This policy is a key document, essential for guiding the board’s strategic decisions and informing the day-to-day operations of Skills Insight. It outlines Skills Insight’s risk management process and sets out the responsibilities of the Board, the CEO, and the Executive and others within the organisation in managing risks effectively.

Where necessary, more detailed risk management procedures will be developed to cover specific areas of Skills Insight operations.

This policy has been established on the foundation of Skills Insight values, behaviours, and strategies and all actions must be consistent with them. In the event of any conflict between this policy and the values, behaviours and strategies of Skills Insight, we request that you promptly notify the CEO for resolution.


Risks have been described in terms of the combination of the consequences of an event occurring and its likelihood of occurring. Risk is the chance of something happening that will harm Skills Insight, its staff or stakeholders, opportunities, plans and strategies. Risk management is described as the culture, processes and structures that are directed towards reducing risk whilst realising potential opportunities.

Skills Insight’s risk management system is designed to identify the risks it faces and to describe the measures in place to keep those risks to an acceptable minimum. All operations and opportunities carry some degree of risk, and this risk needs to be recognised and mitigated to the extent reasonably possible, consistent with the risk appetite of the organisation.

Skills Insight’s risk assessment matrix (below) is used as the benchmark in planning and implementing the risk management measures. It takes into consideration the nature, scale and complexity of the initiatives that carry risk. The risk management process consists of the following main elements:

Identify: identify and document risks associated with existing or planned activities.

Assess: the primary goal is to document the effect of all identified risks and to assess them by considering:

  • Likelihood
  • Impact of each risk
  • Controls and effectiveness of controls
  • Rank the risks accordingly

Plan: preparation of management responses to mitigate risks.
Implement: risk responses are actioned.
Monitor and review: monitor and review the performance of the risk management system and changes to business activities and initiatives.
Communicate: provide regular reports to the board of directors.

Risks are effectively managed by Skills Insight through the effective implementation of various controls, which include:

  • Board approved risk management policy and risk register
  • Documented policies and procedures
  • Implementation of risk-based systems and processes
  • Ongoing monitoring of regulatory obligations
  • Checklists to guide activities and project plans to record actions, and
  • Internal and external reporting.


Compliance measures are used as a tool to address identified risks. The risk management system is based on a structured and systemic process which takes into account Skills Insight’s internal and external risks.

The main elements of the risk management process are as follows:

  • Communicate and consult – communicate and consult with internal and external stakeholders as appropriate at each stage of the risk management process and concerning the process as a whole.
  • Establish the context – establish the external, internal and risk management context in which the rest of the process will take place – the criteria against which risk will be evaluated should be established and the structure of the analysis defined.
  • Identify risks – identify where, when, why and how events could prevent, degrade, delay or otherwise harm the achievement of Skills Insight’s objectives.
  • Record risks – document the risks that have been identified in the risk register.
  • Analyse risks – identify and evaluate existing controls. Determine consequences and likelihood and hence the level of risk by analysing the range of potential consequences and how these could occur.
  • Evaluate risks – compare estimated levels of risk against the pre-established criteria and consider the balance between potential benefits and adverse outcomes. This enables decisions to be made about the extent and nature of treatments required and about priorities.
  • Treat risks – develop and implement specific cost-effective strategies and action plans for increasing potential benefits and reducing potential costs.
  • Monitor and review – it is necessary to monitor the effectiveness of all steps of the risk management process. This is important for continuous improvement. Risks and effectiveness of treatment measures need to be monitored so that changing circumstances do not alter priorities.

Skills Insight’s risks may come from any internal or external event which, if it occurs, may affect the ability to operate efficiently and effectively.

  • External risks – those risks that are outside the control of Skills Insight. They include risks such as market conditions, digital disruption, cyber-security, privacy and data breaches, sustainability, climate change and legislative change.
  • Internal risks – those risks that specifically relate to Skills Insight’s business itself and as such are generally within its control. They include risks such as employee related risks, including conduct related risks, strategic risks, and financial risks.

Risks are effectively managed by Skills Insight through the effective implementation of various controls, which include:

  • Board approved risk management policy
  • Maintenance of risk register, and
  • Regular review of risks and controls, particularly as the organisation changes.


The methodology adopted by Skills Insight for managing and treating its risks can be defined as follows:

  1. Document a risk management framework (i.e., the context)
  2. Identify the general activities involved in running the organisation (i.e., risk categories)
  3. Identify the risks involved in undertaking the specific business activity by asking the questions: a) What could happen? b) How and why could it happen?
  4. Rate the likelihood of the organisation’s activity not being properly performed. Likelihood is assessed on the assumption that there are no existing risk management and compliance processes in place. It is assessed as either Almost Certain, Likely, Possible, Unlikely or Rare.
  5. Rate the consequence of not properly performing the business activity. It is assessed as Catastrophic, Major, Medium, Minor, or Insignificant.
  6. Assign the inherent risk rating based on a combination of the likelihood and consequence ratings. Low and medium risks may be considered acceptable and therefore minimal further work on these risks may be required. The rating may be assessed as Very High, High, Moderate or Low.


The following risk assessment matrix has been applied to each identified risk.



The Board of Skills Insight has responsibility to:

  • review Skills Insight’s risk management policy and risk register for appropriateness, and confirm that Skills Insight is operating with due regard to the risk appetite set by the Board and effectively identifies all areas of potential risk
  • ensure adequate policies and processes have been designed and implemented to manage identified risks
  • ensure suitable management structures and actions are in place to manage compliance and business behaviour and actions, and
  • ensure proper remedial action is undertaken to redress areas of weakness.

Chief Executive Officer

The CEO of Skills Insight has responsibility under this policy for:

  • Monitoring compliance with this policy
  • Reporting to the Board on compliance with this policy
  • Developing, implementing, and monitoring systems, management of policies and procedures relevant to the business, including facilitating review by the Executive on a regular basis, and
  • Maintaining the risk register.

General responsibilities

All staff members are responsible for effective management of risk including the identification of potential risks. Management is responsible for the development of risk mitigation plans and the implementation of risk reduction strategies. Risk management processes are integrated with planning processes and management activities.

Where there is legislation in place for the management of specific risks (such as Occupational Health and Safety) this Risk Management policy does not relieve Skills Insight of its responsibility to comply with that legislation. Managers are accountable for strategic risk management within areas under their control, including the promotion and training of risk management processes to staff.


This policy should be read in conjunction with the following codes, policies and guidelines:

  • The Jobs and Skills Councils Code of Conduct and Program Guidelines
  • Skills Insight Governance Manual
  • Skills Insight Risk Appetite Statement and Risk Register