While there are many varied definitions of risk widely available, often incorporating industry-specific terminology, it is generally accepted that if we know for certain something is going to happen it has no risk attached to it. Should there be an element of uncertainty surrounding it, then risk exists.

For the purposes of this Guide, risk encompasses both possible threats and opportunities and the potential impact these may have on the ability of the agency to meet its objectives. That is, risk relates to both challenges to, and opportunities for, the agency.

The Standard separates risk into two types – strategic risk and operational risk. Strategic risks relate directly to an agency’s strategic planning and management processes. Strategic risks are those which could significantly impact on the achievement of the agency’s vision and strategic objectives.


Risk management embodies an organizational culture of prudent risk-taking within an agency. It is the process of identifying, assessing and responding to risks, and communicating the outcomes of these processes to the appropriate parties in a timely manner. An effective risk management system:

  • improves planning processes by enabling the key focus to remain on core business and helping to ensure continuity of service delivery
  • reduces the likelihood of potentially costly ‘surprises’ and assists with preparing for challenging and undesirable events and outcomes
  • contributes to improved resource allocation by targeting resources to the highest level risks
  • improves efficiency and general performance
  • contributes to the development of a positive organizational culture, in which people and agencies understand their purpose, roles and direction
  • improves accountability, responsibility, transparency and governance in relation to both decision-making and outcomes
  • adds value as a key component of decision-making, planning, policy, performance and resource allocation, when subject to continual improvement.


  • a lack of time and resources allocated to risk management
  • a lack of support for a risk management culture from executive management
  • difficulty in identifying and assessing emerging risks, especially cross-agency risks
  • a lack of independent assurance over the effectiveness of the risk management framework
  • a lack of clarity over risk ownership and the responsibility for risk management
  • over- or under-treatment of risks, and
  • unnecessarily complex risk documentation.

When risk management has commitment from executive management by encouraging a strong organizational culture and awareness of risk, an agency should be able to overcome the factors which inhibit effective risk management.