View Source

Decisions regarding the risks to be treated and the treatment / mitigation methods follow prioritization by top management. The response strategy to risks must include the improvement of statistical quality among the main objectives. To this end, the effectiveness of the implemented actions must be periodically assessed, also in terms of cost / benefit analysis. The treatment responsibilities are assigned and formalized at operational level.

Case Studies

Australian Bureau of Statistics (ABS)

In ABS (Australian Bureau of Statistics), accountability for risk treatment is determined by the risk owner and is often shared across a range of areas that are best placed to implement controls that can reduce the risk which may sit outside the risk owner's immediate span of control. The ABS bases the approach to risk management on the AS/NZS ISO 31000 standard. The ABS's risk appetite only tolerates high or extreme risks when treatment measures are unable to reduce the level of inherent risk to an acceptable level (i.e. Low or Moderate). Any extreme risk, such as a risk which would seriously threaten the credibility/reputation of the ABS and/or with the potential to result in a parliamentary enquiry, must be brought to the immediate attention of the Executive Leadership Group (ELG). The Senior Management Group (SMG) must be informed of any high risk, including those that may impact/tarnish the reputation of the ABS and/or achievement of program objectives e.g. through sustained media coverage. Treatment measures are essential for high and extreme risks. If strategies to mitigate the risk take time, they must be added as standing Agenda Items to ELG meetings (extreme risks) or SMG meetings (high risks) until the risk is reduced. All low or moderate risks will be managed within the specific area and/or routine procedures. All treatment measures are selected by considering the cost of implementing versus the benefits. In some cases, low and moderate risks might be accepted if the cost of treating the risk outweighs the benefit. Acceptable risks do not require treatment. Unacceptable risks will need to be treated. The Australian Bureau of Statistics (ABS) leads Australia's national statistical service, running hundreds of surveys and publishing thousands of pages of output every year. As with any large and complex organization, problems with processes do arise and the ABS has suffered errors in their data in the past with varying degrees of impact on the public domain. Most errors are detected in-house before publication, however this has at times resulted in intense last-minute work to correct the problems leading to delays in the release of data. Other errors have only been discovered after release, resulting in re-issue of statistical output. As a result of these errors the ABS has endeavored to instigate better Quality management practices through the development and use of the risk mitigation strategy known as ‘Quality gates’. Quality gates are designed to improve the early detection of errors or flaws in production processes.

Statistics Lithuania (SL)

In Statistics Lithuania (SL), according to approved descriptions of procedures, if any risky activity is identified, management is informed and improvement actions are defined and performed by responsible staff. On the base of the situation, improvement actions are implemented as soon as possible or deployed into the improvement action plan.

Process managers, appointed by the order of Director General of Statistics Lithuania, analyze identified risks, determine their causes and possible ways of their elimination, appoint staff responsible for improvements and monitor the effectiveness of improvement actions implemented. The priorities for risk treatment are set by Top management, according to the risk measurement results. The priority is given to the activities, which are the most risky for the process and process results. Usually, process managers are responsible for the risk treatment, if the risk was identified in their process. They analyze the problems, determine their causes and possible ways of their elimination, appoint staff responsible for improvements and monitor the effectiveness of improvement actions implemented.

Especially with reference to the preparation proposals for treatment, in concrete statistical areas cross-institutional commissions and working groups (e. g. group of experts in national accounts) established on the initiative of SL, play important role.

Statistics Sweden

In Statistics Sweden, risk treatment is documented in connection to the risk, specifying the treatment itself and the person responsible for carrying out the action (always a manager at department or unit level, in exceptions it can be the Director general). It also has to have a starting and finishing point. If treatment is more or less constant over time the end date is set to last of December and the action is carried over to the next year as are risks that have not been eliminated. Risks and treatments are included in the regular follow up of operations after each 4 month period with focus on effectiveness and deviations from plan. All risks that are critical require treatment unless they are impossible to prevent and/or too costly to mitigate. High value risks shall, as a rule, result in activities to mitigate the risk, either prevent it from happening or reduce the consequences. Under corporate risks are included the risks managed by the security organization. These risks have treatments that are different in characteristics and more of permanent solutions like insurance policies, contingency plans, fixed installations, firewalls and so on. Also some compliance risks are included here. They are documented in a separate module of the system since they have other needs for follow up purposes than operational risks. All critical risks are to have treatment though and many of the medium and low risks also have treatments.

On corporate level treatments are in general delegated to the director of one or more departments and added to their risk lists. The director’s comment on deviations and effectiveness and the comments are compiled by the risk manager who may suggest changes in risk values based on this. The updated risk report for the agency is presented to the DG, the deputy DG, the Director of the Director General’s Office, the head of internal audit and the Head of Security by the risk manager and after discussions any adjustments are made. Once a year, after the second four month period follow up, the risk report is signed by the DG and a preliminary risk list for the coming year is set up based on the preliminary operational plan for the next year (operational risks at agency level). At the same time the risk list for corporate risks (the internal control plan) is signed by the DG.

The directors of each department are responsible for all risks within their department but can delegate carrying out treatment to unit managers. The units’ risks shall be listed at department level though, since the central follow up only covers the department level and all operational risk are to be put forward to the Director general and be more easily analyzed by the risk manager. This means that the units’ risk lists are generated from the departments’ risk lists and they cannot add risks themselves at unit level according to the routine currently used.