I spent the last two days in June in Canberra attending Australia’s only government-focused risk management event, “Enterprise Risk Management for Government”. Though probably not the best time of the year to host this kind of event, the speaker line-up was impressive: the ATO was represented, along with DIAC and FAHCSIA. Case studies were delivered – among others – by risk managers from Victoria Police, the Metropolitan Fire Brigade of Victoria and even representatives from the Defence Force.

Through these presentations and further discussions with risk managers from city councils and utility companies, a common view surfaced among virtually all delegates: great benefits can be gained from adopting an integrated approach to managing risk. The perceived benefits, to name just a few, include improved accountability, better resource allocation and – of course – demonstrable compliance with applicable regulatory and other obligations. Risk management was commonly regarded as an important capability that helps provide informed decision making while also avoiding excessive risk aversion. It is important to note that risk can also arise from not taking up opportunities to deliver more cost-effective public services. With this in mind, preparing for uncertainty while harnessing potential opportunities in a risk-conscious way can significantly help agencies improve performance and deliver outcomes more effectively.

Unsurprisingly, all government agencies present at this event had their own risk management framework in place, with relevant policies as well as objectives and responsibilities well defined. It was surprising, though, to see that all these frameworks were consistently based not on COSO ERM but on the Australian Standard for Risk Management (AS/NZS 4360). The delegates often referred to it as the most widely used global risk management standard – probably for good reason, as AS/NZS 4360 is about to become an integral part of the new global risk management standard ISO 31000. Though not a certification standard like ISO 9000 or ISO 14000, this new generic standard will guide all other ISO/IEC standards with respect to the risk management process and will also be complemented by a global vocabulary. During the conference I also got word that this standard is likely to be released towards the end of next month.

Process for managing risk (AS/NZS 4360)

In spite of having these well-defined frameworks, however, most delegates reported difficulties in developing an appropriate risk culture, especially with regard to breaking down siloed approaches to risk management in the public sector. In other words, the majority of government agencies had clearly defined the essential elements of effective risk management and thus created a foundation for managing risk effectively, but further down the road have been struggling to embed their risk management frameworks into the organization for lack of a proven implementation approach and supporting technology. I also noticed a widespread overrating of risk identification activities and the administration of risk registers.

Given this, I stressed during my conversations the importance of recognizing that, in order to effectively embed a risk management framework across all lines of assurance (business domain, risk management practice, internal audit) and in accordance with the Australian Standard, it is essential to implement each of the seven elements (or steps) of the standard depicted above. Merely identifying and administering risks is not sufficient.

Consequently, if you need to comply with this standard, which is an integral part of seemingly all risk management frameworks of Australian government agencies and beyond, each identified risk needs to be controlled and possibly treated, while the overall program has to be continuously monitored and reviewed. And it goes without saying – given the size of government agencies and other organizations in the public sector – that operationalising this best-practice risk management framework requires an appropriate methodology as part of a robust solution capable of supporting all seven steps of the risk management process. Which brings us to the ARIS Solution for GRC. This highly scalable and proven core solution not only supports each of these steps, it also supports the whole end-to-end risk management process in a truly integrated fashion. This is depicted in the graph below.

Comprehensive end-to-end risk management support with ARIS Solution for GRC in line with AS/NZS 4360

Apart from this excellent fit, the implementation itself is supported by a best-practice approach with built-in accelerators, allowing for an efficient roll-out and a seamless transition to a higher risk and compliance management maturity level. Now, what does this suggest? I reckon that a process-centric approach to risk management should suggest itself if reason is to prevail, and that one should consult IDS Scheer as one of the recognized world leaders in the domain of process management. And I hope we are on the same page: risk management is not merely list management, and compliance is not a document; these are continuous processes!

Now you might have wondered what ATO, DIAC or FAHCSIA actually stand for. This is always a problem when a common terminology is missing. In this case a simple Google search will suffice. In the GRC space, though, it is crucial to develop a common understanding and vocabulary – and Google won’t be of much help here. This is another reason why I look forward to the upcoming ISO 31000 and its supporting guidance on risk management terminology (ISO/IEC Guide 73:2009). One hint upfront: mitigation is out, treatment is in ;-)

Tags: GRC compliance