Security risk management

Risk management is the identification, assessment and prioritisation of risks followed by coordinated and economical application of resources to minimise, monitor, and control the probability and/or impact of unforeseen events.

Security risk management is the specific culture, processes and structures that are directed towards maximising the benefits of security in support of business objectives.

Adopting a risk-based approach allows agencies to prioritise activities based on the likelihood and consequence of a risk being realised, maximising business outcomes while minimising the occurrence or effects of events that may negatively affect those outcomes.

Understanding security risk management

Non-corporate Commonwealth entities (agencies) need to develop a security risk management process to identify:

  • specific risks to their people, information and assets
  • the agency’s level of risk tolerance
  • appropriate protections to reduce or remove risks
  • untreatable residual risks (such as those inherent in doing business on the internet), and accept responsibility for those risks.

An appropriate level of security risk will vary from agency to agency but the process should be transparent and justifiable. Risk avoidance is not risk management.

Regardless of an agency’s functions or security concerns, the central messages for managing security risks are:

  • security risk management is the business of every staff member in the agency, including contractors
  • risk management, including security risk management, is part of day-to-day business
  • the process for managing security risk is logical and systematic, and should form part of the standard management process of the agency
  • changes in the threat environment are to be continuously monitored and necessary adjustments made to maintain an acceptable level of risk and a balance between operational needs and security.

Agencies are to:

  • establish the scope of any security risk assessment and identify the people, information and assets to be safeguarded
  • determine the threats to people, information and assets in Australia and abroad, and assess the likelihood and impact of a threat occurring
  • assess the risk based on the adequacy of existing safeguards and vulnerabilities
  • implement any supplementary protective security measures that will reduce the risk to an acceptable level.

Commonwealth risk management policy guide

The goal of the Commonwealth risk management policy is to embed risk management in the culture of Commonwealth entities, so that a shared understanding of risk leads to well-informed decision making.

The Commonwealth risk management policy sets out nine elements which non-corporate Commonwealth entities must comply with in order to establish an appropriate system of risk oversight and management.

The nine elements of the Commonwealth risk management policy are to:

  1. Establish a risk management policy.
  2. Establish a risk management framework.
  3. Define responsibility for managing risk.
  4. Embed systematic risk management into business processes.
  5. Develop a positive risk culture.
  6. Communicate and consult about risk.
  7. Understand and manage shared risk.
  8. Maintain risk management capability.
  9. Review and continuously improve the management of risk.