Managing risk in organisations
Material about enterprise risk management, ISO 31000 and related risk management standards, how to develop ERM frameworks and how to implement them in your organisation.
Does risk management add value? RMIA Conference 2023
Dr Dale Cooper was an invited speaker at the Risk Management Institute of Australasia (RMIA) Conference, held in Adelaide Tarntanya on 8-10 May 2023. He outlined the evidence that good enterprise risk management (ERM) contributes to better organisational performance, and that good project risk management contributes to better project outcomes. An extended version of his presentation is available.
Embedding risk management at the top
The purpose of risk management is to create and protect value by helping us achieve better business outcomes. It should be part of our day-to-day activities. When it is integrated closely into the way we manage our business, it helps us be more effective and efficient, make better decisions, capture opportunities and avoid unpleasant surprises. This short tutorial describes how we can embed risk management at the executive level, to lead its wider adoption in our operations.
Controls 4: Monitoring risks and controls
Monitoring is an important process in most organisations. It is critical for the effectiveness of risk management and control assurance. Risk owners monitor the business environment and indicators associated with the causes of risks to help ensure their perspectives of and assumptions about the risks for which they are responsible remain valid. Control owners, and assurance providers at Line 2 and Line 3 of the three lines of assurance, monitor indicators of control effectiveness, particularly for critical controls.
Learning lessons and root cause analysis
Organisations use root cause analysis to learn lessons from both successes and failures, and then to develop plans that will improve performance. This tutorial describes consistent and systematic methods that can be adopted for learning lessons and generating improvements. It describes two methods: fishbone analysis, and cause and effect analysis.
Bow tie analysis
Bow tie analysis is a simple process for identifying where new or enhanced controls may be worthwhile. It is a core part of risk treatment planning, particularly where there is a high level of risk or where control effectiveness is assessed as low.
Controls 5: Developing an assurance program
This tutorial is for directors and managers who need assurance that critical controls are in place and working, and that they will work in the future if they are needed. To be effective, assurance must be a planned and deliberate activity. This tutorial discusses how to develop an assurance plan that is appropriate for your organisation.
Process and guidewords for organisational HAZOPs
When organisations change their structures, there is great value in stress-testing the proposed new arrangements to ensure they will work as intended, and will not generate unintended adverse outcomes. Organisational HAZOPs provide one way of doing this. This technical note outlines the process we use for organisational HAZOPs and the guidewords we recommend for such studies.
Showing that effective risk management adds value
We have been advising large businesses and government entities on enterprise risk management (ERM) for many years. Managers often ask us to justify why they should invest in ERM and how they can demonstrate its value in measurable terms. This guidance note distils some of the empirical evidence on the benefits an organisation should expect from an effective ERM framework and process. The way each organisation implements change and assesses its benefits will depend on its context and culture.
Controls 3: Conducting a simple control self-assessment
This tutorial is for managers who need assurance that critical controls are in place and working, and that they will work in the future if they are needed. The approach described here will be useful for risk owners, for the key controls associated with their risks; for control owners, for the controls for which they are accountable; and for those managers who conduct assurance activities.
Controls 2: Introduction to control design
This tutorial is for line managers who are also risk owners, first to help them to think about where new or modified controls might be necessary, and then to select the most appropriate kinds of controls to address the risks for which they are responsible.
Controls 1: Introduction to control assurance
This tutorial introduces important concepts associated with controls and control assurance. The ideas and definitions provided here form a basis for more detailed material discussed in other related Broadleaf tutorials.
Headline risks – seeing the big picture
Risk assessments are often undertaken in great detail, or several assessments are conducted on different parts of an organisation, project or program. The detail may be appropriate for tactical decisions and specific risk treatment planning, but there is often too much detail for high-level decisions and important insights about the whole organisation might pass unnoticed. Headline risks provide a high-level summary of what might happen and what the consequences might be. This resource note describes how headline risks can be developed and used, with examples from recent case studies.
Introductory guide: Preparing for a risk assessment
This guide is designed for anyone needing to carry out or take part in a risk assessment who is not familiar with the process. Risk assessment is only part of risk management but it is often where people enter the process for the first time.
Getting the most out of risk assessment
Dr Stephen Grey made a presentation on recent developments in qualitative risk analysis to the Melbourne Chapter of the Project Management Institute on 29 April 2014. It covered 3 topics: recent developments in approaches to risk management, the benefits a risk assessment can bring to a project team outside of the core risk management activity, and what we can learn from the relationships between risks.
Governance oversight and the risk management framework
The risk management framework is the foundation for effective risk management. The new ASX Principle 7 requires organisations to implement a sound framework and for boards to carry out annual assessments of the effectiveness of these frameworks. This means that organisations have to move on from sending boards reports containing 'lists of risks' and instead provide them with information on their framework and its effectiveness. This presentation describes a risk management framework and its components and shows how companies can report to a board on the effectiveness of their approach to risk management.
Do you have a sound risk management framework?
This presentation by Grant Purdy describes a risk management framework and its components and shows how companies can report to a board on the effectiveness of their approach to risk management.
Setting priorities for risk treatment and assurance of controls
In an organisational setting, risk assessment processes often identify many risks, but managers usually have limited time and resources available for dealing with them. Managers need to be able to set priorities to focus their attention on the areas where the application of effort will produce the most effective risk treatment and assure the effectiveness of controls.
Effective risk management under PGPA
Broadleaf has developed a range of innovative risk management services to assist Commonwealth entities in meeting their risk management obligations under the new *Public Governance, Performance and Accountability Act 2013* (the PGPA Act).
Starting points
The starting point for a discussion about risk management might not always use the language of a formal standard. This material sets out requests and questions we sometimes receive with explanations and links to material that can clarify how to address them.
Risk assessment and risk treatment
This tutorial describes a practical approach to risk assessment and risk treatment based on ISO 31000. It stresses the importance of preparation to ensure the assessment is efficient, suitably rigorous and reliable.
Evaluating the effectiveness of risk management
This guide describes a systematic way of finding out how effective an organisation’s current approach to managing risk is, leading to a realistic improvement program. It stresses how management must be involved in all stages to ensure success.
Enterprise risk management
This guide describes how organisations can go about the transition needed to achieve a more encompassing and less silo-based approach to managing risk. It includes practical advice on a simple, seven-step process that we recommend organisations adopt to ensure a successful transition.
A simple guide to risk and its management
This guide describes the current definition of risk and how risks can be characterised. The risk management process is discussed in the context of that definition and the concepts of risk appetite and risk tolerance are explained. Finally, the guide describes briefly how organisations can put risk management into practice through a framework.
ISO 31000:2009 – setting a new standard for risk management
This paper by Grant Purdy, Associate Director, was published in *Risk Analysis*, the journal of the Society for Risk Analysis, June 2010. It outlines how the standard was developed and highlights some of its key features.
Starting out with risk management
If you are interested in developing your risk management practices in general or need to carry out a focussed exercise on a specific project or business venture, you will find a few pointers here.
Strategic business risk management
An article by Dr Stephen Grey, Associate Director, published originally in The Mining Chronicle, Vol. 3, No. 2, March 1998.