Embedding good governance and risk management into decision making

Requirements imposed under Tasmanian legislation

By Kevin Riley, Capital Training Pty Limited


The State Service Act 2000 (SS Act) and Financial Management Act 2016 (FM Act) impose requirements on Heads of Tasmanian Agencies.

Among other functions and powers, the SS Act requires that the Head of Agency:

  • Ensure that the Agency is operated as effectively, efficiently and economically as is practicable.
  • Determine, allocate and assign duties to be performed by employees in that Agency.

The FM Act states that the Head of Agency is responsible for the financial management of the Agency in an efficient, effective and economical manner, including in particular, ensuring:

  • The effective and efficient use of resources in achieving the Government's objectives.
  • Appropriate stewardship is maintained over the assets of the Agency, including custody, control and management of, and accounting for, all public property, public money, other property and other money in the possession of, or under the control of, the Agency.
  • Appropriate stewardship is maintained over the incurring of liabilities of the Agency, and that expenditure by the Agency is in accordance with the law.
  • That the Agency's financial management processes, records, procedures, controls and internal management structures are appropriate.
  • The proper collection of all money payable to, or collectable under, any law administered by the Agency.
  • Compliance by the Agency with this Act or any other written law.

These requirements will never be achieved by the Head of Agency alone. Under a delegated decision-making framework, Heads of Agencies need to have confidence that the governance arrangements established through management committees, delegations, policies and procedures:

  • Are working effectively in supporting decision-making and directing scarce resources towards the Agency's priority outcomes and objectives.
  • Embed active risk management in the decision-making processes applied to directing scarce resources towards the Agency's priority outcomes and objectives.

Practical strategies for embedding governance and active risk management in decision-making processes

It is important that governance and risk management within a decision-making process add value. Accordingly, the effort expended on governance arrangements and on considering risk needs to be commensurate with the level of risk itself. The following are some practical strategies which encourage the successful embedding of governance and risk management in decision-making processes.

  1. Begin with objectives in mind

    Each activity or process in an Agency will ideally have objectives which link to the priority objectives and outcomes of the Agency. These objectives are the starting point for embedding governance and risk management, as they define the critical measures of success that require governance oversight and against which risks must be most carefully managed.

    For example, when planning for the delivery of critical and essential public services in a post-natural-disaster environment, the requirement for the rapid deployment of capability in affected areas may be more important than broad, sustained coverage. Rapid deployment requires that governance arrangements over a natural disaster response have already been considered in advance of the natural disaster, and can be implemented almost at the ‘flick of a switch’. The initial focus of risk management in the natural disaster response activity might start with the risks of not responding quickly enough to meet the needs of citizens, rather than the risks of maintaining service delivery over an extended time frame.

  2. Identify where governance arrangements and risks need to be managed in an activity

    The nature of governance arrangements and risks in different business processes or activities varies; therefore governance arrangements and risk management need to be tailored. Some considerations for establishing ‘fit-for-purpose’ governance and risk management include:

    • Understanding the Agency’s appetite for risk in the process and activity, and under what circumstances and against which objectives and outcomes the Agency is prepared to accept the level of risk in the process or activity.
    • Ensuring the process is not unacceptably affected by shared risks to which it is exposed through objectives shared with other State or Commonwealth agencies, key stakeholders and entities in critical supply chains. Sometimes these shared risk exposures will not be immediately apparent; however, by identifying the extent of shared risk up-front, further information can be sought to ensure they are sufficiently understood and controlled through appropriate governance arrangements and risk management processes. This is particularly relevant when Agencies sharing a risk have differing risk appetites. Shared risks typically do not respond as well to traditional control procedures. Rather, responses to shared risks are typically governance, communication and leadership.

  3. Develop risk processes that are fit-for-purpose and easy to implement

    Where possible, weave the consideration of risk into existing activities or requirements. For example, when assessing risk during a major procurement project, add the consideration of risk to existing project reviews and gateway processes. Where possible, align project risk reporting with established project health status reports or dashboards. This encourages a culture where managing risk in a structured manner is an integral part of day-to-day management.

  4. Build staff awareness and encourage positive risk behaviours

    Embedding governance arrangements and risk management is ultimately about influencing the manner in which decisions are made. However, staff can only embed risk management in their work if they understand and value these arrangements and processes. As each Agency applies governance and risk management in different ways, it is important that staff understand the Agency’s own unique requirements and expectations in addition to the basic theory of risk management.

    Equipping staff to embed governance arrangements and risk management requires:

    • Governance and risk management training relevant to an individual’s role and responsibilities.
    • Providing easy access to generic and Agency specific governance and risk management guidance materials.
    • Establishing collaborative forums where staff can share how they have been able to successfully embed governance arrangements and risk management in their activities. This may include encouraging ‘risk champions’ who can lead by example and mentor their colleagues.
    • Ensuring that the management of risk, and the application of the entity’s risk management framework, is an explicit component of performance management.

  5. Set the ‘tone from the top’

    How senior executives question and challenge the governance arrangements and management of risk will be influential in determining the value staff perceive in these arrangements and processes. Often referred to as ‘tone from the top’, the senior executive can support the uptake and embedding of governance arrangements and risk management by:

    • Setting a personal example through the visible consideration of governance arrangements and risk in their own personal decision making and ensuring that the Agency’s strategic risks are managed consciously and communicated well.
    • Treating issues and undesirable events as the breakdown of governance arrangements or the realisation of risks. When things go wrong, asking whether the governance arrangements were operating as expected and were ‘fit-for-purpose’, whether relevant risks, including new and emerging risks, had been identified and assessed, and whether the treatment strategy was documented and implemented.
    • Rewarding or recognising those who establish appropriate governance arrangements and manage risk well. This includes supporting staff who took informed, sensible risks but may not have achieved the outcome they had hoped for.

About the author
Kevin Riley has over 30 years’ public sector experience in budgeting, financial and risk management. A Fellow with both the Institute of Chartered Accountants Australia and New Zealand and CPA Australia, Kevin was also recognised as a National Fellow of the Institute of Public Administration Australia in 2022 for his outstanding contribution to the practice of public administration over his professional career.


Want to learn more?

Our Governance and Risk Management course by Kevin is designed to equip public sector managers with the tools and frameworks they need to strengthen their governance and risk management practices.

During this course, you will gain practical skills in:

  • Applying the principles of governance and risk management in a public sector context.
  • Conducting risk assessments and identifying effective treatments.
  • Using tools like the ‘risk bow tie’ to better describe and manage risk.
  • Monitoring internal controls to ensure lasting effectiveness.



Published: 7 September 2025