
Managing risk in organisations

Material about enterprise risk management, ISO 31000 and related risk management standards, how to develop ERM frameworks and how to implement them in your organisation.

  • Does risk management add value? RMIA Conference 2023

    Dr Dale Cooper was an invited speaker at the Risk Management Institute of Australasia (RMIA) Conference, held in Adelaide Tarntanya on 8-10 May 2023. He outlined the evidence that good enterprise risk management (ERM) contributes to better organisational performance, and that good project risk management contributes to better project outcomes. An extended version of his presentation is available.

  • Embedding risk management at the top

    The purpose of risk management is to create and protect value by helping us achieve better business outcomes. It should be part of our day-to-day activities. When it is integrated closely into the way we manage our business, it helps us be more effective and efficient, make better decisions, capture opportunities and avoid unpleasant surprises. This short tutorial describes how we can embed risk management at the executive level, to lead its wider adoption in our operations.

  • Controls 4: Monitoring risks and controls

    Monitoring is an important process in most organisations. It is critical for the effectiveness of risk management and control assurance. Risk owners monitor the business environment and indicators associated with the causes of risks to help ensure their perspectives of and assumptions about the risks for which they are responsible remain valid. Control owners, and assurance providers at Line 2 and Line 3 of the three lines of assurance, monitor indicators of control effectiveness, particularly for critical controls.

  • Learning lessons and root cause analysis

    Organisations use root cause analysis to learn lessons from both successes and failures, and then to develop plans that will improve performance. This tutorial describes consistent and systematic methods that can be adopted for learning lessons and generating improvements. It describes two methods: fishbone analysis, and cause and effect analysis.

  • Bow tie analysis

    Bow tie analysis is a simple process for identifying where new or enhanced controls may be worthwhile. It is a core part of risk treatment planning, particularly where there is a high level of risk or where control effectiveness is assessed as low.

  • Controls 5: Developing an assurance program

    This tutorial is for directors and managers who need assurance that critical controls are in place and working, and that they will work in the future if they are needed. To be effective, assurance must be a planned and deliberate activity. This tutorial discusses how to develop an assurance plan that is appropriate for your organisation.

  • Process and guidewords for organisational HAZOPs

    When organisations change their structures, there is great value in stress-testing the proposed new arrangements to ensure they will work as intended, and will not generate unintended adverse outcomes. Organisational HAZOPs provide one way of doing this. This technical note outlines the process we use for organisational HAZOPs and the guidewords we recommend for such studies.

  • Showing that effective risk management adds value

    We have been advising large businesses and government entities on enterprise risk management (ERM) for many years. Managers often ask us to justify why they should invest in ERM and how they can demonstrate its value in measurable terms. This guidance note distils some of the empirical evidence on the benefits an organisation should expect from an effective ERM framework and process. The way each organisation implements change and assesses its benefits will depend on its context and culture.

  • Controls 3: Conducting a simple control self-assessment

    This tutorial is for managers who need assurance that critical controls are in place and working, and that they will work in the future if they are needed. The approach described here will be useful for risk owners, for the key controls associated with their risks; for control owners, for the controls for which they are accountable; and for those managers who conduct assurance activities.

  • Controls 2: Introduction to control design

    This tutorial is for line managers who are also risk owners, first to help them to think about where new or modified controls might be necessary, and then to select the most appropriate kinds of controls to address the risks for which they are responsible.

  • Controls 1: Introduction to control assurance

    This tutorial introduces important concepts associated with controls and control assurance. The ideas and definitions provided here form a basis for more detailed material discussed in other related Broadleaf tutorials.

  • Headline risks – seeing the big picture

    Risk assessments are often undertaken in great detail, or several assessments are conducted on different parts of an organisation, project or program. The detail may be appropriate for tactical decisions and specific risk treatment planning, but there is often too much detail for high-level decisions and important insights about the whole organisation might pass unnoticed. Headline risks provide a high-level summary of what might happen and what the consequences might be. This resource note describes how headline risks can be developed and used, with examples from recent case studies.

  • Introductory guide: Preparing for a risk assessment

    This guide is designed for anyone needing to carry out or take part in a risk assessment who is not familiar with the process. Risk assessment is only part of risk management but it is often where people enter the process for the first time.

  • Getting the most out of risk assessment

    Dr Stephen Grey made a presentation on recent developments in qualitative risk analysis to the Melbourne Chapter of the Project Management Institute on 29 April 2014. It covered 3 topics: recent developments in approaches to risk management, the benefits a risk assessment can bring to a project team outside of the core risk management activity, and what we can learn from the relationships between risks.

  • Governance oversight and the risk management framework

    The risk management framework is the foundation for effective risk management. The new ASX Principle 7 requires organisations to implement a sound framework and for boards to carry out annual assessments of the effectiveness of these frameworks. This means that organisations have to move on from sending reports containing 'lists of risks' to boards and instead provide them with information on their framework and its effectiveness. This presentation describes a risk management framework and its components and shows how companies can report to a board on the effectiveness of their approach to risk management.

  • Setting priorities for risk treatment and assurance of controls

    In an organisational setting, risk assessment processes often identify many risks, but managers usually have limited time and resources available for dealing with them. Managers need to be able to set priorities to focus their attention on the areas where the application of effort will produce the most effective risk treatment and assure the effectiveness of controls.

  • Effective risk management under PGPA

    Broadleaf has developed a range of innovative risk management services to assist Commonwealth entities in meeting their risk management obligations under the new *Public Governance, Performance and Accountability Act 2013* (the PGPA Act).

  • Starting points

    The starting point for a discussion about risk management might not always use the language of a formal standard. This material sets out requests and questions we sometimes receive with explanations and links to material that can clarify how to address them.

  • Risk assessment and risk treatment

    This tutorial describes a practical approach to risk assessment and risk treatment based on ISO 31000. It stresses the importance of preparation to ensure the assessment is efficient, suitably rigorous and reliable.

  • Evaluating the effectiveness of risk management

    This guide describes a systematic way of finding out how effective an organisation’s current approach to managing risk is, leading to a realistic improvement program. It stresses how management must be involved in all stages to ensure success.

  • Enterprise risk management

    This guide describes how organisations can go about the transition needed to achieve a more encompassing and less silo-based approach to managing risk. It includes practical advice on a simple, seven-step process that we recommend organisations adopt to ensure a successful transition.

  • A simple guide to risk and its management

    This guide describes the current definition of risk and how risks can be characterised. The risk management process is discussed in the context of that definition and the concepts of risk appetite and risk tolerance are explained. Finally, the guide describes briefly how organisations can put risk management into practice through a framework.

  • Starting out with risk management

    If you are interested in developing your risk management practices in general or need to carry out a focussed exercise on a specific project or business venture, you will find a few pointers here.
