Risk management in the public sector
Why and how government organisations assess and manage risks.
Purposes of risk management
Consider your exposure at key stages of any project or process to identify:
- high-risk processes or systems
- ways of reducing risks and minimising impacts
- where to prioritise resources.
Benefits of risk management
Risk management begins with identifying and assessing risks. Both steps help government organisations to know their risks and how those risks could affect, for example, their:
- service delivery
- legal exposure
- security and integrity
- customer confidentiality.
Core elements of risk management
The core elements of risk management always follow a similar pattern:
- identification — using expert judgement, stakeholder input, experimentation, experience and historical analysis to identify risks and create a risk register
- analysis — understanding each risk and assessing its initial and final risk ratings
- evaluation — deciding if risk levels are acceptable or not
- treatment — choosing how you will approach each risk, often by deciding to implement controls
- review — scheduling regular checks to see if risks have changed or security controls need to be updated.
Risk assessments and ongoing management of risks
Digital.govt.nz has advice for government organisations assessing and managing the risks to their information systems through:
Advice for public cloud services
For government organisations at any stage of adopting or using public cloud services, Digital.govt.nz offers guidance through the:
- section for public cloud services
- Cloud Capabilities Network
- New Zealand Information Security Manual — Government Communications Security Bureau.
Controls must align with security requirements in New Zealand
Understanding how to classify information is essential to assessing risks and managing them.
Protective Security Requirements
Just as risks are rarely static in nature, they seldom occur in isolation. The Protective Security Requirements (PSR) website lists and explains the security requirements for NZ government organisations in the areas of:
When assessing and managing risks, government organisations must follow these requirements from the PSR.
New Zealand Information Security Manual
Government organisations are required to use controls that match the guidance in the New Zealand Information Security Manual (NZISM).
The NZISM defines mandatory and discretionary controls for the different levels of information classification.