Public sector safeguards: effective risk management in government agencies

Doug Nixon, Dr Ashley Tsacalos and Jamie Doran
26 Mar 2025
4 minutes

Adopting advanced risk management techniques can be a challenge for government agencies with limited resources, but it can be done with careful implementation.

Australian government agencies, both Commonwealth and State, face many risks. These include cybersecurity threats, financial instability, geopolitical tensions, and climate-related disasters. As these risks become more complex and news cycles continue to shorten, agencies must continue to implement and refine robust risk management techniques to ensure effective governance, policy implementation, and operational resilience. Federal and/or State-level risk management policies guide Australian government agencies in integrating risk management into their governance, operations, and decision-making. To help agencies with implementation, there are several ISO 31000-based methodologies available, such as the NSW Treasury Risk Management Toolkit.

At the same time, however, many agencies operate with extremely limited risk management resources, so they need targeted, scalable, and cost-effective approaches. Four crucial tasks help to achieve this. But first, let's dig a bit deeper into the risks agencies are facing.

The growing complexity of risk management in government agencies

Government agencies face many types of risks that need careful management, including:

  • Cybersecurity, scam and fraud threats: As geopolitical tensions rise and digital technology advances rapidly, government agencies are prime targets for cyberattacks, fraud, and data breaches.
  • Political and policy risks: Agencies often have mandates that span the political cycle, so changes in government or policy direction can impact program delivery.
  • Financial and budgetary risks: Fiscal constraints, economic downturns, and inefficient resource allocation can impact public service delivery.
  • Operational risks: People risks, challenges in supply chain management (including third party risk), workforce capabilities, and process inefficiencies can lead to service disruptions and, in extreme cases, inquiries.
  • Regulatory and compliance risks: Agencies may have an array of regulatory and compliance requirements, as well as notification procedures in the event of a breach.
  • Environmental and social risks: Australia faces increasing risks from climate change, natural disasters, and social challenges that require proactive mitigation.

Task 1: Establishing a clear risk appetite with limited resources

The Commonwealth and State level Risk Management policies direct agencies to establish and maintain appropriate systems and internal controls for the oversight and management of risk. Often, however, the responsibility for risk management in a government agency falls to in-house counsel, who typically will have a significant workload and limited resources to devote to the development, implementation, and operationalisation of risk management.

Agencies looking to build basic skills will often begin by setting their risk appetite to help prioritise risk mitigation efforts without overburdening limited risk teams. If your agency is one of those with limited resources and you want to establish foundational capabilities, consider:

  • Leveraging available toolkits: Resources such as the NSW Treasury Risk Management Toolkit are based on ISO 31000 and offer well-refined methodologies and guidelines for the development of core components, including:
    • Developing a mandate and securing commitment
    • Designing the framework for managing risk
    • Implementing risk management
    • Monitoring and reviewing the framework
    • Measures for continual improvement
  • Start with a principles-based approach: Focus on qualitative rather than complex quantitative risk appetite statements to guide decision-making. Set risk tolerance statements only where the agency has the administrative capability to report against them (e.g. does the data exist, and how will it be sourced?). Keep in mind that risk appetite statements should evolve as capabilities mature.
  • Using existing governance structures: Include risk appetite discussions in the existing governance framework. This will help prevent extra administrative layers, and lessen the governance burden that comes with managing these structures.
  • Aligning with whole-of-government risk strategies: Ensure risk appetite statements are consistent with the Commonwealth and State-level risk frameworks. Benchmarking risk appetite statements with other agencies is also highly advisable.
  • Leveraging shared services: Where feasible, agencies should consider available capabilities, guidance, and whole-of-government resources to develop and monitor risk appetite statements.

Task 2: Implementing risk frameworks efficiently

A clear risk management framework helps to identify, assess, manage and monitor risks. To deploy one, Australian government agencies should:

  • Integrate risk management into everyday operations: Factor in risks during policy development, program design, and procurement choices.
  • Use available resources: Agencies can tap into the work of others by collaborating with other agencies, intergovernmental risk forums, and industry groups. This helps them generate ideas, develop frameworks, manage emerging risks, and find talent.
  • Use a simplified Three Lines of Defence Model:
    • First Line: Operational managers take ownership of key risks as part of their routine responsibilities.
    • Second Line: Risk management and compliance functions provide oversight using existing governance structures.
    • Third Line: Internal audit provides independent validation but focuses on high-priority areas to optimise resources.
  • Prioritise low-cost, high-impact interventions: Focus on cost-effective risk controls, such as process automation, improved training, and strengthened oversight mechanisms.
  • Leverage existing procedures: Existing structures, such as compliance obligations management, should form part of the framework. Similarly, Internal Audit [1] plays a key role in the independent review and continuous improvement of the risk management framework.

A lean and effective risk framework helps agencies maintain strong risk governance and comply with their risk mandates.

Task 3: Risk reporting: targeted, streamlined, and productionised

Once appetite and the framework are established, transparent and effective risk reporting is essential for accountability, decision-making, and ongoing monitoring. Risk reporting and Risk Appetite Dashboards play a vital role in a strong risk management framework. Using available tools and practices, such as the NSW Treasury Risk Management Toolkit, and practices from other sectors, will help make development and adoption easier.

In addition, you should consider:

  • Streamline reporting formats: Use standardised risk reporting templates to reduce administrative burdens.
  • Automate data collection where possible: Leverage available data sources and tools so that effort goes into risk analysis rather than report production.
  • Focus on key risk indicators (KRIs): Identify a small set of critical KRIs aligned with government priorities, rather than tracking excessive metrics.
  • Engage stakeholders efficiently: Provide concise, data-driven risk reports to oversight bodies to support effective decision-making.
  • Consider the use of a risk register: It can act as a central store of identified risks, risk assessments, and treatments [2].
  • Leverage centralised government risk platforms: Some Commonwealth and State agencies use shared risk management systems, ensuring compliance without duplicating effort.

Task 4: Stress-testing: An effective tool in a resource constrained model

Stress-testing and scenario planning can be highly effective risk management tools for government agencies. They allow agencies to test parts of their Risk Management framework. They also educate executive bodies, and build muscle memory for crisis situations. They can be scaled against resource capability and be used to execute a wide array of stress events.

To make the most of limited resources, agencies can:

  • Develop streamlined stress-testing processes: Processes that can be run with limited resources, pulling in specialists depending on the desired scenario (e.g. a cyber incident, a pandemic, or a financial shock).
  • Prioritise high-impact risks: Commonwealth and State agencies should align stress testing efforts with whole-of-government priorities, such as financial resilience, cybersecurity, and disaster preparedness.
  • Use existing governance bodies: By leveraging components of the existing governance framework, exercises can be incorporated into the BAU governance cadence rather than run as stand-alone events.
  • Share stress-testing methodologies between Federal and State governments to avoid duplication and maximise efficiency.
  • Collaborate with adjacent agencies, to test, for example, contagion effects of stressed scenarios.
  • Use the exercise to test and calibrate risk appetite thresholds: demonstrating active management of risk appetite, and testing assumptions on risk tolerance levels.

Using stress-testing effectively can help government agencies prepare for various crises. This leads to faster response times, uncovers new risks, and lessens the impact in the event a crisis occurs.
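The KRI-based reporting in Task 3 and the threshold calibration in Task 4 are easier to see with a concrete register. The following is an added illustration, not code from the authors or from the NSW Treasury toolkit: a small risk register in which each qualitative appetite statement is backed by KRIs with tolerance (amber) and limit (red) thresholds, a dashboard roll-up that can be produced in BAU or under a stress scenario, and a calibration check that flags thresholds the scenarios suggest are set too loose or are already breached. Every risk ID, owner, indicator, value and shock factor is constructed sample data.

```python
"""Added illustration: a KRI-driven risk register with appetite thresholds,
a streamlined status roll-up, and stress scenarios used to check whether the
thresholds are calibrated. All risks, indicators, values and shock factors are
constructed sample data, not figures from any agency."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RANK = {"GREEN": 0, "AMBER": 1, "RED": 2}


@dataclass
class KRI:
    """A key risk indicator with tolerance (amber) and limit (red) thresholds."""
    name: str
    value: float              # current observed value (constructed)
    tolerance: float          # beyond this the indicator is AMBER
    limit: float              # beyond this the indicator is RED (outside appetite)
    higher_is_worse: bool = True

    def status(self, value: Optional[float] = None) -> str:
        v = self.value if value is None else value
        tol, lim = self.tolerance, self.limit
        if not self.higher_is_worse:
            # Mirror the scale so one comparison handles "lower is worse" indicators
            v, tol, lim = -v, -tol, -lim
        if v > lim:
            return "RED"
        if v > tol:
            return "AMBER"
        return "GREEN"


@dataclass
class Risk:
    """One register entry: owner (first line), qualitative appetite, KRIs, treatments."""
    risk_id: str
    title: str
    owner: str
    appetite: str
    kris: List[KRI]
    treatments: List[str] = field(default_factory=list)

    def status(self, shocks: Optional[Dict[str, float]] = None) -> str:
        """Worst KRI status, optionally after applying multiplicative scenario shocks."""
        shocks = shocks or {}
        statuses = [k.status(k.value * shocks.get(k.name, 1.0)) for k in self.kris]
        return max(statuses, key=RANK.__getitem__)


# Constructed register (hypothetical IDs, owners and thresholds).
REGISTER: List[Risk] = [
    Risk("CYB-01", "Cyber incident disrupts citizen-facing services", "CIO",
         "Low appetite for unpatched critical exposure on internet-facing systems",
         [KRI("critical_vulns_open_over_30d", 4, tolerance=5, limit=10),
          KRI("patch_compliance_pct", 96, tolerance=95, limit=90, higher_is_worse=False)],
         ["Monthly patch cycle", "Out-of-band patching for critical vulnerabilities"]),
    Risk("FIN-02", "Major program overruns budget", "CFO",
         "Moderate appetite for spend variance within approved contingency",
         [KRI("program_spend_variance_pct", 3, tolerance=5, limit=10),
          KRI("unreconciled_transactions", 10, tolerance=500, limit=1000)],
         ["Monthly variance review at program board"]),
    Risk("OPS-03", "Critical supplier outage", "COO",
         "Low appetite for single points of failure in critical supply",
         [KRI("suppliers_without_current_bcp", 2, tolerance=2, limit=4)],
         ["Annual BCP attestation in contracts"]),
]

# Constructed stress scenarios: multiplicative shocks applied to named KRIs.
SCENARIOS: Dict[str, Dict[str, float]] = {
    "cyber_event":     {"critical_vulns_open_over_30d": 3.0, "patch_compliance_pct": 0.90},
    "financial_shock": {"program_spend_variance_pct": 4.0, "unreconciled_transactions": 4.0},
    "pandemic":        {"suppliers_without_current_bcp": 2.5, "patch_compliance_pct": 0.97},
}


def dashboard(register: List[Risk], shocks: Optional[Dict[str, float]] = None) -> Dict[str, str]:
    """Risk appetite dashboard: risk_id -> RAG status, in BAU or under a scenario."""
    return {r.risk_id: r.status(shocks) for r in register}


def calibration_findings(register: List[Risk], scenarios: Dict[str, Dict[str, float]]) -> List[str]:
    """Flag thresholds the stress tests suggest are miscalibrated: RED in BAU (a live
    breach, or a limit set too tight) or GREEN under every scenario (a limit no
    plausible stress reaches, so it never informs a decision)."""
    findings = []
    for r in register:
        for k in r.kris:
            stressed = {k.status(k.value * s.get(k.name, 1.0)) for s in scenarios.values()}
            if k.status() == "RED":
                findings.append(f"{r.risk_id}/{k.name}: RED in BAU; confirm breach or revisit limit")
            elif stressed == {"GREEN"}:
                findings.append(f"{r.risk_id}/{k.name}: GREEN under every scenario; threshold likely too loose")
    return findings


if __name__ == "__main__":
    print("BAU:", dashboard(REGISTER))
    for name, shocks in SCENARIOS.items():
        print(f"{name}:", dashboard(REGISTER, shocks))
    for finding in calibration_findings(REGISTER, SCENARIOS):
        print("Calibration:", finding)
```

Run stand-alone, the register is GREEN across the board in BAU, goes RED on CYB-01 under the cyber scenario and on OPS-03 under the pandemic scenario, and the calibration check reports that the unreconciled-transactions limit stays GREEN even under the financial shock, which is the signal that the threshold is too loose to ever trigger an appetite discussion. Keeping the shock factors in a plain mapping means a scenario exercise can be scaled up or down without touching the register itself.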

Key takeaways

The increasing complexity of risks faced by government agencies necessitates the adoption of advanced risk management techniques. However, given limited risk management resources, agencies must focus on efficient, scalable, and collaborative approaches to risk management. Government entities can achieve strong risk governance by using current governance structures and available government toolkits. They should integrate risk practices into daily operations and focus on high-impact risks. Streamlining reporting and leveraging the work of other agencies can assist in accelerating development and deployment. This way, agencies can develop the foundational capabilities required to meet risk mandates effectively.


[1] See NSW Treasury Policy Paper TPP 09-05, Internal Audit and Risk Management Policy for the NSW Public Sector.

[2] See NSW Treasury Risk Management Toolkit for NSW Public Sector Agencies, Volume 1: Guideline for agencies.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.