One of the requirements of the Victorian Government Risk Management Framework (VGRMF) is that your strategic and business planning processes “embed risk management”.
Your strategies and plans should also demonstrate that you’ve considered your material risks.
Risk is the effect of uncertainty on your objectives. This means you need to apply risk thinking and techniques right at the beginning when you’re working out your objectives, during which your responsible body and executive team should:
- examine its internal and external context to identify trends and potential events that could be a source of benefit or harm to the organisation
- ask how the organisation can create and protect value
- consider its appetite for risk
- review the organisation’s tolerances for risks, shocks and stresses
- identify risks
- identify opportunities to collaborate on shared risks
- identify risks of state significance
Everything here is a risk management technique. Each one also has an obvious value for the task of deciding your organisation’s objectives.
Used right at the beginning, they’ll make sure your responsible body and executive team develop objectives that take and create the right amount and type of risk. They’ll also be objectives that, when realised, will create and protect value for Victorians.
This is also how risk thinking and techniques become embedded in the organisation’s strategies and plans.
As a risk practitioner you can advise and support the responsible body and executive team to do this work.
There’s more to be done, of course: building frameworks, designing processes and creating a positive risk culture. All of these embed risk thinking and techniques even further in the organisation’s decision-making.
If you don’t start with your objectives, it’ll resemble working to make a ship seaworthy when the navigation system is all wrong.
Here are some issues we’ve seen in the sector because risk thinking and techniques aren’t applied to an organisation’s objectives.
Conflicts between objectives
Take as an example the design, development and rollout of an online information portal to help people decide what services they need and then access them.
These projects are often being delivered in situations of great uncertainty. Timelines may be short. More than one agency may be involved. Perhaps a Minister has made public commitments in a politically charged context.
This is exactly the time to apply risk thinking and techniques. You need to slow down your thoughts and do a cool-headed scan of your environment for risks, test your appetite and tolerances, consult with stakeholders and those you share risk with. You need to critically evaluate the value proposition of the project and look beyond the launch date.
It’s worth doing. Rolling out the portal before it’s been properly tested exposes you and the government to large reputational risks. If the service shuts down within a few years, money which might’ve been spent on other services will have been wasted. If the information portal gives people access to critical information—health information, for example—it may expose those users to more serious risk and potential claims for damages in the future.
Tensions between objectives
A frontline agency, for example, will have the objective of not exposing its employees to danger. It’ll also have the objective of securing public safety in situations that are sometimes dangerous.
These are two legitimate objectives which are in tension, rather than conflict. The tension can’t be eliminated, but the organisation needs to do its best to manage both in a mutually-reinforcing way.
Apply risk thinking and techniques to
Can you achieve the objectives you’ve settled on for your strategy? Sometimes a risk assessment workshop will show that you can’t because the risks are too high and they can’t be reduced.
For example, the organisation may have committed to moving all its frontline services online but an analysis of its clients, the types of services that need to be provided, the capability of staff and the organisation’s systems, shows that it simply cannot achieve that objective within the life of the strategy.
To avoid this, assess risks as part of working out your objectives and, before you finalise your strategy, do a risk identification workshop to test whether they’re achievable.
Strategies and plans describe how objectives will be achieved. If you’ve applied risk thinking and techniques to working out your objectives, you’ve already taken a big step in ‘embedding’ risk management.
When it comes to your strategy, keep things simple. A strategy describes
- what the future state looks like when the objectives are achieved
- how the organisation will get there.
The strategy should paint a specific and unambiguous picture of the new place the organisation needs to be in when the strategy is done. The focus should be on the outcomes and what’s materially changed both in the organisation and for the people, places and systems in its care.
Your plans describe the work to be done within the functional structure of the organisation to produce that change. They should detail
- what actions will be done
- who’ll do them
- when they’ll be done
- the resources to be allocated.
Once you have a solid strategy and plan in place, you can consider risks that could make a material difference to whether you achieve your objectives.
Once you start building the strategies and plans, you need to focus on what must go right to achieve the organisation’s objectives and what mustn’t go wrong.
Examine your external context
Look at what’s going on in your organisation’s environment, both in the short and long term. Use PESTLE and scenario analysis and any other tools you have to understand what might happen over the relevant period, whether that’s 3 months or 30 years.
Bear in mind that different scenarios present different types of uncertainty. Do a preliminary investigation of the risk indicators that would show whether and how a risk was changing in your environment. Look at how your organisation might contribute to identifying and managing state-significant risk.
Examine your internal context
Use risk thinking and techniques
Examining your internal and external context will generate information and evidence for your decisions about how to manage risks to your strategies and plans. Now
- do a deep dive and assess the risks
- work out how you’ll control risks and make your treatment plan the core of your plans
- size up what information you need to monitor change in your risks
- minimise insurable risk
- make sure you have the right balance between retained or transferred risk
- start discussions with partners on shared risk
- escalate risks and issues relevant to state-significant risks.
How people perform their roles and carry out their responsibilities makes up the risk culture of the organisation. It’s also another way to embed risk thinking and techniques.
Putting aside legal and other requirements, each organisation will be different in how the responsible body and executive body carry out their roles. It comes down to the organisation’s culture, its remit, size and structure and the sector it operates in.
Broadly though, your responsible body will be thinking about the organisation as a whole and how it can create and protect value. It needs to face the uncertainty that the organisation is in, both in the short and long term, and see the opportunity as well as the hazards.
The responsible body should
- communicate clearly with the organisation about what information it needs to make its decisions
- be accountable for its decisions about objectives
- state its risk appetite, so that management is clear about where the boundaries are when pursuing their objectives
- be satisfied with the strategy
- be satisfied that the organisation has the frameworks, processes and culture in place to carry out the strategy
- be accountable for the work that the organisation does in carrying out the strategy
- attest that it’s satisfied with the adequacy of the organisation’s frameworks, processes and culture for managing risk.
This means it should
- investigate potential paths to achieve the responsible body’s objectives
- analyse the costs and benefits of those options
- assess the organisation’s risk tolerance
- recommend one of those paths to the responsible body as the optimal strategy
- put in place the frameworks, processes and culture to achieve the strategy
- put in place systems for monitoring and reporting risk and performance indicators
- report to the responsible body on progress
- report to the responsible body on changes in the internal or external context that might mean they need to reassess the risks the organisation is taking and creating
- report to the responsible body on changes in priorities when it comes to objectives and plans.
Risk practitioners can play a valuable role in making sure the organisation doesn’t over-design its frameworks and processes. They can focus on developing the objectives, workshop the strategic options and work out the plan.
They can also make a difference by ensuring risk management doesn’t become a parallel framework or a set of processes but is, instead, simply how you meet objectives.
When it comes to defining objectives, a risk practitioner—in collaboration with colleagues—can help decision-makers by
- designing a process that keeps risk thinking and techniques on the table
- facilitating the deliberation
- researching the internal and external context
- checking past performance or benchmarking
- documenting and feeding back results as thinking develops
- advising on how the organisation could share risk or act on state-significant risks
- advising on approaches to risk
- reminding of responsibilities and obligations.
When it comes to assessing material risks to the organisation’s strategies and plans, the risk practitioner—again in collaboration with others—can help by
- making sure people know how to assess and describe risks
- taking risk management and insurance out of their silos
- creating a positive risk culture
- designing templates for strategies and plans that prompt thinking about the organisation’s risk appetite and tolerances, risk indicators, state-significant risks, and other stakeholders and potential partners in the sector.
As we’ve said before, risk is dynamic. What may have been an achievable objective 6 months ago may not be now. Conversely, what may not have been achievable three months ago may now be possible.
The COVID-19 pandemic generated many examples of this across the sector. Events like this compel us to examine our objectives and either find others that are achievable in the new environment, or think more critically about the value that we were trying to create or protect by achieving that objective.
Another more common change in circumstances is not getting the funds you expected for a project. Be ready to de-scope rather than attempt to deliver the outcomes described for the earlier budget.
Both are examples of how circumstances can change radically. Be ready for change, even when things seem secure.
- Build capability beforehand so that when you’re compelled by circumstances to stop delivering services the old way, you can switch to the new way.
- Prepare alternative ways to meet objectives if resources change.
- Have alternatives in your drawer ready to go if the opportunity presents itself.
The decisions you make about risk are critical to strategy and business planning, not an afterthought—that’s why the VGRMF makes this a requirement.
We encourage you to start at the top with your objectives, apply risk thinking and techniques to your strategies and plans, and make sure your people know how to respond to change.