Skip to main content

Risk management in the public sector

Why and how government organisations assess and manage risks.

Purposes of risk management

Consider your exposure at key stages of any project or process to identify:

  • high-risk processes or systems
  • ways of reducing risks and minimising impacts
  • where to prioritise resources.

Benefits of risk management

Risk management begins with identifying and assessing risks. Both help government organisations to know their risks and how they could impact, for example, their:

  • service delivery
  • reputation
  • legal exposure
  • security and integrity
  • customer confidentiality
  • investment.

Core elements of risk management

The core elements of risk management will always follow a similar pattern, such as:

  • identification — using expert judgement, stakeholder input, experimentation, experience and historical analysis to identify risks and create a risk register
  • analysis — understanding and assessing their initial and final risk ratings
  • evaluation — deciding if risk levels are acceptable or not
  • treatment — choosing how you will approach each risk, often by deciding to implement controls
  • review — scheduling regular checks to see if risks have changed or security controls need to be updated.

Risk assessments and ongoing management of risks

Digital.govt.nz has advice for government organisations assessing and managing the risks to their information systems through:

Advice for public cloud services

For government organisations at any stage of adopting or using public cloud services, Digital.govt.nz offers guidance through the:

Controls must align with security requirements in New Zealand

Understanding how to classify information is essential to assessing risks and managing them.

Classify information

Protective Security Requirements

Just as risks are rarely static in nature, they seldom occur in isolation. The Protective Security Requirements (PSR) website lists and explains the security requirements for NZ government organisations in the areas of:

When assessing and managing risks, government organisations must follow these requirements from the PSR.

Mandatory requirements — PSR

New Zealand Information Security Manual

Government organisations are required to use controls that match the guidance in the New Zealand Information Security Manual (NZISM).

The NZISM defines mandatory and discretionary controls for the different levels of information classification.

About information security — NZISM

More information

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated