What does it mean to perform well?
Fundamentally, it’s about achieving your objectives and fulfilling your remit as a public sector organisation. That means:
- defining the objectives of the organisation
- managing obstacles to achieving them in your internal and external context
- putting in place people and the resources and systems that'll make it possible for you to achieve those objectives.
These points are about the effectiveness of your organisation. Ideally an organisation should also carry out its functions and activities efficiently, with the minimum resources to do the work to the desired standards and without waste.
There's also an ethical dimension. People must be accountable, systems of governance must be transparent, decisions must be consistent and fair. All employees in the public sector must commit to the Victorian Government’s Code of Conduct.
Responsible bodies and executives have specific obligations under legislation, such as the Corporations Act, Public Administration Act or the Climate Change Act, and responsibilities with legal impacts.
Managing risk = improving performance
Each of these dimensions of performance is clearly a risk management proposition.
Risk is the effect of uncertainty on your objectives.
Assessing risks to your objectives is how you identify and analyse obstacles, threats or opportunities, so you can put in place what is needed to perform well and act ethically.
As part of the risk assessment you evaluate risk, which is crucial in deciding how to use available resources, insure against loss, and justify decisions about expenditure. This puts risk management at the heart of sound financial management.
Organisations that perform well also do what they can to control the type and amount of uncertainty in their internal and external context so that their people, resources and systems can work as effectively as possible.
If you know the organisation’s appetite for risk you can confidently pursue objectives and use the organisation’s resources wisely to control risk.
Finally, organisations that manage risk are able to perform well across a broad range of situations, from the predictable to the chaotic, because they are capable, resilient and innovative.
What this shows is that risk management, when done well, helps you achieve your objectives.
Risk management is critical to the performance of the organisation
Your responsible body and executive team have a particular role to play in demonstrating good risk management practice in their own decision-making and communicating to other decision-makers about its value.
Use the following tools and links to show how strong performance depends on effective risk management.
Your organisation’s responsible body is accountable for continuously improving the performance of the organisation, which means they are responsible for continuously improving how it manages risk.
This means you need to work with your responsible body to
- define the outcomes you are aiming for when it comes to managing risk
- develop improvement plans
- show how you'll evaluate whether your actions have achieved the desired outcomes.
Risk Maturity Benchmark
The Risk Maturity Benchmark (RMB) was developed as a self-assessment to help you put in place frameworks, processes and culture to manage risk effectively. It uses the concept of ‘risk maturity’ as a way of gauging your risk management performance and growth.
We encourage you to use it to
- assess the elements of your risk framework, processes and culture objectively
- determine the level of maturity that's right for your organisation
- identify improvement opportunities that will help you reach that level of maturity.
Assess the elements of your risk management framework, processes and culture
RMB asks a number of questions about what your organisation is doing right now to manage risk. These questions focus on your risk management frameworks and processes, and your organisation’s risk culture.
Based on your assessment, RMB will suggest improvement opportunities, so it is worthwhile doing it objectively.
You can compare results from one year to another, tracking progress over time. You can also compare your results to a benchmark of other organisations in your sector, other sectors or the whole Victorian Government. Your results are not shared with any other organisation.
Determine the level of maturity that is right for your organisation
RMB will also use the results to assess your organisation’s current risk maturity and give you an overall score.
You'll then need to determine what level of risk maturity you should aim for by the end of the performance cycle.
The risk maturity model we use in RMB has three levels of maturity: Evolving, Embedding and Optimising. The right maturity level for your organisation depends on the size of your organisation, its resources and risk profile, and the sector it works in.
A small organisation, for example, with a comparatively narrow scope of responsibility, will probably find that a foundation-level framework will not only be adequate but also the most appropriate for its decision-making culture.
Larger organisations with a wide range of responsibilities in a sector will need a framework to match and should look to how their frameworks, processes and culture can help them protect and create value for the organisation and the people, places and systems in their care. An organisation like this should aim for Embedding and Optimising.
It’s not just about the size of the organisation though. Organisations operating in a context with a high level of uncertainty, or where the potential consequences of a risk are harmful, or the causes and factors of uncertainty volatile, may need to aim for a higher level of risk maturity.
You should also consider your organisation’s risk appetite. If your responsible body has said that it's willing to take more risk to meet some objectives, then your organisation will need to be more mature in its risk management practices.
Your responsible body and executive team should also look at the organisation’s history of managing risks and how that has affected its performance. Aiming at a higher maturity level will help the organisation put in place a plan that'll improve risk management and performance.
As with all management decisions, you'll need to weigh up the costs and benefits of efforts to improve.
Remember also that your responsible body will need to attest that it's satisfied that the organisation has an adequate framework in place for managing risk.
To help you decide the right level of maturity, get in touch with your risk adviser at VMIA.
Identify improvement opportunities
The improvement opportunities that RMB suggests after you complete your self-assessment aren't obligatory. We recommend that the lead risk manager
1. works with the executive team to decide which are a priority for the organisation
2. develops a draft improvement plan which sets out detailed and specific actions that'll ‘fulfil’ the improvement opportunities
3. presents the proposed plan to the Audit and Risk Committee for their review, changes and approval
4. reports on progress to the Audit and Risk Committee according to the agreed schedule.
Start with the improvement opportunities that'll bring you into line with the mandatory requirements of the Victorian Government Risk Management Framework (VGRMF).
For the rest, look at what will bring you most value in reaching your desired level of maturity, for example:
- What will reinforce the benefits you get from actions to meet the mandatory requirements?
- What will help you address specific areas of weakness in your frameworks, processes and culture?
- What will help you manage specific risks that matter most to your responsible body?
Also note the effort it'll require to meet the priority. A high-effort action to meet a low priority isn't a good use of your organisation’s time.
Defining detailed and specific actions
The improvement opportunities suggest types of actions. For example,
“Consider integrating risk management into agency performance management programs. For example, examine what are expected risk behaviours, linking rewards programs to risk management, standard contract terms etc”
Your improvement plan will need to define specific actions, assign responsibility and resources, and set timeframes. For example,
- Action: Design a program to reward decision-makers across the organisation for exemplary risk management behaviours and actions.
- Responsibility: Director, Human Resources; Enterprise Risk Manager
- Resources: Use existing staff to design a program and manage it through to implementation.
RMB is an effective tool to help you put frameworks and processes for managing risk in place and embed them in the practices and culture of the organisation.
We encourage you to make it part of your own continuous improvement cycle and change management practices.