Is your risk management framework up to scratch?


Recently there have been a number of events, both national and state based, which have had unforeseen and sometimes catastrophic consequences for business. The most obvious is COVID-19, which came hot on the heels of widespread and devastating bush fires, flooding and drought. These have, unsurprisingly, created a heightened awareness of risk. If your organisation has a Risk Management Framework, this article may serve as a refresher for revisiting it. If you don’t have a framework, you will find some valuable pointers to help you develop one.

Risk is a part of doing business; however, an organisation needs a clear and agreed understanding of its risk appetite, as this helps define the Risk Management Process. Appetite for risk changes over time, and the risks themselves may increase or diminish, e.g. with technological advances.

The Risk Framework is an overarching, company-wide document that informs Directors, Senior Management, Statutory Authorities and Auditors on how the company manages all risks within the business. It sets out processes for identifying, assessing, mitigating and controlling risk, as well as the level of risk the Board of Directors is willing to accept, otherwise known as the Risk Appetite.

The obvious place to start when reviewing your Risk Management Framework is the recognised Standard for Risk Management, ISO 31000:2018. It provides a set of guidelines for risk management practices, covering:

  • Identification
  • Assessment
  • Control of risk

However, it only provides the basic processes, and you may choose to build on these basic principles to develop your own risk framework into a best practice management system.

If your organisation has Board Directors, it’s important that all Board Directors are fully aware of their fiduciary duty, legal obligations and governance responsibilities as an Officer of the Company, particularly with regard to their ownership of the Risk Framework and Enterprise Risk Register. Board Directors are personally liable under several State and Federal Acts, some carrying custodial sentences and hefty fines, especially the various Occupational Health & Safety and Environmental Protection Acts.

There are numerous Statutory Authorities such as:

  • WorkSafe
  • Environmental Protection Authority
  • Australian Charities and Not-for-Profit Commission (ACNC)
  • Australian Securities and Investment Commission (ASIC)

Boards and Senior Management must be fully trained in their obligations, responsibilities, and risk management processes to fulfil their statutory requirements under these Acts.

Risks are assessed and documented on Risk Registers, which are often developed on three levels using the Consequence and Likelihood Scale:

  1. Enterprise Risk Register (Owned by the Board of Directors)
  2. Operational Risk Register (Owned by Senior Management)
  3. Site Risk Register (Owned by an individual site)

Risk Register refresher:

  • Each risk has a separate risk category e.g., Finance, Legal, OHS, Environment etc. with a matrix that allows for easy assessment of that risk.
  • Risk is firstly assessed with no controls or mitigations in place (Inherent Risk) and assessed again after controls and mitigations are in place (Residual Risk).
  • Every risk has an owner who is responsible for the mitigations and controls and provides an update to the Board of Directors or the CEO no less than twice annually.
  • Operational and Site Risk Registers are managed in the same way as the Enterprise Risk Register and use the same risk categories; however, they will contain a far larger number of individual risks to be identified, assessed and controlled.

Steps to review risk framework

There is a structured approach to reviewing your risk framework. Reviews should be completed regularly, at least every 12 months, with a focus on risks affecting your greatest asset, i.e. your employees. Workers’ compensation legislation varies by state and is very complicated, and the risks of not getting this right can be both human and financial.

It may be worth speaking with workers’ compensation specialists who can review your plans and advise on how best to control your workers’ compensation premiums, which are affected by how well you manage risk within the business.

Establishing the Context

The business defines the internal and external operating environment in which the firm operates. As COVID-19 has demonstrated, projecting the future environment can be challenging. Knowing it will be different, Directors are required to use their judgment in such matters in the best interests of the company or organisation.

Risk Identification

As well as the traditional business risk assessments, consider how COVID-19 has already impacted the business, how it will continue to impact the business, and what happens if we go into lockdown again in the future. Other risks include the impact of Climate Change and Cyber-attack. What can be learned from recent responses to crises, bearing in mind that impacts can be both positive and negative? For example, working from home may reduce company costs, but home-based risks may be less within the company’s control.

Risk Analysis and Evaluation

As well as assessing the inherent risk, the current controls and the residual risk, it is very important to review the parameters of your Risk Matrix. It is vital that you review the Consequence and Likelihood scales to ensure they encapsulate the full range of the company’s current operating conditions.
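The Risk Register refresher above and the matrix review just described can be made concrete as a small register check. This is an added example, not code from the article or from Insurance House; the 5-point Likelihood and Consequence scales, the rating bands, the appetite threshold and the register entries are all constructed assumptions, and the 182-day window is one reading of "no less than twice annually".

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed 5-point scales. The article names the Consequence and
# Likelihood Scale but gives no values, so these numbers are an assumption.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
BANDS = ["low", "medium", "high", "extreme"]   # ordered rating bands
REVIEW_DATE = date(2021, 6, 30)                 # constructed review date

def rating(likelihood: str, consequence: str) -> str:
    """Place a likelihood x consequence product into a rating band."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    if score >= 15:
        return "extreme"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"

@dataclass
class Risk:
    name: str
    category: str          # e.g. Finance, Legal, OHS, Environment
    owner: str             # responsible for controls and mitigations
    inherent: tuple        # (likelihood, consequence) with no controls in place
    residual: tuple        # the same pair after controls and mitigations
    last_update: date      # last update given to the Board or CEO

def review_register(risks, appetite: str, today: date, max_gap_days: int = 182):
    """Flag risks whose residual rating exceeds the agreed appetite, or whose
    owner has not reported within the twice-annual update window."""
    findings = []
    for r in risks:
        res = rating(*r.residual)
        if BANDS.index(res) > BANDS.index(appetite):
            findings.append((r.name, f"residual {res} exceeds appetite {appetite}"))
        if (today - r.last_update).days > max_gap_days:
            findings.append((r.name, "owner update overdue"))
    return findings

def sample_register(today: date = REVIEW_DATE):
    """Constructed Enterprise Risk Register entries (illustrative only)."""
    return [
        Risk("Cyber-attack", "IT", "CIO", ("likely", "major"), ("possible", "moderate"), today - timedelta(days=30)),
        Risk("Pandemic lockdown", "Operations", "CEO", ("possible", "catastrophic"), ("possible", "major"), today - timedelta(days=200)),
        Risk("Site flooding", "Environment", "Site Manager", ("unlikely", "major"), ("rare", "moderate"), today - timedelta(days=100)),
    ]
```

Running `review_register(sample_register(), "medium", REVIEW_DATE)` flags only the pandemic entry, once for a residual rating above appetite and once for an overdue owner update; the other two entries sit within appetite and have been reported on recently.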

Risk Treatment

Determine the priority of the treatment plans for each level of risk. In the case of a risk like COVID-19 and the uncertainty surrounding a pandemic, the biggest challenge is putting treatments in place with no precedent and with uncertainty about their effectiveness.

Risk and your employees

Your organisation’s most important asset is its employees. Ensuring employee safety at all times is critical and failure to do so can result in hefty fines or imprisonment.

You must put health and safety practices in place as soon as you start your business. Under Australian WHS laws your business must ensure the health and safety of your workers and not put the health and safety of other people at risk. To do this you must:

  • Provide a safe work environment
  • Provide and maintain safe machinery and structures
  • Provide safe ways of working
  • Ensure safe use, handling and storage of machinery, structures and substances
  • Provide and maintain adequate facilities
  • Ensure processes for the purchase of safe plant and equipment
  • Provide any information, training, instruction or supervision needed for safety

If you would like to speak with specialists about managing employee risk, having a safety audit of your workplace or building strategies to maintain workplace safety, Insurance House’s partner New Age HSE Services are experts in this field. Together with Insurance House’s Workers Compensation team, they can help reduce your insurance premiums significantly. To find out how we could help you, why not give us a call on 1300 305834 and speak with Mark Farrugia.

Our advice is general in nature. To read the full General Advice Warning click here.