Risk Policy – A core element of emerging risk management best-practice

Clear risk policy is a critical element of good governance.  This is true for organisations.  It is true for business and government sectors.  It is also true for communities and society at large.

If the words “risk” and “policy” are taken to have their generally accepted meanings:

  • Effective leaders provide clear policy direction on acceptable levels of risk and uncertainty.  Most organisations have a very low tolerance for safety risks in their workplaces.  However some other kinds of risk (such as the risk of project delays due to poor weather) may be tolerated to a much greater extent.  At a society level, there may be a very low tolerance for risks associated with the health and well being of older people but a much greater tolerance for the risk that young people may be hurt playing sport.  Risk polices have powerful, practical implications for resource prioritisation and for governance systems.  Lack of “risk appetite” policy leaves organisations and Governments vulnerable to sub-optimisation and to inconsistency of focus.
  • Effective leaders provide clear direction on the uncertainty (risk) management approach(es) to be applied.  In some simple contexts it may be appropriate to apply ISO31000 as the default risk management approach for the whole organisation, sector or system.    However this will not be effective in many contexts and is certainly not enough when seeking to maximise the positive outcomes for Australia over coming decades.  In complex contexts it is critical that a “systems” approach is taken that embraces uncertainty and focuses on how best to achieve core outcomes over time despite constantly changing uncertainties and priorities.   Lack of clear policy on risk management approach(es) leaves organisations, communities and society vulnerable to emerging events as they unfold and ultimately to sub-optimised outcomes and to avoidable disasters.
  • Effective leaders build organisations and systems to deal with inherent vulnerabilities.  A risk is only a risk if a vulnerability exists and there is also an associated threat.  There is enormous advantage to be gained, especially in highly complex social systems, in making sure that we first understand vulnerabilities.  This allows us to work on those vulnerabilities over time  as part of what we do by modifying our systems as a whole.   This permanently reduces or manages those vulnerabilities regardless of the threats that may (or may not) be seen or understood as they emerge.

The Australian Risk Policy Institute (ARPI) is working at the forefront of risk policy in Australia and globally.