Risk management

Just starting out?

If you are just starting out in risk management, there is some excellent guidance available, for example from RiskNZ.

Keeping up to date with risks

Cyber security risks: Cyber security risk continues to be a concern for many entities, which can be compounded by incomplete knowledge. Sharing information between government agencies often proves to be too difficult because of privacy and data management concerns.

PwC has a free guide to working with large projects that could be useful to audit committees. 

The websites of the Privacy Commissioner and Government Chief Information Officer also have guidance on risks related to cyber security.

Operational risks: Even when an entity has a strong understanding of its strategic risk, it can still be at risk of an operational failure involving loss through inadequate or failed internal processes, people, and systems or from external events. The composition of an audit committee often determines the level of interest and oversight of operational risks.

People involved with audit committees tell us that operational risks sometimes eventuate because an entity's total assurance framework, Three Lines Model, and enterprise risk management have been incomplete and not fully understood or embedded.

Many events can trigger an operational risk or failure, including:

  • fraud or acts of sabotage or vandalism;
  • human error in processing transactions or carrying out control steps;
  • disruption or system failures (hardware, software, telecommunications);
  • non-compliance with law and regulatory requirements;
  • dispute with employee due to discrimination or harassment;
  • new service and/or change in the current processes;
  • poor oversight of third-party contracts; and
  • security breaches.

Sometimes entities' processes are inefficient, or they seek only limited management attestation over operations and key processes, when such attestation would give assurance about the effectiveness of systems and controls. For instance, great effort has been made to enhance compliance with legislation through the rollout of compliance tools such as ComplyWith. However, some entities require only limited attestation over the effectiveness of operational controls.

When changes are made to processes or structures, staff are redeployed or made redundant, but little attempt is made to redesign processes to support the changes. This can limit any efficiency gains.

Risk appetite

Entities face a range and diversity of risks. It is crucial for every entity to have mechanisms in place that allow governors and management to assess the range of risks the entity faces. It is just as important to have procedures in place to mitigate those risks and to monitor them.

Having an audit committee is one option in risk assessment and mitigation. However, if the audit committee is to take on that responsibility, it needs to be clear about the areas of risk that it has to focus on.

Our auditors tell us that the audit committees of many medium and large size public entities focus on financial reporting, oversight of the external audit process, and corporate risk. (See the results from our survey in the infographics we've prepared.)

Is this focus appropriate? Are other parts of the governance arrangements identifying and testing risk management in other areas? Do audit committee members understand which areas of risk they need to assess? How is this communicated to the audit committee? Where else does responsibility for risk assessment and mitigation lie? How does the entity communicate to its stakeholders who is responsible for which risk area? Does it leave enough time for communicating, or does it focus only on managing its risks? Are new risks emerging, such as co-ordination risks and outcome risks, alongside more traditional risks such as financial reporting? How can the audit committee prioritise, given the mismatched expectations? Is a focused work programme a solution, and how much communication is needed about what has been de-prioritised?

For audit committees to test and challenge, and to give appropriate assurance and advice to governors, they must understand the nature of the risks as well as the expectations of key stakeholders. The risks managed by public sector entities and their governors go beyond financial control and compliance matters. Audit committees need to be in a position to understand and communicate about those wider risks, even when their purpose is to focus on financial risk and compliance.

Where an entity uses a range of committees and advisors to get assurance about its risks, its governors need to draw together and maintain a strategic perspective of the entity’s risks and how these are managed. Audit committees need to be aware of any other sources of assurance advice governors receive to ensure that they focus only on those risks assigned to them while also assisting governors to take a strategic perspective on all risks.

This grid is useful for working through and communicating risk appetite.


Please continue the conversation with your experiences of determining risk appetite.

Page last updated: 10 December 2021