Designing processes to manage risk

Using processes to manage risk to a satisfactory level is an essential part of an organisation’s risk management framework.

One process that all decision makers should follow is the risk assessment process. Every organisation should have it as part of its framework for managing risk.

It is not the only process an organisation will need to manage its risks effectively though. A hospital, for instance, will have a range of processes suitable for its objectives; for example, an emergency room checklist to reduce the risk of patients being triaged to the wrong part of the hospital for diagnosis and care.

A mature organisation puts processes in place only when it brings benefits to decision makers and the organisation. It also looks for ways to embed process in management activities, so that managing risk and making decisions are one and the same activity, rather than a ‘compliance’ requirement.

What's a process?

A process is an ordered sequence of steps that prescribes what a person does, or many people do, to achieve a desired end.

What makes a process effective?

An effective process brings at least four benefits to decision makers and the organisation

it produces a reliable outcome, regardless of who does it
it makes it easier to quantify the time and other resources needed to achieve an outcome
it reduces waste and inefficiency
it brings accountability.

A well-designed process is a good example of a management technique that creates and protects value. It's intrinsic to a process that it reduces risk. It does this by reducing the uncertainty that surrounds our actions and behaviours.

If you're thinking of putting in place a process, ask yourself whether doing so will bring benefits of the kinds listed here.

A satisfactory level

Managing risk to a ‘satisfactory level’ implies evaluation and improvement. This means you will need to design processes so that you can report on

whether they were carried out
the outputs' quality
the benefits brought by the outputs to the organisation.

What counts as a ‘satisfactory level’ depends on an organisation’s risk appetite.

When do you need to put a process in place?

Processes can help reduce the uncertainty in chaotic or stressful situations. Evacuation procedures are a great example of this.

Conversely, they can be useful when you have quite simple triggers. This is a common strategy in natural resource management where a management plan is put into action when a threshold value is crossed, for example, in water or air quality.

A process is not the answer to every problem though. Complex situations and ‘wicked problems’ often need other strategies, such as innovation, deliberative engagement and consultation.

As risk practitioners, working with decision makers throughout the organisation, you’ll need to be able to identify when a process will protect or create value, and when it's just an ‘overhead’.

- something needs to be achieved to a certain standard every time it's done
- it matters when certain actors contribute their skill or knowledge in a complicated value chain
- certain actions are done over and over again in every part of the organisation
- activities and functions could be more efficient
- the context is dynamic and a process can provide stability and continuity.

Designing effective processes

There are many design strategies and techniques out there to help you analyse workflows or value chains, or which will help you take a creative, human-centred approach.

Whatever strategies and techniques you use, we recommend you

give time to identifying and analysing the problem you’re trying to solve with the process
specify the benefits you are trying to achieve
test the process and be prepared to change it
involve the people who will be following the process in design and testing
build in the means to evaluate the effectiveness of the process.

Examples

In 2015, a public sector agency in the transport portfolio realised that, with so many of its projects delivered by other Victorian public sector organisations, it was exposed to significant risks in project delivery, reputation and their balance sheet.
To manage them better it developed a process for identifying state-significant and shared risks.
This chart shows the flow of actions :

VMIA - Shared Risk Management Process
PDF 439.42 KB

(opens in a new window)

It’s a good example of a process that introduces stability and continuity in a dynamic context and also helps make sure various actors contribute at the right time.
The agency worked with its public sector partners on the design of the process, before it was reviewed by their executive team and endorsed by their risk committee. Over the course of its working life it was used to structure the management of a number of projects.
Better oversight of the effectiveness of controls was a key benefit, crucial for projects designed with the objective to save lives on Victoria’s roads. The process also led to better sharing of knowledge and information across the transport sector, and contributed to the discovery of risks that had not be considered up till then—such as the potential impacts of the emerging ride-share market on the wider transport system.
Another benefit, not sought when the process was initially being designed, were a better understanding of the board’s risk appetite as the project analysed potential impacts on the organisation.
Other public sector organisations in the portfolio also evaluated their risk appetite and processes to make them consistent with the

VMIA - Shared Risk Management Process
PDF 439.42 KB

(opens in a new window)

, and the whole transport sector mapped out a process for identifying sector-wide risk.
And, finally, the agency’s pioneering work put in play what were then new requirements in the Victorian Government Risk Management Framework (VGRMF)(opens in a new window), and became the foundation for VMIA’s position on managing shared and state-significant risk.
A quality assurance process protects value by making sure that what goes out to users, clients or stakeholders works and won’t harm people, places, systems or the organisation’s reputation.
But what if product failure is unlikely and the consequences, if it happens, are small? In this case, a quality assurance process may an expense that doesn’t protect value. It should only be applied to the goods and services where there is a real risk that the quality might be in question.
Risk assessment is a fundamental process in risk management. To be effective in managing risk though, the results of that process must inform management activities.
A process for escalating risk is one way in which the risk assessment process hooks onto wider management processes in the organisation’s governance. When a risk is assessed it receives an evaluation, which indicates what type of action will be required—in this case, an escalation.
This workflow shows the process for escalating risk as a next step after risk assessment.

VMIA - An example of an escalation procedure
Word 28.23 KB

(opens in a new window)

It's important to point out that the process doesn’t need to be represented graphically—a set of statements about what decision makers need to do in certain circumstances is fine too.
Procuring goods and services is a good example of deliberately entering a space of uncertainty to achieve organisational objectives. Risks and opportunities emerge from
- mapping out proposed value chains
- going to the market with a clear specification of your requirements
- finding suppliers in the market that can deliver in the quantity or to the quality required
- negotiation and agreement
- management of the contract.
The Victorian Government’s buyer’s guide to procurement(opens in a new window) is a process designed to navigate this uncertainty and ensure that the purchase is one that protects and creates value.
You’ll notice this process has a lot of rich information, rather than a diagram showing a simple workflow. It shows how flexible the concept of a process is. Risks to probity, value for money and reputation mean that it's worth investing in that detail.
Detail is also needed when you want people with very diverse skill sets, in teams or organisations with different objectives, to follow a process. When there's a lot of in-house knowledge, shared culture and objectives, and the participants and stakeholders are known, you need a lot less information in the formal process because it is captured ‘informally’ in the context.

Continuous improvement

Like we said at the beginning, a mature organisation puts processes in place only when it brings benefits to decision-makers and the organisation. Use the Risk Maturity Benchmark to help you decide your target and plan the refinements you need so that your processes are fit for purpose. Once you’ve implemented your plan, you can see where you’re at and look at how you can improve again.

Updated 5 June 2025