A board should develop and approve a risk management plan suited to the size and needs of its public entity and its risk profile.
A board should inform its responsible minister of major risks to its public entity and the applicable risk management procedures in place to mitigate them.
Risk management involves protecting the public entity from the chance of something happening that will impact negatively on the objectives of the public entity.
Develop a Risk Management Plan
A board should manage risks through a board-approved risk management plan suited to its size and risk profile. Risk management begins with five basic questions:
- What can go wrong?
- How likely is it to go wrong?
- What will be the consequences if it goes wrong?
- What will be done to prevent it?
- What will be done if it happens?
Not every risk can or should be prevented but, by understanding what the risks are and agreeing on appropriate prevention strategies, the level of risk can be reduced or managed.
The benefits of risk management are to:
- protect the public entity from legal liability
- lower insurance premiums
- improve the perception of your public entity
- provide better information for decision-making
- design better asset management and maintenance
- protect stakeholder relationships.
Stakeholder management is a key aspect of risk management for a public entity. Stakeholders may be affected by many of the decisions of the board. Consultation and communication may be necessary to keep stakeholders (and the board) informed and to ensure that stakeholder interests are properly considered.
Some authorities spell out their obligations to external stakeholders in a legal statement of obligations and instruments, such as the Water Industry Regulatory Order or the Patient’s Charter.
Register of Assets
A board is required to maintain a register of assets held or managed by it and to develop and keep under review a risk management strategy (s. 44B of the Financial Management Act 1994 and s. 23 of the Victorian Managed Insurance Authority Act 1996).
The Victorian Managed Insurance Authority (the VMIA) receives a copy of these documents at intervals determined by the VMIA, together with a report on implementation of the public entity’s risk management strategy. The VMIA reports to the minister and the public entity on the adequacy of the register, the risk management strategy and the risk report.
Under the Public Administration Act 2004 (s. 81(1)(b)), a board of a public entity governed by Division 2 of Part 5 of the Act must inform the responsible minister and the relevant departmental secretary of:
- known major risks to the effective operation of the public entity
- the risk management systems that it has in place to address those risks.
Directors need to understand the risks and liabilities potentially affecting their public entity and need to exercise care, skill and diligence in dealing with them. They are required to ensure that effective risk management strategies are developed by the public entity including appropriate internal controls.
Risk management is closely linked to a director’s duty of care. If the board does not ensure that the public entity’s risk is managed, it is not fulfilling its duties.
AS/NZS ISO 31000:2009 Risk management – Principles and Guidelines defines the Australian standard that a board may wish to use for information when developing a risk management plan.
The components set out here provide a useful overview of the of the principal risk management issues relevant to the government sector and are not intended as a comprehensive checklist of board or public entity risk management responsibilities.
Identify what can have a negative impact on the public entity’s objectives. Risk categories in the public sector include:
- financial risk such as market risk (gains/losses from changes in financial and physical market prices), liquidity risk (risk that a public entity cannot fund its operations or convert assets/contracts into cash) and credit risk (gains/losses from the failure of a counterparty to fulfil all of their obligations under contracts or agreements)
- social risk such as where government policy or its administration leaves a social group worse off
- public safety risk such as defective management of a public utility such as the state’s water supply system
- environmental risk such as the consequences of a spill of dangerous chemicals
- health and safety risk such as physical and psychological injuries and work related disease of employees, contractors, their staff or directors who attend public entity premises
- risks to customers, patients and clients resulting from poor advice provided by staff
- risk resulting from procedural or policy shortfall.
- legal risk (including legislative risk), embarrassment, or losses suffered by citizens because of poorly drafted legislation
- operational risk (the potential for gain or loss arising from a procedural or operational failure) such as loss of public money through misappropriation or expenditure based on poor decision making resulting from incomplete research and analysis by the board or management (these illustrate inadequate internal controls)
The board, with management’s assistance, needs to identify each risk within each risk category.
- Determine how likely it is that the risk will eventuate and what the likely consequences will be for the public entity both internally and externally. To do this, you can develop a risk assessment matrix.
Determine the degree of seriousness for each risk if the risk were to eventuate. The AS/NZS 4360:2004 Risk Management Standard uses the following risk identification:
- E: extreme risk (immediate action required)
- H: high risk (senior management attention needed
- M: moderate risk (management responsibility must be specified)
- L: low risk (manage by routine procedures)
Determining how the likelihood or degree of seriousness could be reduced and what the public entity would do if the risk were to eventuate.
Using the risk assessment matrix, developed using the criteria of likelihood and seriousness, it is easy to see visually which risks may be necessary to address first.
For example, a risk may be identified as highly unlikely and extremely serious if it did occur. If the public entity manufactured aeroplane engines, a plane crash as a result of a faulty engine may be regarded as highly unlikely and extremely serious.
It would be up to management to determine the public entity’s degree of tolerance for such a risk and develop strategies for addressing such a risk for the board’s approval. In some cases, some public entities, usually larger, commercial or quasi commercial public entities, may need departmental and/or ministerial approval of the public entity’s corporate strategy and risk plan.
The board and management need to conduct regular reviews of the risk assessment matrix to determine what has changed and update the matrix.
Directors can gain a level of assurance that adequate risk management arrangements are in place by:
- ensuring that they have been briefed on and have approved the risk framework to be used, particularly consequence ratings and levels of acceptable risk
- requesting a briefing on risks at meetings (the frequency of such briefings depends on the risk profile of the public entity)
- appointing a specific committee to evaluate and monitor risk management with regular reports to the board
- asking the auditor, or hiring an external firm, to conduct an independent review.
In some instances, the board’s audit and risk management committee may be given general responsibility for risk management. However, the whole board is always held accountable for overseeing risk management in the public entity and all directors should be fully informed about all significant risks.