Your browser currently has JavaScript turned off, which means that Digital.govt.nz might not display properly on your device. It's easy to turn JavaScript on - find out how to enable JavaScript in your browser.

Risk management in the public sector

Why and how government organisations assess and manage risks.

Purposes of risk management

Consider your exposure at key stages of any project or process to identify:

high-risk processes or systems
ways of reducing risks and minimising impacts
where to prioritise resources.

Benefits of risk management

Risk management begins with identifying and assessing risks. Both help government organisations to know their risks and how they could impact, for example, their:

service delivery
reputation
legal exposure
security and integrity
customer confidentiality
investment.

Core elements of risk management

The core elements of risk management will always follow a similar pattern, such as:

identification — using expert judgement, stakeholder input, experimentation, experience and historical analysis to identify risks and create a risk register
analysis — understanding and assessing their initial and final risk ratings
evaluation — deciding if risk levels are acceptable or not
treatment — choosing how you will approach each risk, often by deciding to implement controls
review — scheduling regular checks to see if risks have changed or security controls need to be updated.

Risk assessments and ongoing management of risks

Digital.govt.nz has advice for government organisations assessing and managing the risks to their information systems through:

Advice for public cloud services

For government organisations at any stage of adopting or using public cloud services, Digital.govt.nz offers guidance through the:

Controls must align with security requirements in New Zealand

Understanding how to classify information is essential to assessing risks and managing them.

Classify information

Protective Security Requirements

Just as risks are rarely static in nature, they seldom occur in isolation. The Protective Security Requirements (PSR) website lists and explains the security requirements for NZ government organisations in the areas of:

When assessing and managing risks, government organisations must follow these requirements from the PSR.

Mandatory requirements — PSR

New Zealand Information Security Manual

Government organisations are required to use controls that match the guidance in the New Zealand Information Security Manual (NZISM).

The NZISM defines mandatory and discretionary controls for the different levels of information classification.

About information security — NZISM

More information

JavaScript is currently turned off in your browser — this means you cannot submit the feedback form. It's easy to turn on JavaScript — Learn how to turn on JavaScript in your web browser.

If you're unable to turn on JavaScript — email your feedback to govt.nz@dia.govt.nz .

Was this page helpful?

Yes No Partly

Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

What did you come here to do?

How can we improve this information?

Last updated 10 October 2022

Risk management in the public sector

Purposes of risk management

Benefits of risk management

Core elements of risk management

Risk assessments and ongoing management of risks

Advice for public cloud services

Controls must align with security requirements in New Zealand

Protective Security Requirements

New Zealand Information Security Manual

More information

Utility links and page information