Public sector entities must include risk management in their everyday activities, Federal Auditor-General Ian McPhee says.

Such organisations “have appreciated for some time that risk management is no longer discretionary and needs to be integrated into their business-as-usual processes,” he told the Risk Management Institution of Australasia’s annual conference in Brisbane last week.

However, more can be done to embed risk management into the public sector’s organisational behaviour, so all employees contribute through more effective engagement.

Steps include being alert to new risks and updating views of known risks.

Mr McPhee says the public sector needs “an army of risk managers, rather than just a few soldiers”.

Entities can create these “armies” by identifying and communicating their approach to managing risk, so all employees are engaged with the issue.

A positive risk culture is a “set of encouraged and acceptable behaviours, discussions, decisions and attitudes towards taking and managing risk”, Mr McPhee says.