeing risk practice in the organisation. They may not always have the title and the work may be distributed across more than one role.

Even if it’s not in the formal job description, we encourage you to work closely with colleagues whose jobs are about consciously managing risk for their organisation: specialists in business continuity, IT security, safety, privacy, information management, environment, compliance, learning and development, procurement, internal audit and insurance officers.

What do they do?

We think the role involves

• advising the executive team, responsible body and decision-makers across the organisation on good decision-making in situations of uncertainty 
• facilitating deliberation about appetite, tolerance, value, risk, and controlling risk 
• designing frameworks and processes and helping create a positive risk culture 
• monitoring the performance of frameworks and processes and the health of the risk culture
• reporting on performance of frameworks, processes and culture.

We also think the risk manager can jump in to help decision-makers across the organisation to make their decisions.

If you’re a risk manager, we encourage you to develop your skills and knowledge so that you can challenge and question a team in productive ways as they make decisions about their objectives.

Take the opportunity to show your colleagues how they can use risk thinking and techniques to slow down and think about their objectives. Remind them that they need to stay alert to changes in their internal and external context and show them how they can do it.

It’s up to those decision-makers, though, whether they’re an administrator, manager, executive or a member of the responsible body to

• define their objectives based on a courageous and reasonable assessment of their internal and external context
• assess risks to those objectives
• own those risks
• do the work of controlling them
• account for their work to the appropriate body in their governance structure.

Decision-makers are accountable for controlling and reporting on the risks. Risk managers enable them to do this.

Keep an eye on the big picture

A risk is the effect of uncertainty on your objectives—that’s the answer we usually give to the question What is a risk?

Public sector organisations need to remember, though, that they’re part of a whole-of-government effort to create and protect value for Victorians.

State-significant risk, for example, goes beyond the objectives of a particular organisation. Shared risk demands that you collaborate with other organisations.

This means working with the appropriate people in your organisation to seriously assess risks like climate change and the contribution you might make, whatever the size and function of your organisation.

It means minimising your insurable risk, so that we can make responsible use of insurance as a way of controlling financial risk.

It means looking at opportunities to collaborate with other organisations and using whatever influence to bring a risk that you’ve identified to the attention of the appropriate decision-maker.

What are the outputs of your work?

Your organisation’s risk management framework is a set of documents capturing the organisation’s policies, strategies, statements and procedures when it comes to managing risk. They should be written in plain language, tailored to the work and context of the organisation and accessible.

As we’ve said, risk is dynamic. To advise on action, report on progress, report on change in your internal and external context, you’ll also need to produce

• briefings showing background research, analysis and advice on courses of action
• reports on significant changes in your internal and external context
• reports on notable changes in government legislation, codes of conduct, policies, and strategies for the organisation
• documents that capture the results of deliberation and add value
• reports on the performance of risk management frameworks and processes and the health of the risk culture

What are the outcomes?

We’re all here to create and protect value for the people, places and systems in your organisation’s care. That’s the outcome we’re all seeking.

Risk management helps the organisation to define objectives which produce that value and also perform well.

This means there’s a direct link between the organisation’s performance and its risk maturity. Use this link to tell the story of how risk thinking and techniques can help make real decisions, both day to day and strategic.

 

What skills and knowledge do you need?

You’ll need to know the requirements of the Victorian Government Risk Management Framework (VGRMF) inside out. We also recommend that you have a working knowledge of the AS ISO 31000 standard on risk management.

We also encourage you to become familiar with legislation, regulations and government policies and strategies that are designed to create and protect value for Victorians, in particular, or Australians. We’re thinking of the Climate Change Act and the obligations that it creates for your organisation, the Victorian Government’s policies on procurement, privacy and data collection and its code of conduct.

Get to know the guidance material we’ve published here. Use the language, the concepts, the tools, slides and links to frame how you talk about risk in your organisation.

Talk to your risk adviser at VMIA about the problems your organisation’s trying to solve. Join communities of practice on specific areas of risk, build relationships with risk practitioners in other organisations, create networks of influence with those who can act to produce the change you need to see.

We also recommend that you develop your skills in

• facilitating deliberation in groups
• stakeholder mapping
• cost-benefit analysis
• research and analysis
• writing