Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
The Auditor-General ANAO Report No.6 2017–18
Performance Audit
The Management of Risk by Public Sector Entities
Across Entities
Australian National Audit Office
© Commonwealth of Australia 2017
ISSN 1036–7632 (Print) ISSN 2203–0352 (Online) ISBN 978-1-76033-282-2 (Print) ISBN 978-1-76033-283-9 (Online)
Except for the content in this document supplied by third parties, the Australian National Audit Office logo, the Commonwealth Coat of Arms, and any material protected by a trade mark, this document is licensed by the Australian National Audit Office for use under the terms of a Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 Australia licence. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/3.0/au/.
You are free to copy and communicate the document in its current form for non-commercial purposes, as long as you attribute the document to the Australian National Audit Office and abide by the other licence terms. You may not alter or adapt the work in any way.
Permission to use material for which the copyright is owned by a third party must be sought from the relevant copyright owner. As far as practicable, such material will be clearly labelled.
For terms of use of the Commonwealth Coat of Arms, visit the It’s an Honour website at https://www.pmc.gov.au/government/its-honour.
Requests and inquiries concerning reproduction and rights should be addressed to:
Senior Executive Director Corporate Management Branch Australian National Audit Office 19 National Circuit BARTON ACT 2600
Or via email: [email protected].
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 2
Canberra ACT 15 August 2017
Dear Mr President Dear Mr Speaker
The Australian National Audit Office has undertaken an independent performance audit across entities titled The Management of Risk by Public Sector Entities. The audit was conducted in accordance with the authority contained in the Auditor-General Act 1997. I present the report of this audit to the Parliament. Following its presentation and receipt, the report will be placed on the Australian National Audit Office’s website—http://www.anao.gov.au.
Yours sincerely
Grant Hehir Auditor-General
The Honourable the President of the Senate The Honourable the Speaker of the House of Representatives Parliament House Canberra ACT
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities
3
AUDITING FOR AUSTRALIA
The Auditor-General is head of the Australian National Audit Office (ANAO). The ANAO assists the Auditor-General to carry out his duties under the Auditor-General Act 1997 to undertake performance audits, financial statement audits and assurance reviews of Commonwealth public sector bodies and to provide independent reports and advice for the Parliament, the Australian Government and the community. The aim is to improve Commonwealth public sector administration and accountability.
For further information contact: Australian National Audit Office GPO Box 707 Canberra ACT 2601 Phone: (02) 6203 7300 Fax: (02) 6203 7777 Email: [email protected]
ANAO reports and information about the ANAO are available on our website: http://www.anao.gov.au
Audit team Russell Coleman
Alex Doyle Deanne Allan
Renée Hall Michelle Page
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 4
Contents Summary ........................................................................................................................................................ 7
Background ............................................................................................................................................... 7 Conclusion ................................................................................................................................................. 9 Supporting findings .................................................................................................................................. 10 Areas for improvement and key learnings ............................................................................................... 12 Summary of entity responses .................................................................................................................. 13
Audit findings .............................................................................................................................................. 15
1. Background ............................................................................................................................................. 16 Introduction .............................................................................................................................................. 16 Commonwealth Risk Management Policy ............................................................................................... 16 Surveys of risk management practices in the Australian Public Sector .................................................. 19 Audit coverage ......................................................................................................................................... 24 Entities selected for inclusion in the audit ............................................................................................... 24 Audit objective and scope ....................................................................................................................... 27
2. Application of the Commonwealth Risk Management Policy .................................................................. 28 Have entities implemented the Commonwealth Risk Management Policy? ........................................... 29 Did entities update their risk policy and framework in a timely manner following the issue of the
Commonwealth Risk Management Policy?........................................................................................ 35 Are entities’ risk management frameworks developed with relevant stakeholder consultation,
including arrangements to consult in a timely and effective manner? ............................................... 38 Are responsibilities and accountabilities for risk management clearly defined? ..................................... 38 Are entities’ risk appetite and risk tolerance defined? ............................................................................. 39 Is risk considered as part of key business decisions and operations? ................................................... 41 Have entities established arrangements to manage shared risks? ........................................................ 43 Do entities have relevant capability to underpin the management of risk? ............................................. 44 Are entities’ risk management frameworks reviewed to continuously improve the management of
risks? .................................................................................................................................................. 47 Was risk addressed in entity corporate plans? ....................................................................................... 51 Areas for improvement ............................................................................................................................ 53
Appendix 1 Responses from the selected entities ................................................................................. 56 Appendix 2 The Commonwealth Risk Management Policy requirements ............................................. 64 Appendix 3 ANAO assessment of the selected entities’ application of the Commonwealth Risk
Management Policy elements ............................................................................................. 66 Appendix 4 Health’s Enterprise Risk Appetite statement ...................................................................... 89
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
5
Summary Background
The Public Governance, Performance and Accountability Act 2013 (PGPA Act) places a 1.duty on Accountable Authorities1 of Commonwealth entities to establish and maintain appropriate systems of risk oversight and management for the entity.2 To promote a coherent approach to discharging these duties and to assist Commonwealth entities to understand the requirements for managing risk, the Australian Government released the Commonwealth Risk Management Policy (Commonwealth Policy) on 1 July 2014 as an element of the Public Management Reform Agenda (PMRA).
One of the guiding principles of the PMRA reforms is that ‘engaging with risk is a 2.necessary first step in improving performance’, and one of the lasting benefits that the reforms are seeking to deliver is ‘a more mature approach to risk across the Commonwealth’.3 The effective management of risks assists Commonwealth entities and companies to:
set and achieve strategic objectives; comply with legal and policy obligations; improve decision making; and allocate and utilise resources. The Joint Committee of Public Accounts and Audit (JCPAA) highlighted, in its recent 3.
report on Commonwealth Risk Management, that risk management should be an integral part of the way the Australian public sector conducts business.4
Commonwealth Risk Management Policy The Commonwealth Policy defines risk as ‘the effect of uncertainty on objectives’ and risk 4.
management as the ‘coordinated activities to direct and control an organisation with regard to risk’.5 The goal of the Commonwealth Policy is to embed risk management as part of the culture of Commonwealth entities where the shared understanding of risk leads to well informed decision making.6
The Commonwealth Policy advises that risk culture is the set of shared attitudes, values 5.and behaviours that characterise how an entity considers risk in its day-to-day activities. A positive risk culture: promotes an open and proactive approach to managing risk that considers both
1 An Accountable Authority for a Commonwealth entity is generally the person or group of persons that has responsibility for, and control over, the entity’s operations. Sub-section 12(2) of the PGPA Act sets out the person(s) or body that is the Accountably Authority of a Commonwealth entity.
2 The Public Governance, Performance and Accountability Act 2013, section 16. 3 Explanatory Memorandum to the Public Governance, Performance and Accountability Bill 2013, paragraphs 16
and 18. 4 JCPAA, Report 461 Commonwealth Risk Management, Inquiry based on Auditor-General’s report 18 (2015-16),
May 2017, paragraph 1.2. 5 Department of Finance, Commonwealth Risk Management Policy, Finance, 2014, paragraph 2. 6 ibid., paragraph 7.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
7
threat and opportunity; and is one where risk is appropriately identified, assessed, communicated and managed across all levels of the entity.7
Non-corporate Commonwealth entities, which include departments of state and most 6.regulatory bodies, must comply with the Commonwealth Policy. Corporate Commonwealth entities are not required to comply with the policy, but are expected to review and align their risk management frameworks and systems with the policy as a matter of good practice.
The Commonwealth Policy mandates 22 specific requirements organised in nine policy 7.elements. The policy elements are summarised in Box 1 and reproduced in Appendix 2.
Box 1: Policy Elements—Commonwealth Risk Management Policy
Element 1: Establishing a risk management policy – four requirements
Element 2: Establishing a risk management framework – nine requirements
Element 3: Defining responsibility for managing risk – three requirements
Element 4: Embedding systematic risk management into business processes
Element 5: Developing a positive risk culture
Element 6: Communicating and consulting about risk
Element 7: Understanding and managing shared risk
Element 8: Maintaining risk management capability
Element 9: Reviewing and continuously improving the management of risk
Audit objective and criteria The objective of the audit was to assess how effectively selected public sector entities 8.
manage risk. To form a conclusion against the audit objective, the ANAO adopted the following high-level audit criteria:
the selected entities’ risk management policies and frameworks meet the requirements of the Commonwealth resource management framework, including the Commonwealth Risk Management Policy;
the selected entities’ business operations and key business processes are informed by considerations of risk; and
the selected entities have established a supporting risk culture. This performance audit is one of three audits in the ANAO’s work program that address 9.
key aspects of the implementation of the Public Governance, Performance and Accountability Act 2013 (PGPA Act). These audits have been identified by the Joint Committee of Public Accounts and Audit (JCPAA) as priorities of the Parliament and will assist in keeping the Parliament, government and the community informed on implementation of the resource, risk and performance management frameworks introduced by the PGPA Act.
7 ibid., paragraphs 17–18.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 8
Summary
Four non-corporate Commonwealth entities were selected for inclusion in the audit: the 10.Department of Employment (Employment), the Department of Health (Health), the Australian Communications and Media Authority (ACMA), and the Australian Fisheries Management Authority (AFMA).
Conclusion The four entities involved in the audit have met or mostly met the majority of the 11.
22 specific requirements of the Commonwealth Risk Management Policy, with further work required by three entities (Health, ACMA and AFMA) to fully realise the Policy’s goal of embedding risk management as part of the entity’s culture, where the shared understanding of risk leads to well-informed decision making.
Employment has a mature and integrated approach to the identification and management of risk and has implemented a range of measures to build its risk capability, including an enterprise-wide risk management system. There is entity-level oversight of the operation of the risk management policy and framework through an internal governance committee which has reported regularly to the department’s Executive Committee on the adequacy of the risk framework and associated processes.
Health has an ongoing program to strengthen and fully operationalise its risk management framework and capability, following reviews in 2014 and 2016 which identified scope for improvement. Key risks are regularly considered by Health’s Executive Committee in its consideration of specific departmental strategies and plans. There remains scope for a more structured approach to reporting on and reviewing enterprise-level risks and the status of risk controls and treatments.
ACMA’s key risks are reviewed quarterly by the senior executive as part of a regular cycle, and the Authority is in the process of reviewing its risk management policy. ACMA included a risk tolerance statement in its 2015 risk management guide but has not yet developed a risk appetite statement. ACMA’s risk management guidance provides a high-level description of risk management, but limited practical guidance on how staff should manage risk.
Sustainability risks were regularly considered by the AFMA Commission in its consideration of specific fisheries management strategies and plans. As with Health, there remains scope for a more structured approach to reporting on and reviewing enterprise-level risks, controls and treatments. Risk management guidance available on the Authority’s intranet was minimal and not up to date, and AFMA does not have formal learning and development programs in risk management for staff. The Authority should address these impediments to the development of a positive risk management culture.
Each of the selected entities has continued to develop its risk management policies, 12.framework and capability since the release of the Commonwealth Policy in July 2014. As a result of these efforts Employment has met, and Health and ACMA have mostly met, the requirement of policy element five and the overarching goal of the Commonwealth Policy—relating to the development of a positive and embedded risk culture. AFMA has partly met the requirement of policy element five and the overarching policy goal.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
9
A number of areas for improvement have been identified for the selected entities, and 13.more general matters which may also warrant attention by other Commonwealth entities. The two categories of learnings address: for the selected entities, measures which would improve compliance with the policy requirements; and, for all public sector entities, key learnings focusing on strengthening risk management capability, culture and performance.
Supporting findings
Implementation The four selected entities have met or mostly met the majority of the 22 mandated 14.
requirements of the Commonwealth Risk Management Policy (Commonwealth Policy)8:
the Department of Employment (Employment) met 19 and mostly met two of the requirements (total 21/22 or 95 per cent);
the Department of Health (Health) met 10 and mostly met 10 of the requirements (total 20/22 or 91 per cent);
the Australian Communications and Media Authority (ACMA) met six and mostly met 10 of the requirements (total 16/22 or 73 per cent); and
the Australian Fisheries Management Authority (AFMA) met 13 and mostly met two of the requirements (total 15/22 or 68 per cent).
Risk policy and framework Each of the selected entities released an updated risk policy and framework within 15.
12 months of the release of the Commonwealth Risk Management Policy. The selected entities have also continued to update elements of their policy and framework (Employment and AFMA) or have plans to do so (Health and ACMA).
Stakeholder consultation The selected entities’ risk management frameworks were developed with extensive 16.
internal consultation, including with audit committees. There remains scope for entities to include, in their risk framework documentation, their arrangements for communicating, consulting and reporting on risk to both their internal and external stakeholders.
Responsibilities For three entities, responsibilities for managing and reporting on risk are clearly identified 17.
(Employment, Health and AFMA). ACMA has documented some, but not all, responsibilities.
8 The Commonwealth Policy mandates the implementation of 22 specific requirements organised in nine elements.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 10
Summary
Defining risk appetite and tolerance Three of the selected entities developed new or revised risk appetite and tolerance 18.
statements following the release of the Commonwealth Policy (Employment, Health and AFMA). One entity included a risk tolerance statement in its 2015 risk management guide, but has not developed a risk appetite statement (ACMA).
Considering risk in business decisions and operations The risk framework and key risks were regularly considered at senior levels within the 19.
selected entities. There is scope for a more structured approach to reporting on and reviewing enterprise-level risks and the status of risk controls and treatments (Health and AFMA). At present there is limited management reporting to the Executive Committee (Health) or Commission (AFMA) on enterprise-level risks, and no reporting on operational risks to the Audit and Risk Committee (Health and AFMA).
The ANAO’s review of a selection of business activities in each entity indicates that risk 20.management also informs normal business operations. Risk was considered when key business decisions were made or advice was provided to senior management or government in the areas selected for review.
Managing shared risk The identification and management of shared risks is one of the least mature elements of 21.
entities’ implementation of the Commonwealth Policy. Shared risks are not routinely identified and managed as such in the context of entities’ risk management policies and frameworks (Health, ACMA and AFMA).
Risk management capability The selected entities have implemented a range of measures to build their risk 22.
management capability. Key measures include:
regular internal reporting on the entity’s risk profile and risk framework (Employment and ACMA);
risk management guidance, templates and dedicated risk hot lines or email addresses (Employment, Health and ACMA);
staff resources dedicated to risk management (Employment, Health); custom-built risk management systems (Employment); and learning and development programs which address risk management, including
eLearning modules (Employment, Health and ACMA).
Review activity The selected entities’ risk management policies include a commitment to regularly 23.
review the risk framework, and each of the entities has continued to review its risk management policies and framework since the Commonwealth Policy was released in July 2014.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
11
Corporate plans The selected entities were at different levels of maturity in their implementation of the 24.
corporate plan requirement relating to risk, with further work required in all entities to fully embed the requirement.
Areas for improvement and key learnings Based on the audit findings, the Australian National Audit Office has identified areas for 25.
improvement on a range of matters which warrant further attention by the selected entities, and key learnings that could be applied by other public sector entities. The two categories of learnings presented in Box 2 and Box 3 address the Commonwealth Policy’s goal of embedding risk management as part of an entity’s culture, where the shared understanding of risk leads to well informed decision making.
Box 2: Areas for improvement for the selected entities
Defining the entity’s risk appetite in the risk management policy (ACMA). Enhancing risk management capability (Health, ACMA and AFMA). Improving the identification and management of shared risks (all entities). Developing arrangements for communicating, consulting and reporting on risk with
internal and external stakeholders (all entities). Improving arrangements to regularly review risks, risk management frameworks and
the application of risk management practices (Health, ACMA and AFMA). Seeking formal assurance from managers in preparing entity responses to the
Comcover survey of risk maturity (all entities). Fully embedding the corporate plan requirement relating to risk (all entities). Assigning responsibility for risk management to individuals or positions, rather than
work areas (Health, ACMA and AFMA).
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 12
Summary
Box 3: Key learnings that could be applied by other public sector entities
Regular management reporting on risk—including enterprise-level risks and the status of risk controls and treatments—helps provide assurance on risk management.
Regular and structured review of risk—including enterprise-level risks and the status of risk controls and treatments by governance committees, the executive board and the audit committee—contributes to embedding systematic risk management into business processes.
Updating guidance and templates to reflect the entity’s risk appetite and tolerance supports the development of a positive risk culture.
Providing practical guidance on how staff should manage risk contributes to building internal risk management capability.
Establishing strategies to improve participation in risk-related learning and development programs, including the completion of eLearning modules, helps maintain risk management capability.
In considering shared risks, focus on shared outcome risks rather than low level transactional risks.
Recording and analysing risk incidents and lessons learned can provide valuable insights to management and the audit committee on risk management performance and the effectiveness of the risk management framework.
Consider mechanisms to measure risk management performance.
Summary of entity responses The Department of Employment, the Department of Health, the Australian 26.
Communications and Media Authority, the Australian Fisheries Management Authority, and the Department of Finance were provided with a copy of the proposed audit report, and the Australian Public Service Commission was provided with an extract of the proposed report for comment. A summary of the responses received from entities is provided below, with the full responses provided at Appendix 1.
Department of Employment The Department of Employment (the Department) welcomes the overall findings of the Australian National Audit Office’s (the ANAO) Performance Audit of the Management of Risk by Public Sector Entities (the audit).
The Department recognises risk management is a cornerstone of good corporate governance and organisational success. Managing risk well enables us to achieve our outcomes and promotes the efficient, effective and ethical use of Australian Government resources. The audit concludes the Department has a mature and integrated approach to the identification and management of risk and has implemented a range of measures to build its risk capability. The Department has consciously invested in its risk management framework and I am pleased the ANAO has identified the positive returns from this investment.
The process of mature risk management is ongoing and we will take action in relation to areas for improvement identified in the audit that relate to the Department.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
13
Department of Health I am pleased that the ANAO found that the Department of Health (Health) has met a substantial number of the requirements of the Commonwealth Risk Management Policy. The report demonstrates the progress Health has made to improve its risk management approach and shift to a more risk aware culture. Shifting an organisation’s risk culture requires significant commitment from all levels within the organisation and takes time.
In April 2017, Health’s Accountability Authority endorsed and released a revised Risk Management Policy. This Policy articulates our approach to building a culture of effective risk engagement, where each of us has the skills and confidence to identify and manage risks appropriately.
The report has highlighted several areas for improvement in order to strengthen the systems and culture that are required to embed a risk aware culture. Health agrees with these findings and will implement actions to facilitate improvement in these areas.
Australian Communications and Media Authority The findings are timely as the ACMA Risk Management Framework is currently under review and we will keep the ANAO’s findings front of mind while making refinements to this framework.
As part of our review, we have already taken steps to address some of the areas for improvement identified by the ANAO. Our Executive Group is releasing a revised Risk Appetite Statement and we are working to ensure our agency has the capability to engage effectively with risk.
The Executive Group has started the discussion to establish an enduring policy position on the identification and management of shared risk.
We have appointed a Chief Risk Officer to drive improvements to the Risk Management Framework and provide additional support to staff.
There is a strong culture of risk management within the ACMA. The insights provided by the ANAO will help us to refine our Risk Management Framework in a way that best supports and builds on that culture.
Australian Fisheries Management Authority The Australian Fisheries Management Authority (AFMA) acknowledges the supported findings and areas of improvement outlined in this report. AFMA has recently reviewed our Risk Management Policy and Risk Management Guidelines and the report will greatly assist in their full implementation.
Department of Finance The Department of Finance supports the findings of this report.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 14
Audit findings
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
15
1. Background Introduction
The Public Governance, Performance and Accountability Act 2013 (PGPA Act) places a duty 1.1on Accountable Authorities9 of Commonwealth entities to establish and maintain appropriate systems of risk oversight and management for the entity.10 To promote a coherent approach to discharging these duties and to assist Commonwealth entities to understand the requirements for managing risk, the Australian Government released the Commonwealth Risk Management Policy (Commonwealth Policy) on 1 July 2014 as an element of the Public Management Reform Agenda (PMRA).
One of the guiding principles of the PMRA reforms is that ‘engaging with risk is a necessary 1.2first step in improving performance’, and one of the lasting benefits that the reforms are seeking to deliver is ‘a more mature approach to risk across the Commonwealth’.11 The effective management of risks assists Commonwealth entities and companies to:
set and achieve strategic objectives; comply with legal and policy obligations; improve decision making; and allocate and utilise resources.
The Joint Committee of Public Accounts and Audit (JCPAA) highlighted, in its recent report 1.3on Commonwealth Risk Management, that risk management should be an integral part of the way the Australian public sector conducts business.12
Commonwealth Risk Management Policy The Commonwealth Policy defines risk as ‘the effect of uncertainty on objectives’ and risk 1.4
management as the ‘coordinated activities to direct and control an organisation with regard to risk’.13 The Commonwealth Policy has 22 requirements organised in nine policy elements. The nine elements of the Commonwealth Policy are presented in Figure 1.1.
9 An Accountable Authority for a Commonwealth entity is generally the person or group of persons that has responsibility for, and control over, the entity’s operations. Sub-section 12(2) of the PGPA Act sets out the person(s) or body that is the Accountably Authority of a Commonwealth entity.
10 The Public Governance, Performance and Accountability Act 2013, section 16. 11 Explanatory Memorandum to the Public Governance, Performance and Accountability Bill 2013, paragraphs 16
and 18. 12 JCPAA, Report 461 Commonwealth Risk Management, Inquiry based on Auditor-General’s report 18 (2015–16),
May 2017, paragraph 1.2. 13 Department of Finance, Commonwealth Risk Management Policy, Finance, 2014, paragraph 2.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 16
Background
Figure 1.1: Elements of the Commonwealth Risk Management Policy
Note: Elements 1–3 of the Commonwealth Policy are comprised of multiple requirements. The mandatory
requirements of the Commonwealth Policy are outlined at Appendix 2. Source: ANAO presentation of the Commonwealth Risk Management Policy.
The goal of the Commonwealth Policy is to embed risk management as part of the culture 1.5of Commonwealth entities where the shared understanding of risk leads to well informed decision making.14 Element five of the policy also provides that an entity’s risk management framework must support the development of a positive risk culture.
The policy advises that risk culture is the set of shared attitudes, values and behaviours 1.6that characterise how an entity considers risk in its day-to-day activities. A positive risk culture: promotes an open and proactive approach to managing risk that considers both threat and opportunity; and is one where risk is appropriately identified, assessed, communicated and managed across all levels of the entity.15
Professor Peter Shergold AC has observed that the PGPA Act ‘represents a significant and 1.7positive step towards developing better risk practice and culture. The risk management policy established under the PGPA Act is designed to assist Accountable Authorities … to engage positively with risk, in order to embed risk practice into business processes’.16
14 ibid., paragraph 7. 15 ibid., paragraphs 17–18. 16 Australian Public Service Commission, Learning from Failure, August 2015, p. 37.
Commonwealth Risk Management
Policy Elements
1. Establishing
a risk management
policy 2.
Establishing a risk
management framework
3. Defining
responsibility for managing
risk
4. Embedding
systematic risk management into business
processes
5. Developing a positive risk
culture
6. Communicating
and consulting about risk
7. Understanding and managing
shared risk
8. Maintaining
risk management
capability
9. Reviewing and continuously
improving the management
of risk
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
17
Non-corporate Commonwealth entities, which include all departments of state, must 1.8comply with the Commonwealth Policy. Corporate Commonwealth entities are not required to comply with the policy, but are expected to review and align their risk management frameworks and systems with the policy as a matter of good practice.
A review of the Commonwealth Policy was originally scheduled to occur in 2015—a year 1.9after its release. This was deferred following recognition that entities needed time to align their frameworks to the Commonwealth Policy. The review is now scheduled to align with the review of the PGPA Act.17
Related requirements The PGPA Act also introduced the requirement that entities produce annual corporate 1.10
plans and report on entity performance in annual performance statements. The PGPA Rule 2014, made pursuant to the Act, provides that an entity’s corporate plan must provide a summary of the risk oversight and management systems of the entity for each reporting period covered by the plan (section 16E).
The PGPA Rule 2014 also provides that the functions of an entity’s audit committee must 1.11include reviewing the appropriateness of the accountable authority’s system of risk oversight and control.18
Comparison with the Australian/New Zealand Risk Standard and risk management frameworks in other jurisdictions
The Commonwealth Risk Management Policy references relevant risk standards19 and is 1.12consistent with the standard jointly published by Standards Australia and Standards New Zealand, Risk management—principles and guidelines.20
Other jurisdictions in Australia and internationally also publish public sector risk 1.13management policies and/or guidance to assist entities. This material is framed by each jurisdiction’s legislative framework and policy responsibilities. The Commonwealth Policy and associated guidance is broadly consistent with the risk management material published by other jurisdictions that was reviewed by the ANAO.21 For example, defining risk appetite and/or tolerance, the importance of communication, consultation and shared risks are common elements of policy and guidance in a number of jurisdictions, such as NSW and Canada.
17 A review of the PGPA Act is required under section 112 of that Act. The effect of section 112 is to require the Finance Minister, in consultation with the Joint Committee of Public Accounts and Audit, to conduct a review of the PGPA Act and the PGPA Rules as soon as practicable after 1 July 2017.
18 The ANAO survey of the PGPA Rule is discussed in ANAO Report No.33 2016–17 Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2016.
19 While not mandatory, an entity’s risk management framework and systems should be aligned with and reflect existing standards and guidance such as AS/NZS ISO 31000:2009–Risk management–principles and guidelines.
20 AS/NZS ISO 31000:2009 was published in 2009 and is identical with ISO 31000:2009 Risk Management—Principles and Guidelines published by the International Organization for Standardization.
21 The ANAO reviewed the risk management policy and guidance published by New South Wales, Victoria, Western Australia, Queensland, South Australia, the United Kingdom, Canada and New Zealand.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 18
Background
While risk management is not new to the Commonwealth public sector22, the 1.14implementation of a mandated risk management policy is a new development and not one that has been adopted and tested in comparable administrative systems. The United Kingdom for instance released a risk management framework in January 2017, which provides high level guidance rather than a mandated policy.23 Similarly, the Canadian and New Zealand Governments each have a broad, principled framework for the management of risk rather than a policy with mandatory requirements.
Surveys of risk management practices in the Australian Public Sector Australian Government entities are required to submit a self-assessment of their risk 1.15
management capability for the purposes of Comcover’s annual Risk Management Benchmarking Survey. In addition the Australian Public Service Commission (APSC) undertakes the annual Australian Public Service (APS) employee census and the annual agency survey, which have included questions on risk management.
Risk Management Benchmarking Survey The Department of Finance (Comcover)24 has conducted an annual benchmarking 1.16
program since 2001. The Risk Management Benchmarking Survey is a tool to assist entities self-assess their risk management capability against each of the nine elements outlined in the Commonwealth Policy (see Figure 1.1).
The 2016 Risk Management Benchmarking Survey (the survey) was open for completion 1.17from 18 January to 4 March 2016. A total of 143 Australian Government (non-Corporate) entities participated in the survey in 2016 by submitting a self-assessment rating of their risk management capability using a six level risk maturity model, as illustrated in Figure 1.2.
22 In the Foreword to the 2014 Commonwealth Policy, the Minister for Finance observed that the nine policy elements would assist accountable authorities to build on their existing risk management framework. Whole-of-government guidance on risk management has been available to the Australian Public Service for some decades—see, for example, guidance published by the Australian Public Service Management Advisory Board (MAB) and its supporting Management Improvement Advisory Committee (MIAC), MAB/MIAC Report No.22, Guidelines for Managing Risk in the Australian Public Service, AGPS, October 1996.
23 United Kingdom Cabinet Office, Management of Risk in Government Framework–a framework for boards and examples of what has worked in practice, January 2017, available at <https://www.gov.uk/government/publications/management-of-risk-in-government-framework> [accessed 3 April 2017]
24 Comcover is the Australian Government's self-managed insurance fund in the Department of Finance, that provides insurance and risk management services to Commonwealth General Government Sector entities. A key function of Comcover is to assist entities to build their capability to manage risk across the Australian Government. Comcover has stated that it aims to enable entities to obtain the knowledge, skills and expertise that will assist them to successfully implement and integrate risk management within their organisation.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
19
Figure 1.2: Six level risk maturity model rating
Note: While a risk maturity rating level indicates where there is still scope to improve risk management capabilities,
it is not a ‘compliance rating’. Source: Risk Management Benchmarking Program 2016: Comcover’s Key Findings Report.
Entities are encouraged to adopt risk maturity ratings that are fit for purpose for their 1.18organisation. Not all entities are expected to achieve an ‘optimal’ rating, and entity maturity levels are not a ‘compliance’ rating.
In the 2016 survey, 67 per cent of entities self-reported a maturity level of Systematic or 1.19Integrated, and 30 per cent of entities reported achievements of Advanced or Optimal maturity. Comcover observed in its key findings report that a general shift towards higher overall risk maturity levels across the entities in 2016 from 2015 (Figure 1.3) indicates that many entities have made progress in building their risk management capability over the last year.
The distribution of the maturity levels achieved by participating entities in the 2016 1.20benchmarking survey is illustrated in Figure 1.3.
Figure 1.3: Distribution of maturity levels achieved by participating entities— Comcover risk benchmarking survey
Source: ANAO reproduction of data presented in the Risk Management Benchmarking Program 2016: Comcover’s
Key Findings Report.
1
13
45
64
32
11 3
38
58
41
20
25
50
75
Fundamental Developed Systematic Integrated Advanced Optimal
Num
ber o
f Ent
ities
Maturity level (increases left to right)
2015 Benchmarking Survey 2016 Benchmarking Survey
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 20
Background
Comcover has observed that the findings of the 2016 survey indicate that 88 per cent of 1.21entities have a risk management policy that has been endorsed by their accountable authority and is aligned with their corporate plan and objectives. According to Comcover, the survey indicates that ‘while there are pockets of well embedded risk management practice, there is still room to improve how well risk management is embedded into strategic planning, governance arrangements and program delivery.’
Comcover noted that the 2016 survey results indicate that the highest performing 1.22elements of the Commonwealth Policy across the population of entities were:
Element 1 – Establishing a risk management policy; Element 3 – Defining responsibility for managing risk; and Element 4 – Embedding systematic risk management into business processes.
Comcover further noted that the 2016 survey results indicated that the Commonwealth 1.23Policy elements that were the lowest scoring elements across the population of entities were:
Element 5 – Developing a positive risk culture; Element 7 – Understanding and managing shared risk; and Element 8 – Maintaining risk management capability.
Key insights and the maturity distribution across the surveyed population of entities for 1.24each element of the Commonwealth Risk Management Policy are illustrated in Figure 1.4.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
21
Figure 1.4: Key insights and maturity distribution across the surveyed population for each element of the Commonwealth Risk Management Policy
Source: Risk Management Benchmarking Program 2016: Comcover’s Key Findings Report.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 22
Background
Australian Public Service Commission data The Australian Public Service Commission (APSC) surveys APS agencies and employees 1.25
annually on a range of workforce management issues. Both surveys have included a number of questions relating to risk management.
The self-assessments by APS agencies indicate that: 1.26
48 per cent of surveyed entities had plans to improve risk management during 2016; 39 per cent of surveyed entities considered that no action was necessary to improve risk
management in their entity; 19 per cent of surveyed entities reported that no barriers existed to improving risk
management capability in 2016; and the main challenges to improving risk management capability were:
resource availability and consistency of risk management practices (17 per cent); limited resource availability (15 per cent); and enhancing risk management frameworks and practices (11 per cent); and
surveyed employees were less positive in 2016 compared with 2015 about entities’ risk management practices.
A summary of the results of the APS employee census is presented in Figure 1.5. 1.27
Figure 1.5: Summary results for all employees surveyed by the APSC in 2016
Source: ANAO analysis of 2016 APS employee census responses.
0%
25%
50%
75%
100%
I am aware of myentity's policies for
managing risk or knowwhere to find them
In my entity, risks aremanaged proactively
In my immediate workarea employees
respond to risk in amanner consistent with
my entity's riskmanagement policies
and processes
In general, my entityhas effective risk
management policiesand procedures
Agree Neither Agree or Disagree Disagree
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
23
Audit coverage This performance audit is one of three audits in the ANAO’s work program that address 1.28
key aspects of the implementation of the Public Governance, Performance and Accountability Act 2013 (PGPA Act). The other two audits are:
Report No.54 2016–17 Corporate Planning in the Australian Public Sector. This performance audit is the second in a series of audits that assessed progress in implementing the corporate planning requirement under the PGPA Act. The first in the series was Report No.6 2016–17 Corporate Planning in the Australian Public Sector; and
Report No.58 2016–17 Implementation of the Annual Performance Statements Requirements 2015–16. This audit assessed the performance statements included in the 2015–16 Annual Reports of the Department of Agriculture and Water Resources and the Australian Federal Police.
These audits have been identified by the Joint Committee of Public Accounts and Audit as 1.29priorities of the Parliament and will assist in keeping the Parliament, government and the community informed on implementation of the resource, risk and performance management frameworks introduced by the PGPA Act.
Entities selected for inclusion in the audit Four non-corporate Commonwealth entities were selected for inclusion in the audit: 1.30
two departments of state—the Department of Employment (Employment) and the Department of Health (Health); and
two regulatory bodies— the Australian Communications and Media Authority (ACMA) and the Australian Fisheries Management Authority (AFMA).
Table 1.1 contains additional information about the selected entities. 1.31
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 24
Background
Table 1.1: Information about the selected entities Department of Employment
The Department of Employment (Employment) is a large entity, with around 1985 staff at 30 June 2016. Employment had a total budget of approximately $2.4 billion in 2015–16. Employment’s role is to provide national policies and programs that help Australians find and keep employment, work in safe, fair and productive workplaces, and improve the employment-related performance of enterprises in Australia. The department has identified the following enterprise level risks: Loss of confidence in the department as a result of the failure to manage portfolio issues in a
manner consistent with government policy and public sector management standards [Reputational risk].
A change to resources or capabilities renders the Department unable to deliver on budget, on time and to expectations [Implementation and service delivery risk].
Insufficient stakeholder engagement undermines policy development and outcomes [Customer service risk].
A major system failure results in the department being unable to deliver core business priorities [Information technology risk].
A need to meet urgent priorities with constrained resources undermines strategic thinking, collaboration and program assurance, leading to diminished policy innovation and delivery [Strategic thinking risk].
A fraud event is not prevented or detected [Fraud risk].
Department of Health
The Department of Health (Health) is a large entity, with around 5037 staff at 30 June 2016. Health had a total budget of approximately $54.3 billion in 2015–16. Health is responsible for achieving the Australian Government’s health priorities through evidence-based policy, program administration, research, regulatory activities and partnerships with other government entities, consumers and stakeholders. The department has identified the following enterprise level risks: The department’s regulatory policies and practices are not able to adequately protect the health and
safety of the community and/or, reduce excessive regulatory burden on business, healthcare professionals and consumers [Regulatory risk].
Inadequate assessment and management of the health and wellbeing of our people and in particular departmental inspectors, investigators and laboratory staff, resulting in diminished productivity, disengagement or injury [People risk].
Failure to recognise and respond to inappropriate influence or corruption of a public official leading to loss of confidence in the department and diversion of resources from intended purposes [Fraud risk].
The department’s health system strategy and implementation (short, medium and long term) is insufficient to mitigate the growth in outlays [Policy risk].
Inadequate capability and tools to collect and utilise data sets and health system information to optimise health, ageing and sport policy outcomes [Policy risk].
Co-ordination and integration of policy and programs across the department and external partners are insufficient, leading to poor outcomes for the community and/or an adverse budgetary effect [Delivery risk].
Failure to learn through measuring and evaluating policies, programs and service outcomes [Delivery risk].
Failure to ensure resources are allocated to the highest priorities of the Minister and the Department in a responsive and adaptive way [Governance risk].
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
25
Department of Health (continued)
Failure to promptly recognise the impact of poor data management, IT capacity and lack of skilled staff on the delivery of health and ageing services [Delivery risk].
Failure to recognise or respond promptly, proactively and effectively to an interruption of delivery of Commonwealth funded health and ageing services to the community [Delivery risk].
Governance arrangements don't support the provision of timely, accurate and robust advice [Governance risk].
Poor IT stability and security leads to ineffective and inefficient Health administration or unauthorised access to personal data [Information risk].
Australian Communications and Media Authority
The Australian Communications and Media Authority (ACMA) is a small entity, with around 446 staff at 30 June 2016. ACMA had a total budget of approximately $93.4 million in 2015–16. ACMA sits within the Department of Communications and the Arts portfolio. ACMA’s mandate is to deliver a communications and media environment that balances the needs of industry and the Australian community through regulation, education and advice. The Authority’s purpose is to ensure communications and media work is in Australia’s public interest and is achieved with a judicious blend of communication, facilitation and regulation. The department has identified the following enterprise level risks: Fails to identify and develop relevant responses to a rapidly changing and evolving media and
communications environment [Environmental responsiveness risk]. Regulatory strategy, priorities and approach are not consistent with the expectations or objectives of
the government’s media and communications regulation and strategy [Regulatory strategy risk]. Fails to provide well-considered and timely advice to government to support sound media and
communications regulation outcomes for all Australians [Relationship with government risk]. ACMA is perceived as ineffective or irrelevant by key regulated entities in industry, hampering its
ability to achieve regulatory outcomes [Relationship with industry risk]. Public lose confidence in the ACMA’s ability to perform its statutory role in the communications and
media sectors, reducing its effectiveness [Relationship with consumers/citizens risk]. Failure of the ACMA’s organisational capability (research, engagement, response, corporate
support) affects its ability to achieve effective regulatory outcomes; or leads to a perception that the ACMA does not make a relevant contribution to the Australian media and communications environment, reducing its effectiveness [Organisational capability risk].
Regulatory strategy and/or delivery (use of components of regulatory toolkit) is either inappropriate or ineffective [Ineffective regulatory delivery risk].
Australian Fisheries Management Authority
The Australian Fisheries Management Authority (AFMA) is a small entity, with around 181 staff at 30 June 2016. AFMA had a total budget of approximately $40 million in 2015–16. AFMA sits within the Department of Agriculture portfolio, and was established in 1992 to manage Australia’s Commonwealth fisheries and apply the provisions of the Fisheries Administration Act 1991 and the Fisheries Management Act 1991. AFMA has offices in three locations—Canberra, Darwin and Thursday Island. AFMA’s 2016 Corporate Plan describes the composition of the risk management framework but does not identify enterprise level risks.
Source: ANAO analysis of data in entities’ 2016–17 Corporate Plans.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 26
Background
Audit objective and scope The objective of the audit was to assess how effectively selected public sector entities 1.32
manage risk. To form a conclusion against the audit objective, the ANAO adopted the following high-level audit criteria:
the selected entities’ risk management policies and frameworks meet the requirements of the Commonwealth resource management framework, including the Commonwealth Risk Management Policy;
the selected entities’ business operations and key business processes are informed by considerations of risk; and
the selected entities have established a supporting risk culture. In undertaking the audit, the ANAO: 1.33
sought representations from entity management on entities’ performance in relation to the audit objective;
reviewed relevant documents, including the risk management policies and frameworks of the four entities;
interviewed staff and reviewed relevant risk management records in a sample of business areas; and
interviewed the chairs of entity audit committees. In addition, the ANAO has drawn on: 1.34
information obtained by the Australian Public Service Commission (APSC) through its data collections; and
interviews with Department of Finance staff and records held by Finance in the context of its responsibilities as the policy owner of the resource management framework and Comcover’s risk management responsibilities.
The ANAO applied part of its methodology developed for the recent series of audits of 1.35Corporate Planning in the Australian Public Sector.25 The relevant part of the methodology was used to assess the maturity of the risk oversight and management section of entities’ corporate plans.26
The audit was conducted in accordance with the ANAO Auditing Standards at a cost to the 1.36ANAO of approximately $526 000.
The team members for this audit were Russell Coleman, Alex Doyle, Deanne Allan, 1.37Renée Hall and Michelle Page.
25 See paragraph 1.26 above. 26 See paragraphs 2.63 to 2.68.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
27
2. Application of the Commonwealth RiskManagement Policy Areas examined The ANAO assessed implementation of the July 2014 Commonwealth Risk Management Policy (Commonwealth Policy) by the Department of Employment (Employment), the Department of Health (Health), the Australian Fisheries Management Authority (AFMA) and the Australian Communications and Media Authority (ACMA). The ANAO also assessed if the selected entities have met the goal of the Commonwealth Policy, which is to embed risk management as part of the culture of Commonwealth entities where the shared understanding of risk leads to well informed decision making. Conclusion Each of the selected entities has continued to develop its risk management policies, framework and capability since the release of the Commonwealth Policy in July 2014. As a result of these efforts Employment has met, and Health and ACMA have mostly met, the requirement of policy element five and the overarching goal of the Commonwealth Policy—relating to the development of a positive and embedded risk culture. AFMA has partly met the requirement of policy element five and the overarching Policy goal. Areas for improvement The ANAO has not made any recommendations in this audit, but has highlighted a range of matters which warrant further attention by the selected entities. The matters highlighted in this audit may also warrant attention by other Commonwealth entities. Specific matters which warrant further attention by the selected entities relate to:
defining the entity’s risk appetite in the risk management policy (ACMA);
enhancing risk management capability (Health, ACMA and AFMA);
improving the identification and management of shared risks (all entities);
developing arrangements for communicating, consulting and reporting on risk with internal and external stakeholders (all entities);
improving arrangements to regularly review risks, risk management frameworks and the application of risk management practices (Health, ACMA and AFMA);
seeking formal assurance from managers in preparing entity responses to the Comcover survey of risk maturity (all entities);
fully embedding the corporate plan requirement relating to risk (all entities); and
assigning responsibility for risk management to individuals or positions, rather than work areas (Health, ACMA and AFMA).
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities
28
Application of the Commonwealth Risk Management Policy
Have entities implemented the Commonwealth Risk Management Policy?
The four selected entities have implemented the majority of the 22 mandated requirements of the Commonwealth Policy:
the Department of Employment (Employment) met 19 and mostly met two of the requirements (total 21/22 or 95 per cent);
the Department of Health (Health) met 10 and mostly met 10 of the requirements (total 20/22 or 91 per cent);
the Australian Communications and Media Authority (ACMA) met six and mostly met 10 of the requirements (total 16/22 or 73 per cent); and
the Australian Fisheries Management Authority (AFMA) met 13 and mostly met two of the requirements (total 15/22 or 68 per cent).
The Minister for Finance issued the Commonwealth Risk Management Policy 2.1(Commonwealth Policy) on 1 July 2014. Non-corporate Commonwealth entities must implement the Commonwealth Policy, which has 22 specific requirements organised in nine policy elements.
2.2 The ANAO’s review of the selected entities’ implementation of the Commonwealth Policy indicated that entities have met or mostly met the following percentage of requirements: Employment, 95 percent; Health, 91 percent; ACMA, 73 percent; AFMA, 68 percent. Table 2.1 summarises the number of requirements met or mostly met by the selected entities.
Table 2.1: Number of mandated requirements met or mostly met by selected entities Entity Met Mostly met Total Percentage
(n=22)
Employment 19 2 21 95
Health 10 10 20 91
ACMA 6 10 16 73
AFMA 13 2 15 68
Source: ANAO analysis.
Table 2.2 presents the ANAO’s summary assessment of the selected entities’ 2.3implementation of the nine policy elements of the Commonwealth Risk Management Policy.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities
29
Table 2.2: ANAO’s summary assessment of selected entities’ implementation of the Commonwealth Risk Management Policy
Elements of the Commonwealth Risk Management Policy ANAO assessment
Element 1: Establishing a risk management policy—four requirements
Department of Employment Department of Health Australian Communications and Media Authority (ACMA) Australian Fisheries Management Authority (AFMA) Element 2: Establishing a risk management framework—nine requirements
Department of Employment
Department of Health
Australian Communications and Media Authority (ACMA)
Australian Fisheries Management Authority (AFMA)
Element 3: Defining responsibility for managing risk—three requirements
Department of Employment Department of Health Australian Communications and Media Authority (ACMA) Australian Fisheries Management Authority (AFMA) Element 4: Embedding systematic risk management into business processes
Department of Employment Department of Health Australian Communications and Media Authority (ACMA) Australian Fisheries Management Authority (AFMA) KEY: Not met—no requirements met
Partly met—some requirements met
Mostly met—most requirements met
Met—all requirements met
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 30
Application of the Commonwealth Risk Management Policy
Elements in the Commonwealth Risk Management Policy ANAO assessment
Element 5: Developing a positive risk culture
Department of Employment Department of Health Australian Communications and Media Authority (ACMA) Australian Fisheries Management Authority (AFMA) Element 6: Communicating and consulting about risk
Department of Employment Department of Health Australian Communications and Media Authority (ACMA) Australian Fisheries Management Authority (AFMA) Element 7: Understanding and managing shared risk
Department of Employment Department of Health Australian Communications and Media Authority (ACMA) Australian Fisheries Management Authority (AFMA) Element 8: Maintaining risk management capability
Department of Employment Department of Health Australian Communications and Media Authority (ACMA) Australian Fisheries Management Authority (AFMA) Element 9: Reviewing and continuously improving the management of risk
Department of Employment Department of Health Australian Communications and Media Authority (ACMA) Australian Fisheries Management Authority (AFMA) KEY: Not met—no requirements met
Partly met—some requirements met
Mostly met—most requirements met
Met—all requirements met Source: ANAO analysis.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
31
The ANAO’s review of the selected entities’ implementation of the Commonwealth Policy 2.4indicated that specific matters which warrant further attention relate to:
defining the entity’s risk appetite in the risk management policy (ACMA); enhancing risk management capability (Health, AFMA and ACMA); improving the identification and management of shared risks (all entities); developing arrangements for communicating and consulting on risk with external
stakeholders (all entities); improving arrangements to regularly review risks, risk management frameworks and the
application of risk management practices (Health, AFMA and ACMA); seeking formal assurance from managers in preparing the responses to the Comcover
survey of risk maturity (all entities); fully embedding the corporate plan requirement relating to risk (all entities); and assigning responsibility for risk management to individuals or positions, rather than work
areas (Health, ACMA and AFMA). To assess the selected entities’ implementation of the overarching goal of the 2.5
Commonwealth Policy27 and its policy element five—developing a positive risk culture28—the ANAO had regard to: entities’ implementation of the Commonwealth Policy requirements (summarised in Table 2.2 above); risk management in a selection of business activities in each entity; and the consideration of risk by senior leaders.
The ANAO’s review of a selection of business activities29 indicates that risk management 2.6informs normal business operations in the selected entities. Risk was considered when key business decisions were made or advice was provided to senior management or government by the areas selected for review. Further, the risk framework and key risks were regularly considered at senior levels within the selected entities (see paragraph 2.33).
In summary, the ANAO’s review indicated that Employment has met, and Health and 2.7ACMA have mostly met, the requirement of policy element five and the overarching goal of the Commonwealth Policy. AFMA has partly met the requirement of policy element five and the overarching Policy goal.
The selected entities’ implementation of the Commonwealth Risk Management Policy is 2.8discussed in more detail later in this chapter.
27 As discussed, paragraph 7 of the Commonwealth Policy states that ‘The goal of the Commonwealth Risk Management Policy is to embed risk management as part of the culture of Commonwealth entities where the shared understanding of risk leads to well informed decision making.’
28 The Commonwealth Policy advises that risk culture is the set of shared attitudes, values and behaviours that characterise how an entity considers risk in its day-to-day activities (paragraph 17). A positive risk culture: promotes an open and proactive approach to managing risk that considers both threat and opportunity; and is one where risk is appropriately identified, assessed, communicated and managed across all levels of the entity (paragraph 18).
29 Footnote 37 summarises the ANAO’s methodology for assessing risk management at an operational level within the selected entities.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 32
Application of the Commonwealth Risk Management Policy
Comcover Risk Management Benchmarking surveys In 2015 and 2016, Comcover conducted a Risk Management Benchmarking survey that 2.9
provided participating entities the opportunity to assess their level of maturity against each of the nine elements of the Commonwealth Risk Management Policy and to obtain an overall level of maturity based on their responses to the surveys. The six level risk maturity model is illustrated in Figure 2.1.
Figure 2.1: Six level risk maturity model rating
Source: Risk Management Benchmarking Program 2016: Comcover’s Key Findings Report.
While entities’ maturity levels and targets indicate where there remains scope for 2.10improvement in risk management capabilities, they are not a compliance rating. Accountable authorities are responsible for entity risk settings having regard to their business and operating environment. Maturity levels and targets may therefore differ between entities, and are not mandated.
Selected entities’ self-assessment Table 2.3 presents the selected entities’ self-assessment of their risk maturity levels 2.11
against the nine elements of the Commonwealth Policy for 2016, and their target level of maturity for the following year.
Table 2.3: Entities’ 2016 self–assessment of their risk maturity levels, and targets for 2017, against the nine elements of the Commonwealth Policy.
Elements in the Commonwealth Risk Management Policy
Entities’ 2016 Self-Assessment of Risk Maturity
Levels
Employment Health ACMA AFMA
Element 1. Establishing a risk management policy
2016 Result Optimal Advanced Advanced Systematic
2017 Target Optimal Integrated Advanced Advanced
Element 2. Establishing a risk management framework
2016 Result Optimal Integrated Advanced* Systematic
2017 Target Advanced Integrated Advanced Advanced
Element 3. Defining responsibility for risk management
2016 Result Optimal Advanced Integrated Systematic
2017 Target Optimal Integrated Integrated Integrated
Element 4. Embedding systematic risk management into business processes
2016 Result Optimal Integrated Advanced Systematic
2017 Target Advanced Integrated Advanced Integrated
Element 5. Developing a positive risk culture
2016 Result Optimal Integrated Advanced Developed
2017 Target Advanced Integrated Advanced Integrated
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
33
Elements in the Commonwealth Risk Management Policy
Entities’ 2016 Self-Assessment of Risk Maturity
Levels
Employment Health ACMA AFMA
Element 6. Communicating and consulting about risk
2016 Result Advanced Systematic Integrated Systematic
2017 Target Optimal Integrated Advanced Integrated
Element 7. Understanding and managing shared risk
2016 Result Advanced* Developed Advanced* Fundamental
2017 Target Advanced Integrated Advanced Integrated
Element 8. Managing risk management capability
2016 Result Advanced Developed Systematic Developed
2017 Target Integrated Integrated Advanced Integrated
Element 9. Reviewing and continuously improving the management of risk
2016 Result Advanced Integrated Integrated Systematic
2017 Target Advanced Integrated Advanced Integrated
Note: * Entities self-assessed as Advanced, while the ANAO’s assessment was ‘partly met’. Source: Risk Management Benchmarking Program 2016: Comcover’s Key Findings Report.
The ANAO’s review indicates that there is broad alignment on the majority of elements 2.12between the ANAO’s assessment of the selected entities’ implementation of the Commonwealth Risk Management Policy (Table 2.2) and entities’ 2016 self-assessment of their risk maturity levels (Table 2.3).30
As part of its review, the ANAO sought information to support the selected entities’ 2.13responses to the 2016 survey.
Entities provided the ANAO with a range of documentation that supported the majority of 2.14their survey responses. To strengthen the level of assurance provided to senior leaders, entities could consider:
improving the level of documentation they maintain in support of responses to future surveys; and
obtaining formal management sign-offs to support entity responses to survey questions that relate to risk management practices in operational areas.
Key Findings Report on 2016 Risk Management Benchmarking Survey The Key Findings Report prepared for Comcover, following the 2016 Risk Management 2.15
Benchmarking Survey, summarised the key observations relating to the self-assessment of 143 Australian Government (non-Corporate) entities. The report’s key findings are in Box 4.
30 In three instances (* in Table 2.3), entities self-assessed as Advanced, while the ANAO’s assessment was partly met.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 34
Application of the Commonwealth Risk Management Policy
Box 4: Summary of key findings from the 2016 benchmarking survey
The majority of entities’ risk management policies include the core components [Element 1].
Opportunities exist to expand risk identification techniques [Element 2]. Limited use of key risk indicators in risk identification, analysis and reporting
[Element 2]. Key risk management roles and responsibilities are not often defined [Element 3]. Few entities utilise a function to be solely or primarily responsible for risk management
[Element 3]. Unexpected performance around embedding systematic risk management into business
processes [Element 4, 5 and 8]. Few entities have regular processes for assessing risk culture [Element 5]. Limited communication of risk information to external parties [Element 6 and 8]. The highest proportion of entities scored a maturity of Fundamental [Element 7]. Limited capability development and maintenance activities targeted to risk management
[Element 8]. Insufficient training is provided to some key risk management groups [Element 8]. Measuring, assessing and reporting risk management performance [Element 9].
Source: Risk Management Benchmarking Program 2016: Comcover’s Key Findings Report.
Did entities update their risk policy and framework in a timely manner following the issue of the Commonwealth Risk Management Policy?
Each of the selected entities released an updated risk policy and framework within 12 months of the release of the Commonwealth Risk Management Policy. The selected entities have also continued to update elements of their policy and framework (Employment and AFMA) or have plans to do so (Health and ACMA).
As discussed, the Commonwealth Risk Management Policy was issued on 1 July 2014 by 2.16the Minister for Finance. Elements One and Two of the Commonwealth Policy require entities to establish a risk management policy and framework.
Key issue dates of entities’ risk management policy and framework (Employment, Health 2.17and AFMA), guide and instructions (ACMA) are illustrated in Figure 2.2 and discussed in the following paragraphs.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
35
Figure 2.2: Issue dates of entities’ risk management policy and framework
Source: ANAO analysis.
2014
2015
2016
2017
July
January
November
December
August
October
Public Governance, Performance and
Accountability Act and 2014 PGPA Rule takes effect.
Commonwealth Risk Management Policy issued.
Employment Secretary’s Instruction on Risk Management
Draft Risk Management guidance released for
consultation.
HealthRisk Management Policy
February
Employment Risk Management Policy and Framework
AFMARisk Management Framework
ACMARisk Management Guide and Instructions
September Employment Updated Risk Management Policy and Framework
AFMA Risk Management Policy
HealthUpdated Risk Management Policy and Framework
AFMA Operational Risk Management Guidelines
February
Updated draft risk management guide and
information sheets released for consultation.
March
The Commonwealth Risk Management Policy
Guidelines published.
Supplementary risk management information
sheets published.
ISSUED BY AUDITEESISSUED BY FINANCE
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 36
Application of the Commonwealth Risk Management Policy
Each entity released an updated risk policy and framework within 12 months of the release 2.18of the Commonwealth Policy:
Employment had issued its first departmental risk management policy and framework in December 2013. In July 2014—and in response to the release of the Commonwealth Policy—the department released a Secretary’s Instruction on its risk management policy and framework. The department updated its 2013 risk management policy and framework in February 2015. This update reflected the department’s most recent thinking around risk appetite and tolerance. The department had identified that the application of the risk matrix released in 2013 was resulting in some risks being rated as ‘high’ that were not significant risks. In September 2016, the risk policy and framework were revised further to include a detailed Risk Appetite Statement.
Health issued a revised departmental risk management policy and framework in October 2014, three months after the release of the Commonwealth Policy. The department’s 2014 risk management policy states that the policy should be reviewed and updated annually.31 In December 2016, Health released a new Risk Appetite following extensive internal consultation.
ACMA issued a revised risk management guide and management instruction in July 2015, 12 months after the release of the Commonwealth Policy. ACMA’s 2015 risk management guidance states that the policy should be reviewed and updated annually. The guide was due to be reviewed in the second half of 2016. ACMA advised the ANAO that it has decided to await the outcomes of this audit before finalising its review.
AFMA issued a revised risk management framework in February 2015, seven months after the release of the Commonwealth Policy. AFMA’s 2013 risk management framework states that the framework should be reviewed in February and August each year. The authority released an updated risk management policy, which included a risk appetite statement, in November 2016. AFMA issued risk management operational guidelines in February 2017.
Elements One and Two of the Commonwealth Policy have a number of additional detailed 2.19requirements which overlap to some extent with other elements of the Commonwealth Policy. These requirements relate to building a risk management framework and culture and include:
internal and external consultations; embedding risk management into business processes; managing shared risks; and reviewing and improving the risk management framework.
The application of these specific requirements is discussed in the remainder of this chapter 2.20in the context of the relevant element.
31 Health advised the ANAO that the next review and update is scheduled for early 2017.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities
37
Are entities’ risk management frameworks developed with relevant stakeholder consultation, including arrangements to consult in a timely and effective manner?
The selected entities’ risk management frameworks were developed with extensive internal consultation, including with audit committees. There remains scope for entities to include, in their risk framework documentation, their arrangements for communicating, consulting and reporting on risk to both their internal and external stakeholders.
An entity’s risk management framework is required to include how the entity will report 2.21risks to both internal and external stakeholders. Each entity must also implement arrangements to communicate and consult about risk in a timely and effective manner to both internal and external stakeholders (See Elements Two and Six of the Commonwealth Policy).
Each of the selected entities’ frameworks was developed with extensive internal 2.22consultation, including with entities’ audit committees32, although entity frameworks do not explicitly outline arrangements for communicating and consulting about risk with internal and external stakeholders. None of the selected entities outlined arrangements for reporting on risk to stakeholders. Entities advised the ANAO that in practice consultation on risk occurs as part of the routine consultation and interaction with external stakeholders (for all entities), research and scientific expert groups (ACMA and AFMA) and other Commonwealth entities (for all entities).
There is scope for entity frameworks to outline arrangements for communicating, 2.23consulting and reporting on risk to internal and external stakeholders (all entities). These arrangements could be considered as part of the regular review of an entity’s risk policy and framework.
Are responsibilities and accountabilities for risk management clearly defined?
For three entities, responsibilities for managing and reporting on risk are clearly identified (Employment, Health and AFMA). ACMA has documented some, but not all, responsibilities.
The Commonwealth Policy requires that responsibilities for managing risk be defined 2.24within an entity’s risk management policy (see Elements One and Three of the Commonwealth Policy).
For Employment, Health and AFMA, the responsibilities for managing and reporting on risk 2.25are clearly outlined as part of their risk management framework. Their risk frameworks address key responsibilities relating to:
the review and update of the risk management policy and framework, and individual risk plans and risk treatments; and
32 The PGPA Rule 2014 provides that the functions of an entity’s audit committee must include reviewing the appropriateness of the accountable authority’s system of risk oversight and control. The ANAO survey of the PGPA Rule is discussed in Audit Report No.33 2016–17 Financial Statement Audit.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 38
Application of the Commonwealth Risk Management Policy
descriptions of key positions, including senior executives, program/policy/project managers and risk owners; department committees (such as the Executive Committee and the Audit Committee); and business areas.
The responsibilities for managing and reporting on departmental risks are less well defined 2.26for ACMA. ACMA had documented specific expectations of some of its executive and senior management staff, including for the review of risk registers and controls. There would also be benefit in defining the responsibilities of the Governance Board and its supporting committees, and the Strategic Risk and Planning Section.
Each of the selected entities’ risk management frameworks provide that responsibility for 2.27risk plans, individual risks and risk treatments should be assigned to an individual person or position. This approach is consistent with the Australian/New Zealand Standard Risk Management–principles and guidelines. In practice there was variability in the application of this approach within some entities, and responsibilities were often assigned to work areas. Entities should consistently assign responsibility to individuals or positions, in line with the requirement of their frameworks (Health, ACMA and AFMA).
Are entities’ risk appetite and risk tolerance defined?
Three of the selected entities developed new or revised risk appetite and tolerance statements following the release of the Commonwealth Policy (Employment, Health and AFMA). One entity included a risk tolerance statement in its 2015 risk management guide, but has not developed a risk appetite statement (ACMA).
The Commonwealth Policy requires that entities define their risk appetite and tolerance 2.28(see Element One).33 According to Comcover, the development of a risk appetite statement that incorporates risk tolerances that are tailored to an entity’s particular circumstances would be an important milestone in enhancing an entity’s risk management framework.34 The statement would: provide a platform to assist in making informed decisions; provide the potential for consistent risk management practices; and help to guide discussions on risks and risk treatments.35
Documenting an entity’s risk appetite and tolerance is a necessary first step to developing 2.29a risk framework that reflects the entity’s particular circumstances and which can directly assist in decision making.
Employment, Health and AFMA have developed new or revised risk appetite and tolerance 2.30statements as a key element of their respective risk management frameworks introduced following the release of the Commonwealth Policy.
33 According to the Commonwealth Policy (p. 21), risk appetite is the amount of risk an entity is willing to accept or retain to achieve its objectives—it is a statement or series of statements that describes the entity’s attitude toward risk taking. Risk tolerance is defined as the levels of risk taking that are acceptable in order to achieve a specific objective or manage a category of risk.
34 Department of Finance, Information Sheet: Defining Risk Appetite and Tolerance, Finance, 2016. 35 ibid.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
39
Employment’s current risk management policy and framework were issued in September 2016. A revised risk appetite statement was a key element of the framework, and includes risk tolerances for a range of risk categories and sub-categories. The statement is readily accessible from the department’s Intranet.
Health conducted a review of its risk appetite and risk tolerance from October 2014 to late 2016, and released an updated risk appetite statement in December 2016. The updated risk appetite statement classifies risks against seven risk themes: people, fraud, policy, delivery, governance, regulatory and information. Health’s enterprise-level risks have been updated and are aligned with the seven risk themes (see Appendix 4 for Health’s enterprise risk appetite statement).
AFMA released an updated risk management policy in November 2016 which included its risk appetite and risk tolerance statements. AFMA’s policy describes five ascending levels of appetite: averse; minimal; cautious; open; and hungry. According to AFMA’s risk policy, ‘AFMA is generally open to risk, in that it is willing to consider all options and choose the one most likely to result in successful delivery while also providing an acceptable level of reward and value for money.’ However, within this broad approach, a number of key risk areas have different risk appetites.
Good practice example 1. Employment’s and Health’s risk appetite statements
The development of Employment’s 2015 risk appetite statement involved extensive internal consultation and was funded, in part, by the Department of Finance (Comcover) as a pilot with the objective of using the statement as an example of good practice to assist other entities develop their own statements. Comcover considered the project would benefit other entities, and has published a case study featuring the department’s statement, accessible from Comcover’s website.a
Health’s risk appetite statement is illustrated at Appendix 4. The statement is presented as an infographic on one page for ease of reference. It includes information on the enterprise risk appetite, risk themes and scaling, and supporting a risk aware culture. It is effective in communicating expectations to departmental staff.
Available at <http://www.finance.gov.au/comcover/policy/resources.html> [Accessed 28 February 2017]. Note a:
ACMA included a risk tolerance statement in its 2015 risk management guide, but has not 2.31developed a risk appetite statement. ACMA’s risk tolerance statement is adopted from the Work Health and Safety Act 2011 and details the principle of managing risks to a level that is ‘as low as reasonably practicable’ (ALARP).36
36 Managing risks to an ALARP-level is one of the fundamental principles of health and safety management, and the term ‘reasonably practicable’ is used in the Work Health and Safety Act 2011 (Subdivision 2, Section 18) and the Work Health and Safety Regulations 2011 (Part 3.1, section 35).
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 40
Application of the Commonwealth Risk Management Policy
Is risk considered as part of key business decisions and operations?
The risk framework and key risks were regularly considered at senior levels within the selected entities. There is scope for a more structured approach to reporting on and reviewing enterprise-level risks and the status of risk controls and treatments (Health and AFMA). As discussed at paragraph 2.42, at present there is limited management reporting to the Executive Committee (Health) or Commission (AFMA) on enterprise-level risks, and no reporting on operational risks to the Audit and Risk Committee (Health and AFMA).
The ANAO’s review of a selection of business activities in each entity indicates that risk management also informs normal business operations. Risk was considered when key business decisions were made or advice was provided to senior management or government in the areas selected for review.
The Commonwealth Policy requires that each entity must ensure that the systematic 2.32management of risk is embedded in key business processes (Element 4).
The risk framework and key risks were regularly considered at senior levels within the 2.33selected entities—including the executive committee (Employment and Health), senior executive (ACMA) and the Commission (AFMA). Further, the ANAO’s review of a selection of business activities in each entity indicated that their activities were informed by considerations of risk. Risk was considered when key business decisions were made or advice was provided to senior management or government by the areas selected for review.37
Employment’s Risk and Implementation Committee (ERIC) met six times each year in 2014, 2015 and 2016 to consider and oversight the operations of the department’s risk management policy and framework, and reported quarterly to the department’s executive committee on the adequacy of the risk framework and associated processes. Following a 2016 review of governance committees, ERIC was disbanded in December 2016 and the Finance and Business Services Committee (FABS) was given responsibility to advise the Secretary on: risks identified in relation to the department’s ability to meet its business goals, as per the Risk Management Framework; and work to improve the department’s risk and policy framework, and lead the application of risk management across the department. At its meeting in March 2017, the FABS: noted that the department’s Executive had participated in a workshop to review entity strategic risks in February 2017; and considered an entity-level risk monitoring report. The department’s Performance and Integrity Sub Committee for Employment Services (PISCES) provides a high-level forum to support and advise on maximising the performance and integrity of all contracted
37 To assess risk management at an operational level, the ANAO reviewed risk management in selected divisions of Employment, Health and ACMA. The selected divisions had the highest number of risks and/or the highest severity of risks recorded in the entities’ enterprise risk register. The selected divisions were: Workers Compensation Policy Branch, and Job Seekers Compliance Section (Employment); The Office of the Gene Technology Regulator, Health Provider Compliance Division, and Population Health and Sports Division (Health); and Content, Consumer and Citizen Division (ACMA). AFMA has only three branches—Corporate, Fisheries Management and Fisheries Operations. The ANAO selected the Fisheries Management Branch for review on the basis of the highest identified risks in the risk register.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
41
employment services under jobactive.38 The department’s Audit Committee also regularly receives updates from management on aspects of the department’s risk framework and obtains presentations from time to time from responsible departmental managers on the management of risks in respect of specific programs or activities. The operational divisions reviewed by the ANAO employed the department’s enterprise-wide risk management system (RiskActive) to assist in managing risk.39
Key risks were regularly considered by Health’s executive committee in its consideration of specific departmental strategies and plans. There is scope for a more structured approach to reporting on and reviewing enterprise-level risks and the status of risk controls and treatments. The three operational divisions examined by the ANAO had established a range of local mechanisms to monitor, report on and manage risk.
ACMA’s key risks were reviewed quarterly by the senior executive as part of a regular cycle. Staff were also able to show that an assessment of risk informed local decision making processes, and that risk conversations at the senior and middle management levels took place. At an operational level, delegations for decision making relating to broadcasting and datacasting investigations were based on the assessed level of risk of each investigation.
Sustainability risks were regularly considered by the AFMA Commission in its consideration of specific fisheries management strategies and plans. Available records indicated that the operational branch selected for review had produced a range of risk assessments and guidance on risk management. There is scope for a more structured approach to reporting on and reviewing enterprise-level risks, controls and treatments.
Good practice example 2. De-prioritise and de-fund low-level activities
The Australian Communications and Media Authority’s senior executive decided in May 2016 to adopt a risk-based approach to resource allocation for the 2016–17 financial year. The Authority’s division and branch heads were asked to identify potential activities and to rate the risk of removing those activities. Items that were rated as ‘low risk’ were accepted and removed from ACMA’s activities, resulting in savings of $1.998 million across ACMA.
The ANAO’s review of the selected entities’ records, and discussions with a range of 2.34
officials, indicated that project and program risks are routinely discussed at regular management and work place meetings, and with other entities and contracted service providers, although records of such operational meetings are often not maintained by entities.
38 Which include Work for Dole, New Enterprise Incentive Scheme (NEIS), Harvest Labour Services and the Harvest Labour Information Service and Work for the Dole Coordinators.
39 The system is discussed further in paragraph 2.45 of this audit report.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 42
Application of the Commonwealth Risk Management Policy
Good practice example 3: Conducting risk premortems
The Department of Employment promotes the use of risk premortems as a way for work areas to identify and openly discuss risks to a new project or activity. A premortem begins with the assumption that a project has been implemented and the project has failed. The work group then identifies the reasons for the failure. In this way the group is able to constructively focus on the key risks involved in meeting the objectives of a program or activity. Conducting risk premortems is also a simple way to openly discuss causes of failure, without ascribing blame. It allows more junior officers and people familiar with differing facets of a project to voice their concerns in a non-judgemental forum.
Have entities established arrangements to manage shared risks?
The identification and management of shared risks is one of the least mature elements of entities’ implementation of the Commonwealth Policy. Shared risks are not routinely identified and managed as such in the context of entities’ risk management policies and frameworks (Health, ACMA and AFMA).
The Commonwealth Policy provides that an entity must establish a risk management 2.35framework which includes how the entity contributes to managing any shared or cross-jurisdictional risks, and must implement arrangements to understand and contribute to the management of shared risks (Elements Two and Seven).
The Commonwealth Policy defines a shared risk as a risk with no single owner, where 2.36more than one entity is exposed to or can significantly influence the risk.40 Shared risks are those extending beyond a single entity, which require shared oversight and management. Accountability and responsibility for the management of shared risks should include any risks that extend across entities and may involve other sectors, the community, industry or other jurisdictions.41
The Comcover 2016 Benchmarking Survey noted that understanding how to identify what 2.37is a shared risk is a concept that entities find challenging. Understanding and managing shared risk is important for effective policy and program design and implementation.
A useful starting point in considering shared risk is to focus on shared outcome risks, 2.38rather than low-level transactional risks. A risk management strategy can usefully identify areas where an entity is reliant on others to achieve its outcomes, or whose actions and activities will impact on the achievement of entity outcomes.
Entities have in place arrangements, such as steering and consultative committees, which 2.39contribute to managing risks that relate to programs and activities which involve other entities or external parties. These risks are not routinely identified and managed as shared risks in the context of entities’ risk management policies and frameworks.
40 Department of Finance, Commonwealth Risk Management Policy, July 2014, p. 21. 41 ibid., paragraph 20.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
43
Employment did not routinely categorise and manage shared risks other than risks relating to the Shared Services Centre.42 It is not evident that other risks are recognised in departmental risk registers and managed as shared risks, and risk reporting does not include reporting on shared risks.
Health’s risk management policy defines shared risks and the department’s risk register templates make provision for recording them. The ANAO’s review identified that some of the assigned shared risks were intra-entity—such as risks shared with other areas of the department—whereas the Commonwealth Policy defines a shared risk as one extending beyond the entity.
ACMA does not refer to shared risk in its risk guidance and instruction, and there is no explanation of how shared risks should be identified and managed. In practice, ACMA and its portfolio department have created a shared risk register for their joint steering committee. ACMA advised the ANAO that arrangements for identifying and managing shared risks will be developed as part of a planned review of the risk framework.
AFMA is in the early stages of implementing its risk guidelines and its approach to external consultation and shared risks. AFMA’s 2017 risk management guidelines addressed the issue of establishing shared risks through external consultation processes:
External consultation will establish shared risks through engagement with other Commonwealth agencies, cross-jurisdictional entities, industry and interest groups. Once every 12 months AFMA’s Risk Manager will engage with external stakeholders to establish the register of shared risks and report the findings to the Audit and Risk Committee and the AFMA Commission.
Do entities have relevant capability to underpin the management of risk?
The selected entities have implemented a range of measures to build their risk management capability. Key measures include:
regular internal reporting on the entity’s risk profile and risk framework (Employment and ACMA);
risk management guidance, templates and dedicated risk hot lines or email addresses (Employment, Health and ACMA);
staff resources dedicated to risk management (Employment, Health); custom-built risk management systems (Employment); and learning and development programs which address risk management, including
eLearning modules (Employment, Health and ACMA).
42 The Shared Services Centre (SSC) was administered jointly by the Department of Employment, and the Department of Education and Training (Education) and provided a variety of services to each department and other government entities. As part of machinery of government changes in September 2016, some functions moved to the Finance portfolio, such as governance arrangements for joint services.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 44
Application of the Commonwealth Risk Management Policy
The Commonwealth Risk Management Policy provides that entities must maintain an 2.40appropriate level of capability to both implement the entity’s risk management framework and manage its risks (Element Eight).
The ANAO reviewed the following aspects of the selected entities’ risk management 2.41capability:
governance and reporting arrangements; supporting guidance, systems and processes; and learning and development programs, individual performance development, and awards
and incentives.
Governance and reporting arrangements The risk management policies developed by Employment, Health and AFMA outline 2.42
governance arrangements for risk management, including a summary of key roles and responsibilities for internal committees and individual management positions with risk responsibilities. At the time of the audit, there was:
limited management reporting to the executive committee (Health) or Commission (AFMA) on the status of enterprise-level risks, as part of a structured process of regular review of enterprise-level risks, controls and treatments; and
no reporting of operational (division-level) risks to the Audit and Risk Committee, including the status of risk controls and treatments (Health and AFMA).43 44
ACMA’s Executive Group receives a quarterly report on risk management. These reports 2.43discuss current risks and emerging risks and risks that have been retired and removed. These reports also provide an update on risk metrics (such as the number of risks and the level of risks) and a summary of other relevant information. Divisional reports on the operation of the risk management framework and processes are also submitted to the Audit Committee every quarter.
Employment records indicate that risks, risk plans and risk treatments are actively 2.44managed by risk owners, and there is regular reporting to the senior executive and audit committee on the status of risks and risk treatments.45
Supporting guidance, systems and processes Employment has placed extensive risk management guidance on its Intranet to assist staff 2.45
to manage risks and risk treatments. The department operates and maintains an integrated, enterprise-wide risk management systems to assist in managing its risks—RiskActive. The system
43 In the absence of consolidated reporting on risk, Health’s Audit and Risk Committee relies on ad hoc presentations from Branch and Division-level representatives on their risk management.
44 AFMA has developed a work plan for an enterprise risk register. The authority advised the ANAO in June 2017 that a working model of the enterprise risk register and risk reports was reviewed by the Executive, Audit and Risk Committee on 6 June 2017, and is scheduled for review by the AFMA Commission on 28 June.
45 The ANAO’s review also indicated that the detailed risk treatments in risk plans (as recorded in RiskActive) are used to determine the allocation of resources.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
45
is mature and provides the department with the capability to record, manage and report on risks, risk treatments, risk events and risk plan owners.46
Health requires that risk registers should be used by operational divisions to identify and 2.46classify risks, and to list controls and risk treatments. Health does not have in place arrangements to provide assurance that risk registers are regularly reviewed in accordance with the department’s risk management policy.
ACMA’s risk management guidance provides a high-level description of risk management, 2.47but limited practical guidance on how staff should manage risk. ACMA has a formal process for divisions to identify, manage and report risks. Templates are provided to the divisions, and support is provided when required to assist with the process.
Risk management guidance available on AFMA’s Intranet was minimal and not up to 2.48date.47 This is an impediment to the development of a positive risk management culture. Other risk-related guidance available on the Intranet focussed on project management, and did not include guidance for business as usual activities. Project management templates, including a register, were available to identify, monitor and report on project risks.
Learning and development Employment’s learning and development program includes offerings on risk management 2.49
including a number of risk management eLearning modules.48 Departmental officials are regular participants in risk management forums and seminars organised by Comcover and departmental officials are encouraged to attend and participate in external risk management seminars and courses. Risk management is also identified as one of the criteria used to judge the recipients of the Secretary’s award for innovation.
Health and ACMA have a variety of learning and development programs available for staff, 2.50including eLearning courses developed by Comcover and entity-specific workshops.
Health held a variety of Comcover Risk workshops for its senior executives on risk, controls and shared risk in 2016 and 2017. Health also introduced an e-learning module in January 2017, but there has been limited uptake of this training module49; and
79 per cent of ACMA employees had completed the compulsory risk management e-learning module in 2016 with plans to add risk-specific guidance to its induction program.
AFMA does not have formal learning and development programs in risk management for 2.51staff, a further impediment to the development of a positive risk management culture. The ANAO
46 As at December 2016, departmental systems included 540 risk plans, 2558 risks, 6806 risk treatments and 242 risk plan owners.
47 In December 2016 AFMA’s Intranet included links to its Risk Management Framework 2013 document and Chief Executive Instructions. AFMA advised the ANAO in February 2017 that revised guidance had not yet been released internally.
48 Of a total of over 1950 Employment staff (at 30 June 2016)—240 staff had accessed the eLearning module, Risk Essentials. Of these, 213 were recorded as having ‘passed’ the module. Fifty-three staff were recorded as having accessed the eLearning module, RiskActive.
49 Of a total of over 5000 Health staff (at 30 June 2016)—32 staff had completed the e-learning module, and 29 staff had attended a risk management workshop.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 46
Application of the Commonwealth Risk Management Policy
was advised by AFMA that work had commenced to implement a training package for staff on the Public Governance, Performance and Accountability (PGPA) Act 2013, including a risk management module.50
Are entities’ risk management frameworks reviewed to continuously improve the management of risks?
The selected entities’ risk management policies include a commitment to regularly review the risk framework, and each of the entities has continued to review its risk management policies and framework since the Commonwealth Policy was released in July 2014.
The Commonwealth Policy provides that each entity must review its risks, its risk 2.52management framework and the application of its risk management practices on a regular basis, and implement improvements arising out of such reviews (see Element Nine).
Review The selected entities’ risk management policies include a commitment to regularly review 2.53
the risk framework.
As discussed in paragraph 2.18, Employment has twice revised or updated its risk policy since 2014 (in 2015 and 2016).
Aspects of Health’s risk management were reviewed as part of the 2014 Health Capability Review, which observed that the department needed to foster a culture that appropriately embraces and manages risks within agreed tolerances.51 In response, the department initiated a review of the risk management component of the Health Capability Program in July 2016. The 2016 review commented that more work needed to be done. The department has an ongoing program to address the recommendations of the two reviews. A key focus of the capability program is to fully operationalise the department’s risk management framework.
As discussed in paragraph 2.43, ACMA has established processes for executive review of division-level risks and conducted reviews of its risk registers in 2015 and 2016;
AFMA conducted a review of the authority’s risk management framework in June 2015, and has implemented or partially implemented seven of the ten recommendations arising from the review (at February 2017).
Regular review of entities’ risk frameworks and practices improves the effectiveness of risk 2.54management, and should be factored into internal planning processes.
50 At the time of the audit, Learnhub was being implemented as an e-learning tool that provided a range of courses across the APS, including the Introduction to Risk in the Commonwealth. The course is sponsored and maintained by Comcover and is designed to increase awareness of risk across the Commonwealth Public Sector and encourage better practice in public sector risk management.
51 Australian Public Service Commission, Capability Review: Department of Health, October 2014, p. 12.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
47
Escalating and recording issues The selected entities did not systematically record and analyse risk incidents, issues and 2.55
events to inform their periodic evaluation of the risk management framework, and there was variability in processes for escalating risk.
Employment has developed a process for the escalation of high and extreme risks. Departmental staff interviewed by the ANAO indicated that in their experience, senior management adopted a supportive and constructive approach when risk events and incidents are reported. Departmental procedures include a requirement for ‘plan events’ to be recorded in RiskActive and for such events to trigger a review of the relevant Risk Plan. The guidance outlines detailed actions to be taken depending on whether the event was, or was not, previously identified as a risk.52 The ANAO’s review of a selection of risk events indicates that a number of the events recorded are events or developments that have occurred but are not related to the risks or risk treatments outlined in the relevant risk plan and it was not evident that risk events routinely triggered a review of the risk plan.
Health has limited guidance in the risk template which advises staff on the escalation of high and extreme risks. Departmental staff interviewed by the ANAO indicated that in their experience the attitude to reporting and escalating risks has improved significantly in the past two years, and the focus is now on identifying issues, finding solutions and learning lessons from the risk events.
The ANAO was advised by ACMA that it is developing a new risk escalation process. ACMA does not record risk incidents to assist in monitoring the adequacy of its risk framework. However, some of the ACMA End Project Reports reviewed by the ANAO identified project risks and noted whether the risks materialised or not.
AFMA’s risk guidance documented a pathway for the annual review and escalation of risks, but did not provide guidance for the escalation of high and extreme risks as they emerged. AFMA employees interviewed by the ANAO indicated that reporting on risks occurred on a case-by-case basis, and as needed.
Recording and analysing risk incidents and lessons learned can provide valuable insights to 2.56management and the audit committee on risk management performance and the effectiveness of the risk management framework.
52 The ANAO’s sample review of RiskActive identified that 78 risk events were recorded against 40 risk plans at the time of audit.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 48
Application of the Commonwealth Risk Management Policy
Reporting on risk management performance The selected entities do not have mechanisms in place to measure risk management 2.57
performance:
Employment’s records do not indicate that the department assesses and reports on the performance of the risk management framework in accordance with the approach outlined in the risk management policy.53
Health, ACMA and AFMA advised the ANAO that they rely on the results from the annual Comcover Benchmarking survey to assess the performance of their risk management frameworks. With the exception of this survey, these entities do not have any mechanisms in place to measure risk management performance.54
Other reporting on risk management performance The Australian Public Service Commission (APSC) surveys APS agencies and employees 2.58
annually on a range of workforce management issues. Both surveys have included a number of questions relating to risk management. The 2016 APS employee census included four questions relating to entities’ risk management.
Figure 2.3 presents the survey results for the selected entities (blue) compared to the 2.59results for all agencies surveyed (red). This analysis indicates that a higher proportion of employees in Employment, ACMA and AFMA agreed with the risk-related statements in the 2016 survey, when compared with the combined results for all entities surveyed. A lower proportion of Health employees agreed with those statements.
53 The department’s risk management policy states that the performance of the risk management framework is assessed against the achievement of four objectives: organisational resilience; positive risk culture; integrated and consistent application; and informed and effective decision making. The department advised the ANAO in July 2017 that it has commenced planning for a review against the approach outlined in the policy, and has made reference to the relevant objectives in regular risk reporting.
54 Further, ACMA has not described performance measures for its risks or controls, as outlined in its risk management guidance.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
49
Figure 2.3: Staff responses to the risk-related questions in the 2016 APS employee census, compared to the overall score for all entities surveyed
Source: ANAO analysis of data provided by the APSC.
The relatively high level of agreement indicated by Employment staff to the four questions 2.60is consistent with the department’s implementation of an integrated risk management system across the department, as reported in this audit. The relatively low level of agreement indicated by Health staff is consistent with that department’s state-of-play in fully operationalising its risk framework across the department, as reported in this audit.
All the selected entities (Employment, Health, ACMA and AFMA) advised the ANAO that 2.61the data provided by the APSC is not used in a substantive sense as part of management reporting and/or to assist in the review of their enterprise risk management framework.
Health also conducts a Pulse Survey every six months, which aims to complement the 2.62annual APSC survey. A summary of relevant results is presented in Table 2.4.
Table 2.4: Results for the risk-related question in Health’s 2016 pulse surveys Question: In my branch, there is a willingness to take appropriate risks with decisions
Survey date Disagree (per cent) Mixed (per cent) Agree (per cent)
March 2016 26 32 42
October 2016 21 29 50
Source: ANAO, drawing on Department of Health records.
70 54
62 59
79
59 68
61
I am aware of my entity's policies for
managing risk or know where to find them
In my entity, risks are managed proactively
In my immediate work area employees
respond to risk in a manner consistent with
my entity's risk management policies
and processes
In general, my entity has effective risk
management policies and procedures
100%
%
25%
50%
75%
All entities surveyed (average)
781
559 664 659
65 547
656 552
80 69
571 72
Empl
oym
ent
Hea
lth
AC
MA
AFM
A
Empl
oym
ent
Hea
lth
AC
MA
AFM
A
Empl
oym
ent
Hea
lth
AC
MA
AFM
A
Empl
oym
ent
Hea
lth
AC
M
AFM
A
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 50
Application of the Commonwealth Risk Management Policy
Was risk addressed in entity corporate plans?
The selected entities were at different levels of maturity in their implementation of the corporate plan requirement relating to risk, with further work required in all entities to fully embed the requirement.
The PGPA Rule requires entity corporate plans to include a summary of the risk oversight 2.63and management systems of the entity for each reporting period covered by the plan (including the measures that will be implemented to ensure compliance with the finance law).
The 2016 Finance Guidance noted that: 2.64
As a strategic planning document, the corporate plan needs to demonstrate that effective systems of risk oversight and management have been implemented. Entities should explain how their approach to managing risk will support the achievement of their purposes.55
The 2017 Finance Guidance similarly noted that: 2.65
Entities should explain how risk management will underpin their approach to achieving their purposes… As a strategic planning document, the corporate plan should demonstrate that effective risk management priorities have been considered and implemented.56
As part of the audit, the ANAO assessed the maturity of the risk oversight and 2.66management section of the selected entities’ 2016–17 corporate plans using the methodology used in the ANAO’s Report No.6 (2016–17) Corporate Planning in the Australian Public Sector and Report No.54 (2016–17) Corporate Planning in the Australian Public Sector.
The ANAO’s assessment of the maturity of the risk oversight and management section of 2.67the selected entities’ 2016–17 corporate plan is presented in Table 2.5.
55 Department of Finance, Resource Management Guide No. 132 - Corporate plans for Commonwealth entities, Finance, July 2016, paragraph 79.
56 Department of Finance, Resource Management Guide No. 132 - Corporate plans for Commonwealth entities, Finance, January 2017, paragraph 83.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
51
Table 2.5: Assessment of the maturity of the risk oversight and management section of the selected entities’ 2016–17 corporate plan
Risk oversight and management Department of Employment The discussion of risk is generally at a high level and it is difficult to directly link the discussion to the department’s purposes. The environment section of the plan includes some commentary on risk including five ‘consequence families that represent the department’s key areas of concern should risks occur’.
Department of Health The discussion of risk mainly outlines how the department intends to improve its risk management framework. The risk section does not link to the department’s purpose but does outline at a high level a governance structure that the plan suggests ‘enables consideration of risk in all core business decisions’. The plan does not identify risk categories or specific risks.
ACMA The discussion of risk addresses three main risks—ecological risks, compliance risks and operational risks—and summarises the Authority’s risk framework and governance arrangements. The plan also provides internet links to more detailed documents available from the Authority’s website. On its face, the plan is reasonably mature; the issue is that some of the information referred to is not supported by evidence. In particular, risk management plans were not evident and the Risk Management Committee did not meet for over two years.
AFMA The discussion of risk includes a summary of the seven strategic risks facing the Authority, summarises the governance arrangements for the management of risk, and briefly outlines the Authority’s risk tolerance and its approach to the assessment of risk.
Key
The discussion of risk does not address how the entity’s approach to managing risk will support the achievement of the entity’s purposes.
The discussion of risk does not clearly address how the entity’s approach to managing risk will support the achievement of the entity’s purposes.
The discussion of risk is linked to the achievement of an entity’s purposes but does not outline the sources of risk or the key risks that impact the achievement of an entity’s purposes.
The discussion of risk is linked to the achievement of an entity’s purposes and outlines the sources of risk or the key risks that impact the achievement of an entity’s purposes.
Source: ANAO analysis.
The selected entities were at different levels of maturity in their implementation of the 2.68corporate plan requirement relating to risk, with further work required in all entities to fully embed the requirement. There would be benefit in the selected entities reviewing the Department of Finance’s guidance on preparing corporate plans, which indicates that a mature approach to addressing risk in the corporate plan may include a discussion of:
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 52
Application of the Commonwealth Risk Management Policy
how the key sources of risk to an entity’s purposes are being managed in the context in which the entity operates, the activities undertaken and the purposes the entity seeks to achieve;
the capability and environment components of the corporate plan, and how those components impact the risk profile of the entity;
key sources of emerging risks that may impact its ability to achieve its purposes in the future; and
the risks an entity faces in the context in which the entity operates, the activities undertaken and the purposes it seeks to achieve.57 58
Areas for improvement The ANAO has not made any recommendations in this audit, but has highlighted a range of 2.69
matters relating to the audited entities’ risk management which warrant further attention. The matters highlighted below may also warrant attention by other Commonwealth entities.
Specific matters which warrant further attention by the selected entities relate to: 2.70
defining the entity’s risk appetite in the risk management policy (ACMA); enhancing risk management capability (Health, ACMA and AFMA); improving the identification and management of shared risks (all entities); developing arrangements for communicating, consulting and reporting on risk with
internal and external stakeholders (all entities); improving arrangements to regularly review risks, risk management frameworks and the
application of risk management practices (Health, ACMA and AFMA); seeking formal assurance from managers in preparing responses to the Comcover survey
of risk maturity (all entities); fully embedding the corporate plan requirement relating to risk (all entities); and assigning responsibility for risk management to individuals or positions, rather than work
areas (Health, ACMA and AFMA).
Grant Hehir Auditor-General
Canberra ACT 15 August 2017
57 Department of Finance, Resource Management Guide No. 132 - Corporate plans for Commonwealth entities, Finance, July 2016, paragraphs 80 to 83.
58 The Department of Employment advised the ANAO in July 2017 that during the preparation of its 2017-18 corporate plan it had undertaken work to further embed the corporate plan requirement relating to risk, and had received positive feedback on draft content provided to the Department of Finance for comment.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
53
Appendices
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
55
Appendix 1 Responses from the selected entities
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 56
Appendix 1
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
57
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 58
Appendix 1
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
59
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 60
Appendix 1
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
61
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 62
Appendix 1
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
63
Appendix 2 The Commonwealth Risk Management Policy requirements
Element 1: Establishing a risk management policy – four requirements An entity must establish and maintain an entity specific risk management policy that:
(a) defines the entity’s approach to the management of risk and how this approach supports its strategic plans and objectives;
(b) defines the entity’s risk appetite and risk tolerance; (c) contains an outline of key accountabilities and responsibilities for managing and
implementing the entity’s risk management framework; and (d) is endorsed by the entity’s accountable authority.
Element 2: Establishing a risk management framework – nine requirements An entity must establish a risk management framework which includes:
(a) an overarching risk management policy (Element One); (b) an overview of the entity’s approach to managing risk; (c) how the entity will report risks to both internal and external stakeholders; (d) the attributes of the risk management culture that the entity seeks to develop, and the
mechanisms employed to encourage this; (e) an overview of the entity’s approach to embedding risk management into its existing
business processes; (f) how the entity contributes to managing any shared or cross jurisdictional risks; (g) the approach for measuring risk management performance; and (h) how the risk management framework and entity risk profile will be periodically reviewed
and improved.
The risk management framework must be endorsed by the entity’s accountable authority.
Element 3: Defining responsibility for managing risk – three requirements Within the risk management policy, the accountable authority of an entity must define the responsibility for managing risk by:
(a) defining who is responsible for determining an entity’s appetite and tolerance for risk; (b) allocating responsibility for implementing the entity’s risk management framework; and (c) defining entity roles and responsibilities in managing individual risks.
Element 4: Embedding systematic risk management into business processes Each entity must ensure that the systematic management of risk is embedded in key business processes.
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 64
Appendix 2
Element 5: Developing a positive risk culture An entity’s risk management framework must support the development of a positive risk culture.
Element 6: Communicating and consulting about risk Each entity must implement arrangements to communicate and consult about risk in a timely and effective manner to both internal and external stakeholders.
Element 7: Understanding and managing shared risk Each entity must implement arrangements to understand and contribute to the management of shared risks.
Element 8: Maintaining risk management capability Each entity must maintain an appropriate level of capability to both implement the entity’s risk management framework and manage its risk.
Element 9: Reviewing and continuously improving the management of risk Each entity must review its risks, its risk management framework and the application of its risk management practices on a regular basis, and implement improvements arising out of such reviews. Source: The Commonwealth Risk Management Policy, 1 July 2014.
ANAO Report No.6 2017–18
The Management of Risk by Public Sector Entities
65
App
endi
x 3
AN
AO
ass
essm
ent o
f the
sel
ecte
d en
titie
s’ a
pplic
atio
n of
the
Com
mon
wea
lth R
isk
Man
agem
ent P
olic
y el
emen
ts
Dep
artm
ent o
f Em
ploy
men
t
Polic
y el
emen
ts
AN
AO
ass
essm
ent
Elem
ent 1
: Has
Em
ploy
men
t est
ablis
hed
and
mai
ntai
ned
an e
ntity
-spe
cific
risk
man
agem
ent p
olic
y th
at:
a) d
efin
es th
e en
tity’
s ap
proa
ch to
the
man
agem
ent o
f ris
k an
d ho
w th
is
appr
oach
sup
ports
its
stra
tegi
c pl
ans
and
obje
ctiv
es
Met
Em
ploy
men
t’s 2
016
risk
man
agem
ent p
olic
y ou
tline
s th
e de
partm
ent’s
ove
rall
appr
oach
to ri
sk m
anag
emen
t.
Empl
oym
ent h
as e
stab
lishe
d a
risk
man
agem
ent f
ram
ewor
k th
at: d
etai
ls th
e de
partm
ent’s
app
roac
h to
the
man
agem
ent o
f ris
ks (r
isk
man
agem
ent p
olic
y); p
rovi
des
guid
ance
on
man
agin
g en
terp
rise
and
oper
atio
nal
risks
(Sec
reta
ry’s
Inst
ruct
ions
); an
d se
ts th
e de
partm
ent’s
ove
rall
risk
appe
tite
and
risk
tole
ranc
e (r
isk
appe
tite
and
risk
tole
ranc
e st
atem
ents
).
Empl
oym
ent i
ssue
d its
firs
t dep
artm
enta
l ris
k m
anag
emen
t pol
icy
and
fram
ewor
k in
Feb
ruar
y 20
13. I
n Ju
ly
2014
—an
d in
resp
onse
to th
e re
leas
e of
the
Com
mon
wea
lth P
olic
y—th
e de
partm
ent r
elea
sed
a S
ecre
tary
’s
Inst
ruct
ion
on it
s ris
k m
anag
emen
t pol
icy
and
fram
ewor
k. T
he d
epar
tmen
t upd
ated
its
2013
risk
man
agem
ent
polic
y an
d fra
mew
ork
in F
ebru
ary
2015
. Thi
s up
date
refle
cted
the
depa
rtmen
t’s m
ost r
ecen
t thi
nkin
g ar
ound
ris
k ap
petit
e an
d to
lera
nce.
The
dep
artm
ent h
ad id
entif
ied
that
the
appl
icat
ion
of th
e ris
k m
atrix
rele
ased
in
2013
was
resu
lting
in s
ome
risks
bei
ng ra
ted
as ‘h
igh’
that
wer
e no
t sig
nific
ant r
isks
. In
Sep
tem
ber 2
016,
the
risk
polic
y an
d fra
mew
ork
wer
e re
vise
d fu
rther
to in
clud
e a
deta
iled
risk
appe
tite
stat
emen
t.
b) d
efin
es th
e en
tity’
s ris
k ap
petit
e an
d ris
k to
lera
nce
Met
In
Sep
tem
ber 2
016,
Em
ploy
men
t iss
ued
a re
vise
d ris
k ap
petit
e an
d ris
k to
lera
nce
stat
emen
t tha
t out
lined
a
deta
iled
appr
oach
to th
e de
partm
ent’s
ove
rall
risk
appe
tite
and
tole
ranc
e in
the
man
agem
ent o
f ris
ks.
c) c
onta
ins
an o
utlin
e of
key
ac
coun
tabi
litie
s an
d re
spon
sibi
litie
s fo
r man
agin
g an
d im
plem
entin
g th
e en
tity’
s ris
k m
anag
emen
t fra
mew
ork
Met
Em
ploy
men
t’s ri
sk m
anag
emen
t pol
icy
outli
nes
the
assi
gned
key
role
s an
d re
spon
sibi
litie
s fo
r the
gov
erna
nce
of ri
sk. T
he S
ecre
tary
’s In
stru
ctio
ns (1
.1, R
isk
Man
agem
ent)
com
plem
ent t
he ri
sk m
anag
emen
t pol
icy
and
prov
ide
guid
ance
on
the
depa
rtmen
t’s ri
sk m
anag
emen
t fra
mew
ork.
d) i
s en
dors
ed b
y th
e en
tity’
s ac
coun
tabl
e au
thor
ity.
Met
Th
e ris
k po
licy
and
fram
ewor
k w
ere
endo
rsed
by
the
Dep
artm
ent’s
Exe
cutiv
e C
omm
ittee
, cha
ired
by th
e Se
cret
ary.
Dep
artm
ent o
f Em
ploy
men
t
Elem
ent 2
: Has
Em
ploy
men
t est
ablis
hed
a ris
k m
anag
emen
t fra
mew
ork
whi
ch in
clud
es:
a) t
he o
vera
rchi
ng ri
sk m
anag
emen
t po
licy
(Ele
men
t 1)
Met
Se
e co
mm
ents
rega
rdin
g E
lem
ent 1
(a).
b) a
n ov
ervi
ew o
f the
ent
ity’s
app
roac
h to
man
agin
g ris
k M
et
Empl
oym
ent’s
risk
man
agem
ent f
ram
ewor
k re
fers
to th
e S
ecre
tary
’s In
stru
ctio
n on
risk
man
agem
ent w
hich
ou
tline
s th
e de
partm
ent’s
app
roac
h to
the
man
agem
ent o
f ris
ks, i
nclu
ding
the
key
role
s an
d re
spon
sibi
litie
s in
m
anag
ing
risks
by:
the
Exec
utiv
e; g
over
nanc
e co
mm
ittee
s; th
e R
isk,
Ass
uran
ce a
nd P
erfo
rman
ce S
ectio
n (R
APS)
; and
all
depa
rtmen
tal o
ffici
als.
c) h
ow th
e en
tity
will
repo
rt ris
ks to
bot
h in
tern
al a
nd e
xter
nal s
take
hold
ers
Mos
tly m
et
Empl
oym
ent’s
risk
man
agem
ent f
ram
ewor
k w
as d
evel
oped
with
ext
ensi
ve in
tern
al c
onsu
ltatio
n, in
clud
ing
with
th
e au
dit c
omm
ittee
. The
fram
ewor
k do
es n
ot e
xplic
itly
outli
ne a
rran
gem
ents
for c
omm
unic
atin
g, c
onsu
lting
an
d re
porti
ng a
bout
risk
with
inte
rnal
and
ext
erna
l sta
keho
lder
s. E
mpl
oym
ent a
dvis
ed th
e AN
AO th
at in
pr
actic
e co
nsul
tatio
n on
risk
occ
urs
as p
art o
f its
rout
ine
cons
ulta
tion
and
inte
ract
ion
with
ext
erna
l sta
keho
lder
s an
d ot
her C
omm
onw
ealth
ent
ities
.
d) t
he a
ttrib
utes
of t
he ri
sk
man
agem
ent c
ultu
re th
at th
e en
tity
seek
s to
dev
elop
, and
the
mec
hani
sms
empl
oyed
to e
ncou
rage
th
is
Met
Th
e fra
mew
ork
outli
nes
the
attri
bute
s of
the
depa
rtmen
t’s ri
sk m
anag
emen
t cul
ture
. The
fram
ewor
k al
so
outli
nes
the
way
the
depa
rtmen
t int
ends
to m
easu
re it
s ris
k cu
lture
thro
ugh:
sta
ff ce
nsus
resu
lts; i
nter
nal a
nd
exte
rnal
aud
its; m
easu
res
of c
ompl
ianc
e; re
gula
r rev
iew
s an
d m
onito
ring
of ri
sk p
ract
ices
thro
ugho
ut th
e de
partm
ent;
and
enga
gem
ent w
ith tr
aini
ng o
ffere
d.
e) a
n ov
ervi
ew o
f the
ent
ity’s
app
roac
h to
em
bedd
ing
risk
man
agem
ent i
nto
its e
xist
ing
busi
ness
pro
cess
es
Met
Th
e fra
mew
ork
outli
nes
how
the
depa
rtmen
t pro
pose
s to
em
bed
risk
man
agem
ent i
nto
its e
xist
ing
busi
ness
pr
oces
ses,
incl
udin
g: a
ssur
ance
mec
hani
sms;
and
pro
cess
es re
latin
g to
the
dire
ctio
n, o
vers
ight
and
app
rova
l of
risk
s.
f) ho
w th
e en
tity
cont
ribut
es to
m
anag
ing
any
shar
ed o
r cro
ss
juris
dict
iona
l ris
ks
Met
Th
e 20
16 ri
sk m
anag
emen
t fra
mew
ork
refe
rs to
the
depa
rtmen
t’s a
ppro
ach
to re
cogn
isin
g an
d m
anag
ing
shar
ed ri
sks,
spe
cific
ally
men
tioni
ng th
e Sh
ared
Ser
vice
s C
entre
, oth
er g
over
nmen
t age
ncie
s an
d th
ird-p
arty
em
ploy
men
t pro
vide
rs.
g) t
he a
ppro
ach
for m
easu
ring
risk
man
agem
ent p
erfo
rman
ce
Met
Th
e fra
mew
ork
indi
cate
s th
at th
e pe
rform
ance
of t
he d
epar
tmen
t’s ri
sk m
anag
emen
t fra
mew
ork
is a
sses
sed
agai
nst t
he a
chie
vem
ent o
f fou
r ris
k m
anag
emen
t obj
ectiv
es: o
rgan
isat
iona
l res
ilienc
e; p
ositi
ve ri
sk c
ultu
re;
inte
grat
ed a
nd c
onsi
sten
t app
licat
ion;
and
info
rmed
and
effe
ctiv
e de
cisi
on m
akin
g.
Dep
artm
ent o
f Em
ploy
men
t
h) h
ow th
e ris
k m
anag
emen
t fra
mew
ork
and
entit
y ris
k pr
ofile
will
be
perio
dica
lly re
view
ed a
nd im
prov
ed.
Met
Th
e fra
mew
ork
outli
nes
how
the
fram
ewor
k w
ill b
e re
view
ed.
i) Th
e ris
k m
anag
emen
t fra
mew
ork
is
endo
rsed
by
the
entit
y’s
acco
unta
ble
auth
ority
.
Met
Se
e co
mm
ents
rega
rdin
g E
lem
ent 1
(d).
Elem
ent 3
: Has
the
acco
unta
ble
auth
ority
of E
mpl
oym
ent d
efin
ed th
e re
spon
sibi
lity
for m
anag
ing
risk,
by:
a) d
efin
ing
who
is re
spon
sibl
e fo
r de
term
inin
g th
e en
tity’
s ap
petit
e an
d to
lera
nce
for r
isk
Met
Th
e de
partm
ent’s
risk
app
etite
and
tole
ranc
e st
atem
ent w
as a
ppro
ved
by th
e Ex
ecut
ive
Com
mitt
ee a
nd is
sued
by
the
Secr
etar
y in
line
with
the
Sec
reta
ry’s
Inst
ruct
ions
.
b) a
lloca
ting
resp
onsi
bilit
y fo
r im
plem
entin
g th
e en
tity’
s ris
k m
anag
emen
t fra
mew
ork
Met
The
Ris
k, A
ssur
ance
and
Per
form
ance
Sec
tion
(RA
PS) w
ithin
the
Assu
ranc
e an
d Bu
sine
ss S
ervi
ces
Bran
ch is
re
spon
sibl
e fo
r im
plem
entin
g th
e de
partm
ent’s
ent
erpr
ise
risk
man
agem
ent f
ram
ewor
k, a
nd e
nsur
ing
the
fram
ewor
k an
d ris
k pr
ofile
rem
ain
curr
ent a
nd re
leva
nt.
c) d
efin
ing
entit
y ro
les
and
resp
onsi
bilit
ies
in m
anag
ing
indi
vidu
al ri
sks.
Met
Th
e ris
k m
anag
emen
t pol
icy
outli
nes
resp
onsi
bilit
ies
for r
isk
man
agem
ent,
with
furth
er d
etai
l con
tain
ed in
the
Sec
reta
ry’s
Inst
ruct
ions
.
Dep
artm
ent o
f Em
ploy
men
t
Elem
ent 4
: Has
Em
ploy
men
t ens
ured
that
the
syst
emat
ic m
anag
emen
t of r
isk
is e
mbe
dded
in k
ey b
usin
ess
proc
esse
s?
M
et
Empl
oym
ent’s
Ris
k an
d Im
plem
enta
tion
Com
mitt
ee (E
RIC
) met
six
tim
es e
ach
year
in 2
014,
201
5 an
d 20
16 to
co
nsid
er a
nd o
vers
ight
the
oper
atio
ns o
f the
dep
artm
ent’s
risk
man
agem
ent p
olic
y an
d fra
mew
ork,
and
re
porte
d re
gula
rly to
the
depa
rtmen
t’s e
xecu
tive
com
mitt
ee o
n th
e ad
equa
cy o
f the
risk
fram
ewor
k an
d as
soci
ated
pro
cess
es.
ERIC
was
dis
band
ed in
Dec
embe
r 201
6. E
mpl
oym
ent r
ecor
ds in
dica
te th
at it
s ris
k re
spon
sibi
litie
s w
ere
divi
ded
betw
een
the
Audi
t Com
mitt
ee—
resp
onsi
ble
for r
isk
assu
ranc
e—an
d th
e Fi
nanc
e an
d Bu
sine
ss S
ervi
ces
(FAB
S) C
omm
ittee
—re
spon
sibl
e fo
r ris
k fra
mew
ork
impl
emen
tatio
n, m
onito
ring
and
impr
ovem
ent (
see
Elem
ent 9
bel
ow).
The
depa
rtmen
t’s P
erfo
rman
ce a
nd In
tegr
ity S
ub C
omm
ittee
for E
mpl
oym
ent S
ervi
ces
(PIS
CES
) pro
vide
s a
high
-leve
l for
um to
sup
port
and
advi
se o
n m
axim
isin
g th
e pe
rform
ance
and
inte
grity
of a
ll co
ntra
cted
em
ploy
men
t ser
vice
s un
der j
obac
tive.
The
dep
artm
ent’s
Aud
it C
omm
ittee
als
o re
gula
rly re
ceiv
es u
pdat
es fr
om
man
agem
ent o
n as
pect
s of
the
depa
rtmen
t’s ri
sk fr
amew
ork
and
obta
ins
pres
enta
tions
from
tim
e to
tim
e fro
m
resp
onsi
ble
depa
rtmen
tal m
anag
ers
on th
e m
anag
emen
t of r
isks
in re
spec
t of s
peci
fic p
rogr
ams
or a
ctiv
ities
. Th
e op
erat
iona
l div
isio
ns re
view
ed b
y th
e A
NAO
em
ploy
ed th
e de
partm
ent’s
ent
erpr
ise-
wid
e ris
k m
anag
emen
t sy
stem
(Ris
kAct
ive)
to a
ssis
t in
man
agin
g ris
k.
Elem
ent 5
: Doe
s Em
ploy
men
t’s ri
sk m
anag
emen
t fra
mew
ork
supp
ort t
he d
evel
opm
ent o
f a p
ositi
ve ri
sk c
ultu
re?
M
et
To a
sses
s th
e se
lect
ed e
ntiti
es’ i
mpl
emen
tatio
n of
the
over
arch
ing
goal
of t
he C
omm
onw
ealth
Pol
icy
and
its
polic
y el
emen
t fiv
e—de
velo
ping
a p
ositi
ve ri
sk c
ultu
re—
the
ANAO
had
rega
rd to
: ent
ities
’ im
plem
enta
tion
of th
e C
omm
onw
ealth
Pol
icy
requ
irem
ents
; ris
k m
anag
emen
t in
a se
lect
ion
of b
usin
ess
activ
ities
in e
ach
entit
y; a
nd
the
cons
ider
atio
n of
risk
by
seni
or le
ader
s.
Empl
oym
ent m
et 1
9 an
d m
ostly
met
two
of th
e re
quire
men
ts (t
otal
21/
22 o
r 95
per c
ent).
Th
e AN
AO’s
revi
ew o
f a s
elec
tion
of b
usin
ess
activ
ities
(see
foot
note
37)
indi
cate
s th
at ri
sk m
anag
emen
t in
form
s no
rmal
bus
ines
s op
erat
ions
in th
e se
lect
ed e
ntiti
es. R
isk
was
con
side
red
whe
n ke
y bu
sine
ss d
ecis
ions
w
ere
mad
e or
adv
ice
was
pro
vide
d to
sen
ior m
anag
emen
t or g
over
nmen
t by
the
area
s se
lect
ed fo
r rev
iew
. Th
e ris
k m
anag
emen
t fra
mew
ork
and
key
risks
wer
e re
gula
rly c
onsi
dere
d at
sen
ior l
evel
s (s
ee c
omm
ents
re
gard
ing
Elem
ent 4
abo
ve).
Dep
artm
ent o
f Em
ploy
men
t
Elem
ent
6: H
as E
mpl
oym
ent
impl
emen
ted
arra
ngem
ents
to
com
mun
icat
e an
d co
nsul
t ab
out
risk
in a
tim
ely
and
effe
ctiv
e m
anne
r to
bot
h in
tern
al a
nd e
xter
nal s
take
hold
ers?
M
ostly
met
The
depa
rtmen
t has
: ext
ensi
ve ri
sk m
anag
emen
t gui
danc
e av
aila
ble
on it
s In
trane
t; pr
ovid
es a
ssis
tanc
e on
risk
m
anag
emen
t to
staf
f thr
ough
an
inte
rnal
hot
line;
and
man
agem
ent r
epor
ting
arra
ngem
ents
that
rein
forc
e th
e im
porta
nce
of ri
sk m
anag
emen
t.
The
deve
lopm
ent o
f the
new
Ris
k Ap
petit
e an
d To
lera
nce
Stat
emen
t and
the
supp
ortin
g m
etho
dolo
gy in
volv
ed
exte
nsiv
e in
tern
al c
onsu
ltatio
n.
It is
not
evi
dent
that
the
deve
lopm
ent o
f the
abo
ve a
rtefa
cts
invo
lved
con
sulta
tion
with
ext
erna
l sta
keho
lder
s.
Empl
oym
ent a
dvis
ed th
e A
NAO
that
in p
ract
ice
cons
ulta
tion
on ri
sk o
ccur
s as
par
t of t
he d
epar
tmen
t’s ro
utin
e co
nsul
tatio
n an
d in
tera
ctio
n w
ith e
xter
nal s
take
hold
ers
and
othe
r Com
mon
wea
lth e
ntiti
es.
Elem
ent 7
: Has
Em
ploy
men
t im
plem
ente
d ar
rang
emen
ts to
und
erst
and
and
cont
ribut
e to
the
man
agem
ent o
f sha
red
risks
?
Pa
rtly
met
Dep
artm
enta
l rec
ords
indi
cate
that
sha
red
risks
wer
e id
entif
ied
and
man
aged
in re
latio
n to
the
Shar
ed S
ervi
ces
Cen
tre, p
rior t
o its
tran
sfer
to th
e D
epar
tmen
t of F
inan
ce.
Empl
oym
ent d
id n
ot ro
utin
ely
cate
goris
e an
d m
anag
e sh
ared
risk
s ot
her t
han
risks
rela
ting
to th
e Sh
ared
Se
rvic
es C
entre
. It i
s no
t evi
dent
that
oth
er ri
sks
are
reco
gnis
ed in
dep
artm
enta
l ris
k re
gist
ers
and
man
aged
as
shar
ed ri
sks,
and
risk
repo
rting
doe
s no
t inc
lude
repo
rting
on
shar
ed ri
sks.
See
als
o co
mm
ents
rega
rdin
g El
emen
t 2 (f
).
Elem
ent 8
: Has
Em
ploy
men
t mai
ntai
ned
an a
ppro
pria
te le
vel o
f cap
abili
ty to
bot
h im
plem
ent t
he e
ntity
’s ri
sk m
anag
emen
t fra
mew
ork
and
man
age
its ri
sks?
M
et
The
depa
rtmen
t has
ext
ensi
ve g
uida
nce
and
tool
s av
aila
ble
to s
taff
to a
ssis
t with
the
man
agem
ent o
f ris
k.
Trai
ning
cou
rses
, inc
ludi
ng e
Lear
ning
mod
ules
are
ava
ilabl
e to
all
staf
f. Th
e de
partm
ent h
as a
ded
icat
ed R
isk,
As
sura
nce
and
Perfo
rman
ce S
ectio
n w
ithin
the
Assu
ranc
e an
d B
usin
ess
Serv
ices
Bra
nch
that
pro
vide
s su
ppor
t to
oper
atio
nal a
reas
on
man
agin
g th
eir r
isks
. Th
e de
partm
ent o
pera
tes
and
mai
ntai
ns a
n en
terp
rise-
wid
e ris
k m
anag
emen
t sys
tem
s to
ass
ist i
n m
anag
ing
its
risks
—R
iskA
ctiv
e. T
he s
yste
m is
mat
ure
and
prov
ides
the
depa
rtmen
t with
the
capa
bilit
y to
reco
rd, m
anag
e an
d re
port
on ri
sks,
risk
trea
tmen
ts, r
isk
even
ts a
nd ri
sk p
lan
owne
rs.
Dep
artm
ent o
f Em
ploy
men
t
Elem
ent 9
: Doe
s Em
ploy
men
t rev
iew
its
risks
, its
risk
man
agem
ent f
ram
ewor
k an
d th
e ap
plic
atio
n of
its
risk
man
agem
ent p
ract
ices
on
a re
gula
r ba
sis,
and
impl
emen
t im
prov
emen
ts a
risin
g ou
t of s
uch
revi
ews?
M
et
The
fram
ewor
k ha
s be
en u
pdat
ed a
t lea
st a
nnua
lly—
in J
uly
2014
, Feb
ruar
y 20
15, a
nd S
epte
mbe
r 201
6.
Empl
oym
ent’s
Ris
k an
d Im
plem
enta
tion
Com
mitt
ee (E
RIC
) rev
iew
ed th
e de
partm
ent’s
stra
tegi
c ris
ks a
t lea
st
quar
terly
and
risk
pla
n ow
ners
wer
e re
quire
d to
revi
ew ri
sks
on a
regu
lar b
asis
. ER
IC re
ceiv
ed re
gula
r rep
orts
on
the
depa
rtmen
t’s ri
sk p
rofil
e an
d on
whe
ther
risk
pla
n ow
ners
and
trea
tmen
t ow
ners
wer
e m
eetin
g th
eir
resp
onsi
bilit
ies.
Fo
llow
ing
a 20
16 re
view
of g
over
nanc
e co
mm
ittee
s, E
RIC
was
dis
band
ed in
Dec
embe
r 201
6 an
d th
e Fi
nanc
e an
d Bu
sine
ss S
ervi
ces
Com
mitt
ee (F
ABS)
was
giv
en re
spon
sibi
lity
to a
dvis
e th
e Se
cret
ary
on: r
isks
iden
tifie
d in
rela
tion
to th
e de
partm
ent’s
abi
lity
to m
eet i
ts b
usin
ess
goal
s, a
s pe
r the
Ris
k M
anag
emen
t Fra
mew
ork;
and
w
ork
to im
prov
e th
e de
partm
ent’s
risk
and
pol
icy
fram
ewor
k, a
nd le
ad th
e ap
plic
atio
n of
risk
man
agem
ent
acro
ss th
e de
partm
ent.
At it
s m
eetin
g in
Mar
ch 2
017,
the
FAB
S: n
oted
that
the
depa
rtmen
t’s E
xecu
tive
had
parti
cipa
ted
in a
wor
ksho
p to
revi
ew e
ntity
stra
tegi
c ris
ks in
Feb
ruar
y 20
17; a
nd c
onsi
dere
d an
ent
ity-le
vel r
isk
mon
itorin
g re
port.
The
FAB
S te
rms
of re
fere
nce
requ
ire it
to re
port
to th
e Ex
ecut
ive
on a
qua
rterly
bas
is a
nd
stat
e th
at th
e co
-cha
irs w
ill pr
ovid
e an
ora
l upd
ate
to th
e Ex
ecut
ive
as n
eede
d.
Dep
artm
ent o
f Hea
lth
Polic
y el
emen
ts
AN
AO
ass
essm
ent
Elem
ent 1
: Has
Hea
lth e
stab
lishe
d an
d m
aint
aine
d an
ent
ity-s
peci
fic ri
sk m
anag
emen
t pol
icy
that
:
a) d
efin
es th
e en
tity’
s ap
proa
ch to
the
man
agem
ent o
f ris
k an
d ho
w th
is
appr
oach
sup
ports
its
stra
tegi
c pl
ans
and
obje
ctiv
es
Met
H
ealth
’s 2
014
risk
man
agem
ent p
olic
y ou
tline
s th
e de
partm
ent’s
ove
rall
appr
oach
to ri
sk m
anag
emen
t.
Hea
lth is
sued
a re
vise
d de
partm
enta
l ris
k m
anag
emen
t pol
icy
and
fram
ewor
k in
Oct
ober
201
4, th
ree
mon
ths
afte
r the
rele
ase
of th
e C
omm
onw
ealth
Pol
icy.
The
dep
artm
ent’s
201
4 ris
k m
anag
emen
t pol
icy
stat
es th
at th
e po
licy
shou
ld b
e re
view
ed a
nd u
pdat
ed a
nnua
lly. I
n D
ecem
ber 2
016,
Hea
lth re
leas
ed a
new
risk
app
etite
fo
llow
ing
exte
nsiv
e in
tern
al c
onsu
ltatio
n.
b) d
efin
es th
e en
tity’
s ris
k ap
petit
e an
d ris
k to
lera
nce
Met
In
Dec
embe
r 201
6, H
ealth
issu
ed a
n up
date
d en
terp
rise
risk
appe
tite
stat
emen
t tha
t det
aile
d ap
proa
ch to
the
depa
rtmen
t’s o
vera
ll ris
k ap
petit
e an
d to
lera
nce
in th
e m
anag
emen
t of r
isks
.
c) c
onta
ins
an o
utlin
e of
key
ac
coun
tabi
litie
s an
d re
spon
sibi
litie
s fo
r man
agin
g an
d im
plem
entin
g th
e en
tity’
s ris
k m
anag
emen
t fra
mew
ork
Met
H
ealth
’s ri
sk m
anag
emen
t pol
icy
outli
nes
the
assi
gned
key
role
s an
d re
spon
sibi
litie
s fo
r the
gov
erna
nce
of ri
sk.
d) i
s en
dors
ed b
y th
e en
tity’
s ac
coun
tabl
e au
thor
ity.
Mos
tly m
et
The
risk
man
agem
ent p
olic
y an
d fra
mew
ork
wer
e en
dors
ed b
y th
e Fi
nanc
e, R
isk
and
Secu
rity
Com
mitt
ee,
whi
ch is
cha
ired
by a
Dep
uty
Sec
reta
ry. T
he C
omm
ittee
is a
sub
-com
mitt
ee o
f the
dep
artm
ent’s
exe
cutiv
e co
mm
ittee
, cha
ired
by th
e Se
cret
ary.
It w
as n
ot e
vide
nt th
at th
e 20
14 p
olic
y w
as e
ndor
sed
by th
e S
ecre
tary
; ho
wev
er, t
he D
ecem
ber 2
016
risk
appe
tite
stat
emen
t was
end
orse
d by
the
Secr
etar
y.
Elem
ent 2
: Has
Hea
lth e
stab
lishe
d a
risk
man
agem
ent f
ram
ewor
k w
hich
incl
udes
:
a) t
he o
vera
rchi
ng ri
sk m
anag
emen
t po
licy
(Ele
men
t 1)
Met
Se
e co
mm
ents
rega
rdin
g E
lem
ent 1
(a).
b) a
n ov
ervi
ew o
f the
ent
ity’s
app
roac
h to
man
agin
g ris
k M
et
Hea
lth e
ncou
rage
s st
aff t
o en
gage
with
, und
erst
and
and
appr
opria
tely
man
age
its ri
sks.
Spe
cific
ally
, the
de
partm
ent s
eeks
to e
ngag
e w
ith h
ighe
r lev
els
of ri
sk a
nd lo
ok fo
r inn
ovat
ion,
in re
latio
n to
its
polic
y de
velo
pmen
t and
del
iver
y ou
tcom
es w
here
the
pote
ntia
l rew
ards
may
pro
vide
impr
ovem
ents
to th
e he
alth
and
w
ell-b
eing
of t
he A
ustra
lian
publ
ic.
Dep
artm
ent o
f Hea
lth
c) h
ow th
e en
tity
will
repo
rt ris
ks to
bot
h in
tern
al a
nd e
xter
nal s
take
hold
ers
Mos
tly m
et
Hea
lth’s
risk
man
agem
ent f
ram
ewor
k w
as d
evel
oped
with
ext
ensi
ve in
tern
al c
onsu
ltatio
n, in
clud
ing
with
the
audi
t com
mitt
ee. T
he fr
amew
ork
does
not
exp
licitl
y ou
tline
arr
ange
men
ts fo
r com
mun
icat
ing,
con
sulti
ng a
nd
repo
rting
abo
ut ri
sk w
ith in
tern
al a
nd e
xter
nal s
take
hold
ers.
Hea
lth a
dvis
ed th
e A
NAO
that
in p
ract
ice
cons
ulta
tion
on ri
sk o
ccur
s as
par
t of i
ts ro
utin
e co
nsul
tatio
n an
d in
tera
ctio
n w
ith e
xter
nal s
take
hold
ers
and
othe
r Com
mon
wea
lth e
ntiti
es.
d) t
he a
ttrib
utes
of t
he ri
sk m
anag
emen
t cu
lture
that
the
entit
y se
eks
to
deve
lop,
and
the
mec
hani
sms
empl
oyed
to e
ncou
rage
this
Met
Th
e po
licy
lists
lead
ersh
ip, c
omm
unic
atio
n, in
tegr
atio
n an
d re
spon
sibi
lity
as b
eing
the
key
driv
ers
of a
pos
itive
ris
k cu
lture
.
e) a
n ov
ervi
ew o
f the
ent
ity’s
app
roac
h to
em
bedd
ing
risk
man
agem
ent i
nto
its e
xist
ing
busi
ness
pro
cess
es
Mos
tly m
et
The
polic
y st
ates
that
‘Ris
k m
anag
emen
t is
an e
ssen
tial e
lem
ent o
f sou
nd b
usin
ess
plan
ning
, cha
nge
man
agem
ent a
nd d
ecis
ion
mak
ing
in th
e de
partm
ent’.
The
pol
icy
coul
d be
mor
e ex
plic
it ab
out h
ow th
is w
ill be
ac
hiev
ed.
f) ho
w th
e en
tity
cont
ribut
es to
m
anag
ing
any
shar
ed o
r cro
ss
juris
dict
iona
l ris
ks
Mos
tly m
et
Hea
lth’s
risk
man
agem
ent p
olic
y di
scus
ses
the
impo
rtanc
e of
iden
tifyi
ng a
nd m
anag
ing
shar
ed ri
sks.
The
de
partm
ent’s
risk
regi
ster
tem
plat
e in
clud
es a
fiel
d fo
r the
iden
tific
atio
n of
sha
red
risks
and
a n
umbe
r of
Div
isio
nal r
isk
regi
ster
s in
clud
ed a
num
ber o
f sha
red
risks
. Th
ere
was
som
e co
nfus
ion
abou
t the
def
initi
on o
f sha
red
risk.
Som
e of
the
risks
iden
tifie
d as
sha
red
risks
wer
e ris
ks th
at w
ere
shar
ed w
ith o
ther
are
as o
f the
dep
artm
ent.
Ther
e is
no
guid
ance
on
man
agin
g sh
ared
risk
s an
d no
form
al re
porti
ng o
f sha
red
risks
. The
dep
artm
ent w
as n
ot a
ble
to d
emon
stra
te h
ow s
hare
d ris
ks h
ave
been
m
anag
ed, o
nce
they
wer
e id
entif
ied
in R
isk
Man
agem
ent P
lans
.
g) t
he a
ppro
ach
for m
easu
ring
risk
man
agem
ent p
erfo
rman
ce
Met
Th
e po
licy
stat
es th
at p
erfo
rman
ce w
ill be
mea
sure
d by
the
annu
al C
omco
ver b
ench
mar
king
sur
vey.
C
onsi
dera
tion
coul
d al
so b
e gi
ven
to o
ther
mec
hani
sms
for m
easu
ring
risk
man
agem
ent p
erfo
rman
ce, s
uch
as
the
deve
lopm
ent o
f key
per
form
ance
indi
cato
rs a
nd th
e co
nduc
t of s
urve
ys th
at a
ddre
ss ri
sk c
ultu
re.
h) h
ow th
e ris
k m
anag
emen
t fra
mew
ork
and
entit
y ris
k pr
ofile
will
be
perio
dica
lly re
view
ed a
nd im
prov
ed.
Met
Th
e fra
mew
ork
outli
nes
how
the
fram
ewor
k w
ill b
e re
view
ed.
i) Th
e ris
k m
anag
emen
t fra
mew
ork
is
endo
rsed
by
the
entit
y’s
acco
unta
ble
auth
ority
.
Mos
tly m
et
See
com
men
ts re
gard
ing
Ele
men
t 1 (d
).
Dep
artm
ent o
f Hea
lth
Elem
ent 3
: Has
the
acco
unta
ble
auth
ority
of H
ealth
def
ined
the
resp
onsi
bilit
y fo
r man
agin
g ris
k, b
y:
a) d
efin
ing
who
is re
spon
sibl
e fo
r de
term
inin
g th
e en
tity’
s ap
petit
e an
d to
lera
nce
for r
isk
Met
Th
e po
licy
stat
es th
at H
ealth
’s m
anag
emen
t and
gov
erna
nce
com
mitt
ees
are
requ
ired
to a
rticu
late
the
risk
appe
tite
for i
ncre
asin
g ris
k an
d ris
k bo
unda
ries.
b) a
lloca
ting
resp
onsi
bilit
y fo
r im
plem
entin
g th
e en
tity’
s ris
k m
anag
emen
t fra
mew
ork
Mos
tly m
et
The
Ris
k M
anag
emen
t Pol
icy
stat
es th
at th
e O
ffice
of t
he C
hief
Fin
anci
al O
ffice
r is
resp
onsi
ble
for m
anag
ing
and
impl
emen
ting
Hea
lth’s
Ris
k M
anag
emen
t Pol
icy
and
Fram
ewor
k. H
owev
er th
e Fi
nanc
e B
usin
ess
Rul
es
stat
e th
at th
e In
tegr
ity B
ranc
h is
resp
onsi
ble
for t
his
role
.
c) d
efin
ing
entit
y ro
les
and
resp
onsi
bilit
ies
in m
anag
ing
indi
vidu
al ri
sks.
Met
Th
e ris
k m
anag
emen
t pol
icy
outli
nes
resp
onsi
bilit
ies
for r
isk
man
agem
ent.
Elem
ent 4
: Has
Hea
lth e
nsur
ed th
at th
e sy
stem
atic
man
agem
ent o
f ris
k is
em
bedd
ed in
key
bus
ines
s pr
oces
ses?
M
ostly
met
Ke
y ris
ks w
ere
regu
larly
con
side
red
by H
ealth
’s e
xecu
tive
com
mitt
ee in
its
cons
ider
atio
n of
spe
cific
de
partm
enta
l stra
tegi
es a
nd p
lans
, and
the
thre
e op
erat
iona
l div
isio
ns e
xam
ined
by
the
ANAO
had
est
ablis
hed
a ra
nge
of lo
cal m
echa
nism
s to
mon
itor,
repo
rt on
and
man
age
risk.
Hea
lth’s
201
5 re
view
of r
isk
man
agem
ent
prac
tices
obs
erve
d th
at th
e m
anag
emen
t of r
isk
acro
ss th
e de
partm
ent w
as m
ore
likel
y to
be
deal
t with
ap
prop
riate
ly w
here
ther
e w
as a
stro
ng le
gisl
ativ
e re
quire
men
t, as
in th
e re
gula
tory
wor
k of
the
Offi
ce o
f the
G
ene
Tech
nolo
gy R
egul
ator
, and
less
so
in th
e op
erat
iona
l are
as.
Dep
artm
ent o
f Hea
lth
Elem
ent 5
: Doe
s H
ealth
’s ri
sk m
anag
emen
t fra
mew
ork
supp
ort t
he d
evel
opm
ent o
f a p
ositi
ve ri
sk c
ultu
re?
M
ostly
met
To
ass
ess
the
sele
cted
ent
ities
’ im
plem
enta
tion
of th
e ov
erar
chin
g go
al o
f the
Com
mon
wea
lth P
olic
y an
d its
po
licy
elem
ent f
ive—
deve
lopi
ng a
pos
itive
risk
cul
ture
—th
e AN
AO h
ad re
gard
to: e
ntiti
es’ i
mpl
emen
tatio
n of
the
Com
mon
wea
lth P
olic
y re
quire
men
ts; r
isk
man
agem
ent i
n a
sele
ctio
n of
bus
ines
s ac
tiviti
es in
eac
h en
tity;
and
th
e co
nsid
erat
ion
of ri
sk b
y se
nior
lead
ers.
H
ealth
met
10
and
mos
tly m
et 1
0 of
the
requ
irem
ents
(tot
al 2
0/22
or 9
1 pe
r cen
t).
The
ANAO
’s re
view
of a
sel
ectio
n of
bus
ines
s ac
tiviti
es (s
ee fo
otno
te 3
7) in
dica
tes
that
risk
man
agem
ent
info
rms
norm
al b
usin
ess
oper
atio
ns in
the
sele
cted
ent
ities
. Ris
k w
as c
onsi
dere
d w
hen
key
busi
ness
dec
isio
ns
wer
e m
ade
or a
dvic
e w
as p
rovi
ded
to s
enio
r man
agem
ent o
r gov
ernm
ent b
y th
e ar
eas
sele
cted
for r
evie
w.
Key
risks
wer
e re
gula
rly c
onsi
dere
d by
Hea
lth’s
exe
cutiv
e co
mm
ittee
in it
s co
nsid
erat
ion
of s
peci
fic
depa
rtmen
tal s
trate
gies
and
pla
ns. T
here
is s
cope
for a
mor
e st
ruct
ured
app
roac
h to
repo
rting
on
and
revi
ewin
g en
terp
rise-
leve
l ris
ks a
nd th
e st
atus
of r
isk
cont
rols
and
trea
tmen
ts. T
he th
ree
oper
atio
nal d
ivis
ions
ex
amin
ed b
y th
e AN
AO h
ad e
stab
lishe
d a
rang
e of
loca
l mec
hani
sms
to m
onito
r, re
port
on a
nd m
anag
e ris
k.
Elem
ent 6
: Has
Hea
lth im
plem
ente
d ar
rang
emen
ts to
com
mun
icat
e an
d co
nsul
t abo
ut ri
sk in
a ti
mel
y an
d ef
fect
ive
man
ner t
o bo
th in
tern
al a
nd
exte
rnal
sta
keho
lder
s?
M
ostly
met
Th
e H
ealth
Cap
abili
ty P
rogr
am w
as in
itiat
ed in
ear
ly 2
015
to a
ddre
ss th
e fin
ding
s of
the
2014
Hea
lth C
apab
ility
Rev
iew
, inc
ludi
ng th
e ne
ed to
fost
er a
cul
ture
that
app
ropr
iate
ly e
mbr
aces
and
man
ages
risk
s w
ithin
def
ined
to
lera
nces
. The
cap
abili
ty p
rogr
am c
ondu
cted
ext
ensi
ve in
tern
al c
onsu
ltatio
ns, i
nclu
ding
eng
agem
ent w
ith o
ver
1000
sta
ff th
roug
h th
e Se
nior
Man
agem
ent F
orum
(SE
S fo
rum
), a
serie
s of
exe
cutiv
e le
ader
ship
foru
ms
(EL
Foru
ms)
and
ove
r 30
focu
s gr
oups
. H
ealth
has
rece
ntly
intro
duce
d a
new
sta
keho
lder
man
agem
ent s
yste
m E
ngag
e fo
r the
iden
tific
atio
n an
d re
porti
ng o
f ris
ks. A
rran
gem
ents
for r
epor
ting
on ri
sk to
ext
erna
l sta
keho
lder
s ar
e un
clea
r.
Hea
lth a
dvis
ed th
e AN
AO th
at in
pra
ctic
e co
nsul
tatio
n on
risk
occ
urs
as p
art o
f the
rout
ine
cons
ulta
tion
and
inte
ract
ion
with
ext
erna
l sta
keho
lder
s an
d ot
her C
omm
onw
ealth
ent
ities
.
Dep
artm
ent o
f Hea
lth
Elem
ent 7
: Has
Hea
lth im
plem
ente
d ar
rang
emen
ts to
und
erst
and
and
cont
ribut
e to
the
man
agem
ent o
f sha
red
risks
?
Pa
rtly
met
Hea
lth’s
risk
man
agem
ent p
olic
y de
fines
sha
red
risks
and
the
depa
rtmen
t’s ri
sk re
gist
er te
mpl
ates
mak
e pr
ovis
ion
for r
ecor
ding
them
. The
AN
AO’s
revi
ew id
entif
ied
that
som
e of
the
assi
gned
sha
red
risks
wer
e in
tra-
entit
y—su
ch a
s ris
ks s
hare
d w
ith o
ther
are
as o
f the
dep
artm
ent—
whe
reas
the
Com
mon
wea
lth P
olic
y de
fines
a
shar
ed ri
sk a
s on
e ex
tend
ing
beyo
nd th
e en
tity.
See
als
o co
mm
ents
rega
rdin
g El
emen
t 2(f)
.
Elem
ent 8
: Has
Hea
lth m
aint
aine
d an
app
ropr
iate
leve
l of c
apab
ility
to b
oth
impl
emen
t the
ent
ity’s
risk
man
agem
ent f
ram
ewor
k an
d m
anag
e its
ris
ks?
M
ostly
met
H
ealth
’s ri
sk-re
late
d in
trane
t pag
e co
ntai
ns g
uida
nce,
FAQ
she
ets
and
cont
act d
etai
ls fo
r the
cor
pora
te ri
sk te
am.
As p
art o
f the
pro
gres
sive
enh
ance
men
t of t
he d
epar
tmen
t’s ri
sk m
anag
emen
t fra
mew
ork,
a R
isk
Tool
Kit
is b
eing
de
velo
ped
but h
ad n
ot b
een
final
ised
at t
he ti
me
of th
e au
dit.
All s
taff
can
acce
ss a
risk
man
agem
ent e
-lear
ning
mod
ule,
or a
ttend
two
heal
th-s
peci
fic fa
ce-to
-face
trai
ning
se
ssio
ns, w
hich
are
enc
oura
ged
thro
ugh
indi
vidu
al p
erfo
rman
ce d
evel
opm
ent p
lans
. The
e-le
arni
ng m
odul
e w
as
intro
duce
d in
Jan
uary
201
7, b
ut th
ere
has
been
lim
ited
upta
ke o
f the
se tr
aini
ng s
essi
ons,
and
as
at A
pril
2017
ap
prox
imat
ely
0.01
per
cen
t of H
ealth
em
ploy
ees
had
atte
nded
spe
cific
risk
man
agem
ent t
rain
ing.
H
ealth
sta
ff ca
n ac
cess
Ris
k M
anag
emen
t tra
inin
g in
oth
er c
ours
es, f
or e
xam
ple
the
APSC
Pro
cure
men
t and
C
ontra
cts
Man
agem
ent T
rain
ing.
Hea
lth a
lso
enco
urag
es S
ES to
atte
nd th
e C
omco
ver R
isk
Wor
ksho
ps, a
nd h
as
also
hel
d a
varie
ty o
f wor
ksho
ps fo
r SES
and
EL2
sta
ff on
risk
, con
trols
and
sha
red
risk
in 2
016
and
2017
. A
risk
regi
ster
tem
plat
e is
ava
ilabl
e to
div
isio
ns a
nd 2
0 of
the
21 d
ivis
ions
hav
e es
tabl
ishe
d a
risk
regi
ster
. At t
he
time
of th
e au
dit t
his
tem
plat
e ha
d no
t bee
n up
date
d to
refle
ct th
e ris
k ca
tego
ries
outli
ned
in th
e ne
w R
isk
Appe
tite
stat
emen
t. U
ntil
late
in 2
016
ther
e w
as li
ttle
or n
o co
rpor
ate
revi
ew o
r ove
rsig
ht o
f div
isio
nal r
isk
regi
ster
s an
d th
ere
wer
e no
arra
ngem
ents
in p
lace
for t
he d
epar
tmen
t’s E
xecu
tive
to b
e as
sure
d th
at ri
sk re
gist
ers
are
com
plet
e an
d up
-to-d
ate.
Th
e de
partm
ent h
as s
taff
reso
urce
s de
dica
ted
to ri
sk m
anag
emen
t of 3
.2 A
SL in
its
Ris
k an
d Bu
sine
ss A
ssur
ance
Se
ctio
n. T
here
is a
lso
a de
dica
ted
risk
man
agem
ent m
ailb
ox.
Dep
artm
ent o
f Hea
lth
Elem
ent 9
: Doe
s H
ealth
revi
ew it
s ris
ks, i
ts ri
sk m
anag
emen
t fra
mew
ork
and
the
appl
icat
ion
of it
s ris
k m
anag
emen
t pra
ctic
es o
n a
regu
lar b
asis
, an
d im
plem
ent i
mpr
ovem
ents
aris
ing
out o
f suc
h re
view
s?
Pa
rtly
met
Th
e cu
rrent
risk
man
agem
ent p
olic
y w
as a
ppro
ved
in O
ctob
er 2
014.
An
upda
ted
risk
appe
tite
stat
emen
t was
re
leas
ed in
Dec
embe
r 201
6. A
revi
sed
risk
man
agem
ent p
olic
y ha
d be
en d
rafte
d at
the
time
of th
is a
udit
but h
ad
yet t
o be
app
rove
d an
d is
sued
. The
re is
no
cons
olid
ated
repo
rting
to th
e de
partm
ent’s
exe
cutiv
e on
the
stat
e of
th
e de
partm
ent’s
risk
pro
file
and
risks
. Th
e R
isk
and
Busi
ness
Ass
uran
ce s
ectio
n co
mm
ence
d a
revi
ew o
f all
divi
sion
al ri
sk re
gist
ers
as a
qua
lity
assu
ranc
e pr
ojec
t in
late
201
6. P
rior t
o th
is in
itiat
ive,
the
sect
ion
had
very
littl
e vi
sibi
lity
of d
ivis
iona
l ris
k re
gist
ers
and
risk
man
agem
ent p
ract
ices
. Hea
lth a
dvis
ed th
e AN
AO in
Apr
il 20
17 th
at th
e re
view
was
com
plet
ed in
Fe
brua
ry 2
017.
Hea
lth p
rovi
ded
an u
pdat
e to
the
ANAO
in J
une
2017
that
the
Exec
utiv
e C
omm
ittee
was
pro
vide
d w
ith a
repo
rt on
risk
mat
urity
acr
oss
the
depa
rtmen
t, an
d as
sign
ed re
spon
sibi
lity
for t
he s
trate
gic
risks
to
indi
vidu
als.
Al
l div
isio
ns a
re re
quire
d to
cre
ate
and
upda
te ri
sk re
gist
ers,
to id
entif
y an
d as
sess
risk
s an
d as
sign
re
spon
sibi
litie
s fo
r man
agin
g ris
ks. M
ost d
ivis
ions
hav
e es
tabl
ishe
d th
ese
regi
ster
s, b
ut it
was
not
evi
dent
that
the
regi
ster
s w
ere
revi
ewed
qua
rterly
, as
requ
ired
by H
ealth
’s R
isk
Man
agem
ent P
olic
y, o
r tha
t the
regi
ster
s w
ere
used
to a
ctiv
ely
man
age
risks
with
in e
ach
divi
sion
. Fou
r div
isio
ns h
ad n
ot e
stab
lishe
d a
risk
regi
ster
at t
he ti
me
of
this
aud
it.
In J
une
2016
the
Exec
utiv
e C
omm
ittee
was
adv
ised
that
it w
as in
tend
ed th
at e
ach
divi
sion
dev
elop
a ri
sk
regi
ster
, and
that
all
regi
ster
s w
ould
be
colla
ted
into
an
Ente
rpris
e R
isk
Prof
ile a
nd re
porte
d to
the
Exec
utiv
e C
omm
ittee
. At t
he ti
me
of th
is a
udit
this
repo
rting
had
not
com
men
ced.
At
the
time
of th
e au
dit,
ther
e w
as li
mite
d m
anag
emen
t rep
ortin
g to
the
exec
utiv
e co
mm
ittee
on
the
stat
us o
f en
terp
rise-
leve
l ris
ks, a
s pa
rt of
a s
truct
ured
pro
cess
of r
egul
ar re
view
of e
nter
pris
e-le
vel r
isks
, con
trols
and
tre
atm
ents
. Th
e de
partm
ent d
oes
not s
yste
mat
ical
ly re
cord
and
ana
lyse
inci
dent
s an
d ris
k ev
ents
to in
form
any
revi
ew o
f ris
k pr
actic
es a
nd th
e ris
k fra
mew
ork.
Sta
ff re
spon
sibl
e fo
r man
agin
g gr
ants
are
requ
ired
to m
aint
ain
a re
cord
of
risk
eve
nts
and
to e
scal
ate
high
risk
s im
med
iate
ly.
One
of t
he a
ims
of th
e H
ealth
Cap
abilit
y Pr
ogra
m is
to d
evel
op a
com
mon
und
erst
andi
ng a
nd a
ppro
ach
to
reco
gnis
ing
and
man
agin
g ris
k. A
t the
tim
e of
this
aud
it, th
e ris
k-re
late
d as
pect
of t
he P
rogr
am re
mai
ned
a w
ork
in p
rogr
ess.
Aust
ralia
n C
omm
unic
atio
ns a
nd M
edia
Aut
horit
y (A
CM
A)
Polic
y el
emen
ts
AN
AO
ass
essm
ent
Elem
ent 1
: Has
AC
MA
est
ablis
hed
and
mai
ntai
ned
an e
ntity
-spe
cific
risk
man
agem
ent p
olic
y th
at:
a) d
efin
es th
e en
tity’
s ap
proa
ch to
the
man
agem
ent o
f ris
k an
d ho
w th
is
appr
oach
sup
ports
its
stra
tegi
c pl
ans
and
obje
ctiv
es
Mos
tly m
et
ACM
A is
sued
a re
vise
d ris
k m
anag
emen
t gui
de a
nd m
anag
emen
t ins
truct
ion
in J
uly
2015
, 12
mon
ths
afte
r th
e re
leas
e of
the
Com
mon
wea
lth P
olic
y.
ACM
A’s
risk
man
agem
ent g
uide
out
lines
the
Auth
ority
’s o
vera
ll ap
proa
ch to
risk
man
agem
ent,
but i
s lim
ited
to d
efin
ition
s of
con
cept
s an
d ge
neric
sta
tem
ents
in a
ccor
danc
e w
ith A
S/N
ZS IS
O 3
1000
:200
9 R
isk
Man
agem
ent P
rinci
ples
. It p
rovi
des
a hi
gh-le
vel d
escr
iptio
n of
risk
man
agem
ent b
ut li
mite
d pr
actic
al
guid
ance
on
how
sta
ff sh
ould
man
age
risk.
b) d
efin
es th
e en
tity’
s ris
k ap
petit
e an
d ris
k to
lera
nce
Part
ly m
et
In J
uly
2015
, AC
MA
issu
ed a
risk
tole
ranc
e st
atem
ent b
ut d
id n
ot d
efin
e its
risk
app
etite
sta
tem
ent.
AC
MA’
s ris
k to
lera
nce
is d
escr
ibed
as
bein
g ‘a
s lo
w a
s re
ason
ably
pra
ctic
able
’ (AL
ARP)
. AC
MA
was
not
ab
le to
dem
onst
rate
to th
e AN
AO h
ow th
e AL
ARP
appr
oach
was
use
d in
pra
ctic
e. F
urth
er, A
CM
A do
es n
ot
prov
ide
any
guid
ance
on
asse
ssin
g th
e co
st-b
enef
its o
f ris
k m
itiga
tion
activ
ities
, a re
quire
men
t of t
he A
LAR
P ap
proa
ch.
c) c
onta
ins
an o
utlin
e of
key
ac
coun
tabi
litie
s an
d re
spon
sibi
litie
s fo
r m
anag
ing
and
impl
emen
ting
the
entit
y’s
risk
man
agem
ent f
ram
ewor
k
Met
AC
MA’
s ris
k m
anag
emen
t gui
de o
utlin
es th
e as
sign
ed k
ey ro
les
and
resp
onsi
bilit
ies
for t
he g
over
nanc
e of
risk
.
d) i
s en
dors
ed b
y th
e en
tity’
s ac
coun
tabl
e au
thor
ity.
Mos
tly m
et
The
Cha
ir of
AC
MA
endo
rsed
the
risk
man
agem
ent i
nstru
ctio
n, a
nd th
e G
over
nanc
e an
d S
ecur
ity M
anag
er
auth
oris
ed th
e ris
k m
anag
emen
t gui
de.
Elem
ent 2
: Has
AC
MA
est
ablis
hed
a ris
k m
anag
emen
t fra
mew
ork
whi
ch in
clud
es:
a) t
he o
vera
rchi
ng ri
sk m
anag
emen
t pol
icy
(Ele
men
t 1)
Mos
tly M
et
See
com
men
ts re
gard
ing
Ele
men
t 1 (a
).
b) a
n ov
ervi
ew o
f the
ent
ity’s
app
roac
h to
m
anag
ing
risk
Met
AC
MA’
s ris
k m
anag
emen
t gui
de o
utlin
es th
e Au
thor
ity’s
ove
rall
appr
oach
to ri
sk m
anag
emen
t.
ACM
A’s
risk
man
agem
ent g
uide
and
inst
ruct
ion
also
refe
r to
the
resp
onsi
bilit
ies
of th
e Ac
coun
tabl
e Au
thor
ity, t
he A
udit
and
Ris
k C
omm
ittee
and
the
Gov
erna
nce
and
Secu
rity
Man
ager
for m
anag
ing
risks
.
Aust
ralia
n C
omm
unic
atio
ns a
nd M
edia
Aut
horit
y (A
CM
A)
c) h
ow th
e en
tity
will
repo
rt ris
ks to
bot
h in
tern
al a
nd e
xter
nal s
take
hold
ers
Part
ly m
et
ACM
A’s
risk
man
agem
ent f
ram
ewor
k w
as d
evel
oped
with
ext
ensi
ve in
tern
al c
onsu
ltatio
n, in
clud
ing
with
the
audi
t com
mitt
ee. T
he fr
amew
ork
does
not
exp
licitl
y ou
tline
arr
ange
men
ts fo
r com
mun
icat
ing,
con
sulti
ng a
nd
repo
rting
abo
ut ri
sk w
ith in
tern
al s
take
hold
ers.
The
inte
rnal
repo
rting
of r
isks
is d
iscu
ssed
in b
road
term
s in
th
e G
uide
. The
Gui
de d
oes
not o
utlin
e ho
w A
CM
A in
tend
s to
con
sult
or re
port
on ri
sks
to e
ither
inte
rnal
or
exte
rnal
sta
keho
lder
s.
d) t
he a
ttrib
utes
of t
he ri
sk m
anag
emen
t cu
lture
that
the
entit
y se
eks
to d
evel
op,
and
the
mec
hani
sms
empl
oyed
to
enco
urag
e th
is
Part
ly m
et
ACM
A’s
risk
man
agem
ent g
uide
sta
tes
that
“the
Age
ncy
striv
es to
hav
e a
robu
stly
stru
ctur
ed ri
sk
man
agem
ent c
ultu
re”,
and
if a
pers
on’s
wor
k se
amle
ssly
con
side
rs ri
sk, o
r ris
k m
anag
emen
t is
inte
grat
ed
into
day
-to-d
ay a
ctiv
ities
, the
n a
heal
thy
risk
man
agem
ent c
ultu
re e
xist
s.
ACM
A co
uld
outli
ne in
mor
e de
tail
the
attri
bute
s of
the
risk
man
agem
ent c
ultu
re th
at it
see
ks to
dev
elop
.
e) a
n ov
ervi
ew o
f the
ent
ity’s
app
roac
h to
em
bedd
ing
risk
man
agem
ent i
nto
its
exis
ting
busi
ness
pro
cess
es
Met
AC
MA’
s ris
k m
anag
emen
t gui
de s
ets
out a
risk
man
agem
ent f
ram
ewor
k an
d ris
k m
anag
emen
t pro
cess
es,
incl
udin
g a
set o
f ins
truct
ions
to a
ssis
t sta
ff to
iden
tify,
doc
umen
t and
ass
ess
risk
with
in th
e st
ated
tole
ranc
e le
vels
. AC
MA
’s ri
sk m
anag
emen
t gui
danc
e pr
ovid
es a
hig
h-le
vel d
escr
iptio
n of
risk
man
agem
ent,
but l
imite
d pr
actic
al g
uida
nce
on h
ow s
taff
shou
ld m
anag
e ris
k. T
hat s
aid,
tem
plat
es a
re p
rovi
ded
to th
e di
visi
ons
and
supp
ort i
s pr
ovid
ed w
hen
requ
ired
to a
ssis
t with
the
risk
man
agem
ent p
roce
ss.
f) ho
w th
e en
tity
cont
ribut
es to
man
agin
g an
y sh
ared
or c
ross
juris
dict
iona
l ris
ks
Not
met
AC
MA
does
not
refe
r to
shar
ed ri
sk in
its
risk
guid
ance
and
inst
ruct
ion,
and
ther
e is
no
expl
anat
ion
of h
ow
shar
ed ri
sks
shou
ld b
e id
entif
ied
and
man
aged
.
g) t
he a
ppro
ach
for m
easu
ring
risk
man
agem
ent p
erfo
rman
ce
Part
ly m
et
The
perfo
rman
ce s
ectio
n of
the
guid
e is
gen
eric
in n
atur
e, a
nd a
s su
ch d
oes
not s
peci
fical
ly re
late
to
mea
surin
g pe
rform
ance
of r
isk
at A
CM
A.
The
guid
e st
ates
that
: ris
k tre
atm
ent p
lans
sho
uld
incl
ude
perfo
rman
ce m
easu
res;
miti
gatio
n m
easu
res
shou
ld b
e m
easu
red
for e
ffect
iven
ess;
and
hig
her l
evel
org
anis
atio
nal p
erfo
rman
ce in
dica
tors
and
mea
sure
s sh
ould
be
used
to ju
dge
the
perfo
rman
ce o
f ris
k m
anag
emen
t.
h) h
ow th
e ris
k m
anag
emen
t fra
mew
ork
and
entit
y ris
k pr
ofile
will
be
perio
dica
lly
revi
ewed
and
impr
oved
.
Mos
tly m
et
ACM
A’s
2015
risk
man
agem
ent g
uida
nce
stat
es th
at th
e po
licy
shou
ld b
e re
view
ed a
nd u
pdat
ed a
nnua
lly.
The
guid
e w
as d
ue to
be
revi
ewed
in th
e se
cond
hal
f of 2
016.
AC
MA
advi
sed
the
ANAO
that
it h
as d
ecid
ed
to a
wai
t the
out
com
es o
f thi
s au
dit b
efor
e fin
alis
ing
its re
view
.
Aust
ralia
n C
omm
unic
atio
ns a
nd M
edia
Aut
horit
y (A
CM
A)
i) Th
e ris
k m
anag
emen
t fra
mew
ork
is
endo
rsed
by
the
entit
y’s
acco
unta
ble
auth
ority
.
Mos
tly m
et
See
com
men
ts re
gard
ing
Ele
men
t 1 (d
).
Elem
ent 3
: Has
the
acco
unta
ble
auth
ority
of A
CM
A d
efin
ed th
e re
spon
sibi
lity
for m
anag
ing
risk,
by:
a) d
efin
ing
who
is re
spon
sibl
e fo
r de
term
inin
g th
e en
tity’
s ap
petit
e an
d to
lera
nce
for r
isk
Mos
tly m
et
Ther
e is
a b
road
sta
tem
ent i
n AC
MA’
s ris
k m
anag
emen
t gui
de o
f the
Acc
ount
able
Aut
horit
y’s
resp
onsi
bilit
ies,
but
the
stat
emen
t doe
s no
t exp
licitl
y de
fine
who
is re
spon
sibl
e fo
r det
erm
inin
g th
e ris
k ap
petit
e an
d to
lera
nce.
b) a
lloca
ting
resp
onsi
bilit
y fo
r im
plem
entin
g th
e en
tity’
s ris
k m
anag
emen
t fra
mew
ork
Met
AC
MA’
s G
over
nanc
e an
d S
ecur
ity M
anag
er is
resp
onsi
ble
for t
he d
ay-to
-day
mai
nten
ance
and
pro
mot
ion
of
ACM
A’s
risk
man
agem
ent f
ram
ewor
k. A
CM
A ha
ve re
cent
ly e
ngag
ed a
Ris
k M
anag
er.
c) d
efin
ing
entit
y ro
les
and
resp
onsi
bilit
ies
in m
anag
ing
indi
vidu
al ri
sks
Met
Th
e G
uide
out
lines
resp
onsi
bilit
ies
for s
trate
gic,
Div
isio
nal a
nd p
rogr
am/p
roje
ct ri
sks.
The
Gui
de a
lso
stat
es
that
risk
s ne
ed to
be
allo
cate
d to
a ri
sk o
wne
r, to
ens
ure
ther
e is
acc
ount
abili
ty fo
r, an
d ow
ners
hip
of, t
he
risks
.
Elem
ent 4
: Has
AC
MA
ens
ured
that
the
syst
emat
ic m
anag
emen
t of r
isk
is e
mbe
dded
in k
ey b
usin
ess
proc
esse
s?
M
et
ACM
A’s
key
risks
wer
e re
view
ed q
uarte
rly b
y th
e se
nior
exe
cutiv
e as
par
t of a
regu
lar c
ycle
. Sta
ff w
ere
able
to
sho
w th
at a
n as
sess
men
t of r
isk
info
rmed
loca
l dec
isio
n m
akin
g pr
oces
ses,
and
that
risk
con
vers
atio
ns a
t th
e se
nior
and
mid
dle
man
agem
ent l
evel
s to
ok p
lace
. At a
n op
erat
iona
l lev
el, d
eleg
atio
ns fo
r dec
isio
n m
akin
g re
latin
g to
bro
adca
stin
g an
d da
taca
stin
g in
vest
igat
ions
are
bas
ed o
n th
e as
sess
ed le
vel o
f ris
k of
ea
ch in
vest
igat
ion.
Aust
ralia
n C
omm
unic
atio
ns a
nd M
edia
Aut
horit
y (A
CM
A)
Elem
ent 5
: Doe
s A
CM
A’s
risk
man
agem
ent f
ram
ewor
k su
ppor
t the
dev
elop
men
t of a
pos
itive
risk
cul
ture
?
M
ostly
met
To
ass
ess
the
sele
cted
ent
ities
’ im
plem
enta
tion
of th
e ov
erar
chin
g go
al o
f the
Com
mon
wea
lth P
olic
y an
d its
po
licy
elem
ent f
ive—
deve
lopi
ng a
pos
itive
risk
cul
ture
—th
e AN
AO h
ad re
gard
to: e
ntiti
es’ i
mpl
emen
tatio
n of
th
e C
omm
onw
ealth
Pol
icy
requ
irem
ents
; ris
k m
anag
emen
t in
a se
lect
ion
of b
usin
ess
activ
ities
in e
ach
entit
y;
and
the
cons
ider
atio
n of
risk
by
seni
or le
ader
s.
ACM
A m
et s
ix a
nd m
ostly
met
10
of th
e re
quire
men
ts (t
otal
16/
22 o
r 73
per c
ent).
Th
e AN
AO’s
revi
ew o
f a s
elec
tion
of b
usin
ess
activ
ities
(see
foot
note
37)
indi
cate
s th
at ri
sk m
anag
emen
t in
form
s no
rmal
bus
ines
s op
erat
ions
in th
e se
lect
ed e
ntiti
es. R
isk
was
con
side
red
whe
n ke
y bu
sine
ss d
ecis
ions
w
ere
mad
e or
adv
ice
was
pro
vide
d to
sen
ior m
anag
emen
t or g
over
nmen
t by
the
area
s se
lect
ed fo
r rev
iew
.
The
risk
man
agem
ent f
ram
ewor
k an
d ke
y ris
ks w
ere
regu
larly
con
side
red
at s
enio
r lev
els
(see
com
men
ts
rega
rdin
g El
emen
t 4 a
bove
).
Elem
ent 6
: Has
AC
MA
impl
emen
ted
arra
ngem
ents
to c
omm
unic
ate
and
cons
ult a
bout
risk
in a
tim
ely
and
effe
ctiv
e m
anne
r to
both
inte
rnal
and
ex
tern
al s
take
hold
ers?
M
ostly
met
ACM
A ha
s: ri
sk m
anag
emen
t gui
danc
e av
aila
ble
on it
s In
trane
t; pr
ovid
es a
ssis
tanc
e on
risk
man
agem
ent
thro
ugh
a de
dica
ted
Ris
k O
ffice
r; an
d m
anag
emen
t rep
ortin
g ar
rang
emen
ts th
at re
info
rce
the
impo
rtanc
e of
ris
k m
anag
emen
t.
ACM
A’s
Audi
t and
Ris
k C
omm
ittee
rece
ives
qua
rterly
upd
ates
on
the
risk
man
agem
ent f
ram
ewor
k, in
clud
ing
new
and
em
ergi
ng ri
sks.
ACM
A di
d no
t com
mun
icat
e or
con
sult
with
its
exte
rnal
sta
keho
lder
s in
the
deve
lopm
ent o
f its
risk
fra
mew
ork
but t
he A
NAO
was
adv
ised
that
risk
is ro
utin
ely
disc
usse
d w
ith e
xter
nal s
take
hold
ers
and
othe
r en
titie
s in
the
cond
uct o
f its
regu
lato
ry a
ctiv
ities
. AC
MA
was
abl
e to
pro
vide
exa
mpl
es w
here
pro
ject
s an
d is
sues
wer
e di
scus
sed
betw
een
ACM
A an
d D
efen
ce, a
nd b
etw
een
ACM
A an
d th
e D
epar
tmen
t of F
inan
ce.
Elem
ent 7
: Has
AC
MA
impl
emen
ted
arra
ngem
ents
to u
nder
stan
d an
d co
ntrib
ute
to th
e m
anag
emen
t of s
hare
d ris
ks?
Pa
rtly
met
AC
MA
does
not
refe
r to
shar
ed ri
sk in
its
risk
guid
ance
and
inst
ruct
ion,
and
ther
e is
no
expl
anat
ion
of h
ow
shar
ed ri
sks
shou
ld b
e id
entif
ied
and
man
aged
. In
prac
tice,
AC
MA
and
its p
ortfo
lio d
epar
tmen
t hav
e cr
eate
d a
shar
ed ri
sk re
gist
er fo
r the
ir jo
int s
teer
ing
com
mitt
ee. A
CM
A ad
vise
d th
e AN
AO th
at a
rran
gem
ents
for
iden
tifyi
ng a
nd m
anag
ing
shar
ed ri
sks
will
be
deve
lope
d as
par
t of a
pla
nned
revi
ew o
f the
risk
fram
ewor
k.
Aust
ralia
n C
omm
unic
atio
ns a
nd M
edia
Aut
horit
y (A
CM
A)
Elem
ent 8
: Has
AC
MA
mai
ntai
ned
an a
ppro
pria
te le
vel o
f cap
abili
ty to
bot
h im
plem
ent t
he e
ntity
’s ri
sk m
anag
emen
t fra
mew
ork
and
man
age
its
risks
?
M
ostly
met
AC
MA
has
deve
lope
d ris
k te
mpl
ates
and
gui
danc
e to
ass
ist s
taff
in th
e m
anag
emen
t of r
isks
. AC
MA
also
ha
s a
varie
ty o
f tra
inin
g m
ater
ial a
vaila
ble
to s
taff.
As
at 1
4 D
ecem
ber 2
016,
79
per c
ent o
f AC
MA
empl
oyee
s ha
d co
mpl
eted
the
com
puls
ory
risk
man
agem
ent e
-lear
ning
mod
ule.
AC
MA
has
rece
ntly
hire
d a
Ris
k O
ffice
r, an
d fil
led
the
posi
tion
of M
anag
er, G
over
nanc
e an
d Se
curit
y w
hich
has
resp
onsi
bilit
y fo
r ris
k at
a
corp
orat
e le
vel.
Elem
ent 9
: Doe
s AC
MA
revi
ew it
s ris
ks, i
ts ri
sk m
anag
emen
t fra
mew
ork
and
the
appl
icat
ion
of it
s ris
k m
anag
emen
t pra
ctic
es o
n a
regu
lar b
asis
, an
d im
plem
ent i
mpr
ovem
ents
aris
ing
out o
f suc
h re
view
s?
M
ostly
met
AC
MA’
s ris
k re
gist
ers
are
revi
ewed
and
upd
ated
eve
ry q
uarte
r. D
ivis
ion
man
ager
s pr
ovid
e a
writ
ten
conf
irmat
ion
to th
e Ex
ecut
ive
Gro
up c
onfir
min
g th
at th
e re
gist
ers
have
bee
n re
view
ed, a
nd th
at th
e co
ntro
ls
are
adeq
uate
and
ope
ratio
nal.
In a
dditi
on, t
he ri
sk o
ffice
r rev
iew
s th
e ac
tive
cont
rols
in th
e ris
k re
gist
ers
and
advi
ses
each
div
isio
n ho
w to
mak
e im
prov
emen
ts.
The
mor
e tim
ely
revi
ew a
nd u
pdat
ing
of A
CM
A’s
risk
man
agem
ent f
ram
ewor
k w
ould
pro
vide
con
sist
ent
corp
orat
e m
essa
ging
on
AC
MA
’s a
ppet
ite fo
r, an
d m
anag
emen
t of,
risk.
The
re is
als
o sc
ope
for r
isk
even
ts
and
inci
dent
s to
be
reco
rded
and
ana
lyse
d. T
his
coul
d be
con
side
red
as p
art o
f the
revi
ew o
f ris
k m
anag
emen
t pra
ctic
es.
ACM
A’s
Gui
de a
nd In
stru
ctio
n w
ere
due
to b
e re
view
ed in
Jul
y 20
16, b
ut th
is h
ad n
ot o
ccur
red
at th
e tim
e of
th
e au
dit.
See
com
men
ts re
gard
ing
Elem
ent 2
(h).
Aust
ralia
n Fi
sher
ies
Man
agem
ent A
utho
rity
(AFM
A)
Polic
y el
emen
ts
AN
AO
ass
essm
ent
Elem
ent 1
: Has
AFM
A e
stab
lishe
d an
d m
aint
aine
d an
ent
ity-s
peci
fic ri
sk m
anag
emen
t pol
icy
that
:
a) d
efin
es th
e en
tity’
s ap
proa
ch to
the
man
agem
ent o
f ris
k an
d ho
w th
is
appr
oach
sup
ports
its
stra
tegi
c pl
ans
and
obje
ctiv
es
Met
AFM
A’s
2016
risk
man
agem
ent p
olic
y ou
tline
s th
e Au
thor
ity’s
ove
rall
appr
oach
to ri
sk m
anag
emen
t. AF
MA
issu
ed a
revi
sed
risk
man
agem
ent f
ram
ewor
k in
Feb
ruar
y 20
15 s
even
mon
ths
afte
r the
rele
ase
of
the
Com
mon
wea
lth P
olic
y. T
he a
utho
rity
rele
ased
an
upda
ted
risk
man
agem
ent p
olic
y, w
hich
incl
uded
a
risk
appe
tite
stat
emen
t, in
Nov
embe
r 201
6. A
FMA
issu
ed ri
sk m
anag
emen
t ope
ratio
nal g
uide
lines
in
Febr
uary
201
7.
b) d
efin
es th
e en
tity’
s ris
k ap
petit
e an
d ris
k to
lera
nce
Met
In
Nov
embe
r 201
6, A
FMA
issu
ed a
n en
terp
rise
risk
appe
tite
and
tole
ranc
e st
atem
ent t
hat d
etai
led
the
Auth
ority
’s o
vera
ll ris
k ap
petit
e an
d to
lera
nce
in th
e m
anag
emen
t of r
isks
in a
num
ber o
f key
risk
are
as.
c) c
onta
ins
an o
utlin
e of
key
ac
coun
tabi
litie
s an
d re
spon
sibi
litie
s fo
r m
anag
ing
and
impl
emen
ting
the
entit
y’s
risk
man
agem
ent f
ram
ewor
k
Met
AF
MA’
s ris
k m
anag
emen
t pol
icy
outli
nes
the
assi
gned
key
role
s an
d re
spon
sibi
litie
s fo
r the
gov
erna
nce
of
risk.
The
pol
icy
inco
rpor
ates
a ta
ble
that
link
s co
rpor
ate
goal
s to
risk
are
as a
nd th
e Au
thor
ity’s
risk
m
anag
emen
t res
pons
e.
d) i
s en
dors
ed b
y th
e en
tity’
s ac
coun
tabl
e au
thor
ity.
Met
Th
e N
ovem
ber 2
016
risk
man
agem
ent p
olic
y an
d Fe
brua
ry 2
107
risk
man
agem
ent g
uide
lines
wer
e en
dors
ed b
y th
e C
hief
Exe
cutiv
e.
Elem
ent 2
: Has
AFM
A e
stab
lishe
d a
risk
man
agem
ent f
ram
ewor
k w
hich
incl
udes
:
a) t
he o
vera
rchi
ng ri
sk m
anag
emen
t pol
icy
(Ele
men
t 1)
Met
Se
e co
mm
ents
rega
rdin
g E
lem
ent 1
(a).
b) a
n ov
ervi
ew o
f the
ent
ity’s
app
roac
h to
m
anag
ing
risk
Met
Th
e ris
k m
anag
emen
t fra
mew
ork
refe
rs to
the
risk
man
agem
ent p
olic
y an
d gu
idel
ines
whi
ch o
utlin
e th
e Au
thor
ity’s
app
roac
h to
the
man
agem
ent o
f ris
k, in
clud
ing
key
role
s an
d re
spon
sibi
litie
s in
man
agin
g ris
ks,
inte
rnal
(but
not
ext
erna
l) co
nsul
tatio
n ar
rang
emen
ts, a
nd a
rran
gem
ents
for m
onito
ring
the
perfo
rman
ce o
f st
aff i
n ris
k m
anag
emen
t act
iviti
es.
Aust
ralia
n Fi
sher
ies
Man
agem
ent A
utho
rity
(AFM
A)
c) h
ow th
e en
tity
will
repo
rt ris
ks to
bot
h in
tern
al a
nd e
xter
nal s
take
hold
ers
Part
ly m
et
AFM
A’s
risk
man
agem
ent g
uide
lines
add
ress
inte
rnal
and
ext
erna
l con
sulta
tion
arra
ngem
ents
, as
an in
put
to a
n or
gani
satio
nal r
isk
regi
ster
that
sup
ports
the
inte
rnal
repo
rting
of r
isks
to th
e C
EO, C
omm
issi
on a
nd
the
Audi
t and
Ris
k C
omm
ittee
. The
se a
rran
gem
ents
had
not
bee
n im
plem
ente
d at
the
time
of th
is a
udit,
an
d an
ent
erpr
ise-
leve
l ris
k re
gist
er h
ad y
et to
be
crea
ted.
Th
e gu
idel
ines
do
not r
efer
to a
rran
gem
ents
for r
epor
ting
risks
to e
xter
nal s
take
hold
ers.
d) t
he a
ttrib
utes
of t
he ri
sk m
anag
emen
t cu
lture
that
the
entit
y se
eks
to d
evel
op,
and
the
mec
hani
sms
empl
oyed
to
enco
urag
e th
is
Part
ly m
et
The
polic
y an
d gu
idel
ines
do
not s
peci
fical
ly o
utlin
e th
e at
tribu
tes
of a
risk
man
agem
ent c
ultu
re th
at th
e Au
thor
ity s
eeks
to d
evel
op. T
he ri
sk m
anag
emen
t pol
icy
outli
nes
arra
ngem
ents
for s
taff-
dire
cted
as
sess
men
ts to
be
unde
rtake
n an
d fo
r rev
iew
s of
risk
s an
d tre
atm
ents
out
lined
in p
ositi
on d
escr
iptio
ns to
be
und
erta
ken
ever
y 12
mon
ths.
The
fram
ewor
k an
d po
licy
do n
ot o
ther
wis
e de
scrib
e th
e m
echa
nism
s fo
r en
cour
agin
g th
e ac
hiev
emen
t of a
risk
man
agem
ent c
ultu
re.
e) a
n ov
ervi
ew o
f the
ent
ity’s
app
roac
h to
em
bedd
ing
risk
man
agem
ent i
nto
its
exis
ting
busi
ness
pro
cess
es
Met
Th
e gu
idel
ines
out
line
the
proc
edur
es fo
r ide
ntify
ing,
ana
lysi
ng a
nd tr
eatin
g ris
k; s
et o
ut th
e A
utho
rity’
s ex
pect
atio
ns th
at a
ll st
aff h
ave
an a
war
enes
s of
, and
be
enga
ged
with
, man
agin
g ris
ks, i
nclu
ding
trai
ning
, st
aff-d
irect
ed a
sses
smen
ts, a
nd re
porti
ng a
rran
gem
ents
and
resp
onsi
bilit
ies.
f) ho
w th
e en
tity
cont
ribut
es to
man
agin
g an
y sh
ared
or c
ross
juris
dict
iona
l ris
ks
Met
AF
MA’
s Fe
brua
ry 2
017
risk
man
agem
ent g
uide
lines
add
ress
ed th
e is
sue
of e
stab
lishi
ng s
hare
d ris
ks
thro
ugh
exte
rnal
con
sulta
tion
proc
esse
s:
Ext
erna
l con
sulta
tion
will
est
ablis
h sh
ared
risk
s th
roug
h en
gage
men
t with
oth
er C
omm
onw
ealth
age
ncie
s,
cros
s-ju
risdi
ctio
nal e
ntiti
es, i
ndus
try a
nd in
tere
st g
roup
s. O
nce
ever
y 12
mon
ths
AFM
A’s
Ris
k M
anag
er w
ill
enga
ge w
ith e
xter
nal s
take
hold
ers
to e
stab
lish
the
regi
ster
of s
hare
d ris
ks a
nd re
port
the
findi
ngs
to th
e A
udit
and
Ris
k C
omm
ittee
and
the
AFM
A C
omm
issi
on.
g) t
he a
ppro
ach
for m
easu
ring
risk
man
agem
ent p
erfo
rman
ce
Part
ly m
et
The
polic
y an
d gu
idel
ines
indi
cate
that
man
ager
s an
d se
nior
man
ager
s sh
ould
mon
itor t
he p
erfo
rman
ce o
f st
aff i
n ris
k m
anag
emen
t act
iviti
es, i
nclu
ding
the
mai
nten
ance
of c
ontro
ls, i
mpl
emen
tatio
n of
new
trea
tmen
ts
and
the
iden
tific
atio
n of
new
risk
s. T
here
is, h
owev
er, n
o ex
plic
it ap
proa
ch o
utlin
ed fo
r mea
surin
g ris
k m
anag
emen
t per
form
ance
. AF
MA
advi
sed
that
it h
as re
lied
on C
omco
ver’s
ann
ual b
ench
mar
king
sur
vey
and
rene
wal
que
stio
nnai
re o
n ris
k m
anag
emen
t pro
cess
es to
ass
ess
risk
man
agem
ent p
erfo
rman
ce.
Aust
ralia
n Fi
sher
ies
Man
agem
ent A
utho
rity
(AFM
A)
h) h
ow th
e ris
k m
anag
emen
t fra
mew
ork
and
entit
y ris
k pr
ofile
will
be
perio
dica
lly
revi
ewed
and
impr
oved
.
Met
AF
MA’
s N
ovem
ber 2
016
risk
man
agem
ent p
olic
y st
ates
that
the
Ris
k M
anag
er is
resp
onsi
ble
for t
he
ongo
ing
mai
nten
ance
of r
isk
regi
ster
s an
d re
porti
ng to
the
CEO
, AFM
A C
omm
issi
on, R
isk
Man
agem
ent
Com
mitt
ee a
nd th
e Au
dit a
nd R
isk
Com
mitt
ee. T
he p
olic
y an
d gu
idel
ines
task
the
Ris
k M
anag
emen
t C
omm
ittee
with
resp
onsi
bilit
y fo
r rev
iew
ing
AFM
A’s
risk
man
agem
ent f
ram
ewor
k on
ce e
ach
year
, inc
ludi
ng
the
risk
regi
ster
and
risk
man
agem
ent p
lans
. The
se a
rran
gem
ents
wer
e no
t ful
ly im
plem
ente
d at
the
time
of
this
aud
it.
i) Th
e ris
k m
anag
emen
t fra
mew
ork
is
endo
rsed
by
the
entit
y’s
acco
unta
ble
auth
ority
.
Met
Se
e co
mm
ents
rega
rdin
g E
lem
ent 1
(d).
Elem
ent 3
: Has
the
acco
unta
ble
auth
ority
of A
FMA
def
ined
the
resp
onsi
bilit
y fo
r man
agin
g ris
k, b
y:
a) d
efin
ing
who
is re
spon
sibl
e fo
r de
term
inin
g th
e en
tity’
s ap
petit
e an
d to
lera
nce
for r
isk
Met
AF
MA’
s N
ovem
ber 2
016
risk
man
agem
ent p
olic
y st
ates
that
the
Chi
ef E
xecu
tive
is re
spon
sibl
e fo
r ap
prov
ing
the
Auth
ority
’s ri
sk a
ppet
ite a
nd to
lera
nce
as p
art o
f app
rovi
ng th
e R
isk
Man
agem
ent P
olic
y.
b) a
lloca
ting
resp
onsi
bilit
y fo
r im
plem
entin
g th
e en
tity’
s ris
k m
anag
emen
t fra
mew
ork
Met
Th
e C
EO h
as e
stab
lishe
d a
risk
man
agem
ent c
omm
ittee
with
spe
cifie
d re
spon
sibi
litie
s. T
he ri
sk
man
agem
ent c
omm
ittee
is in
tend
ed to
pro
vide
an
intra
-ent
ity p
ersp
ectiv
e, re
view
the
risk
man
agem
ent
fram
ewor
k on
ce e
ach
year
and
mon
itor a
dher
ence
of s
taff
to th
e gu
idel
ines
. The
risk
man
ager
is
resp
onsi
ble
for m
aint
enan
ce o
f the
org
anis
atio
nal r
isk
regi
ster
and
coo
rdin
atio
n of
repo
rting
to th
e Ex
ecut
ive
and
audi
t and
risk
com
mitt
ee.
c) d
efin
ing
entit
y ro
les
and
resp
onsi
bilit
ies
in m
anag
ing
indi
vidu
al ri
sks.
M
et
AFM
A gu
idan
ce o
utlin
es ro
les
and
resp
onsi
bilit
ies
for m
anag
ing
risks
. The
re is
sco
pe to
revi
ew A
FMA
’s
cons
olid
ated
risk
regi
ster
, whi
ch is
use
d to
col
late
risk
s fro
m a
cros
s th
e en
tity,
as
the
maj
ority
of r
isks
in th
e re
gist
er w
ere
assi
gned
to a
wor
k ar
ea ra
ther
than
an
indi
vidu
al o
r pos
ition
and
in s
ome
case
s ce
rtain
risk
s w
ere
not a
ssig
ned.
Aust
ralia
n Fi
sher
ies
Man
agem
ent A
utho
rity
(AFM
A)
Elem
ent 4
: Has
AFM
A e
nsur
ed th
at th
e sy
stem
atic
man
agem
ent o
f ris
k is
em
bedd
ed in
key
bus
ines
s pr
oces
ses?
M
ostly
met
Su
stai
nabi
lity
risks
wer
e re
gula
rly c
onsi
dere
d by
the
AFM
A C
omm
issi
on in
its
cons
ider
atio
n of
spe
cific
fis
herie
s m
anag
emen
t stra
tegi
es a
nd p
lans
. Ava
ilabl
e re
cord
s in
dica
ted
that
the
oper
atio
nal b
ranc
h se
lect
ed fo
r rev
iew
had
pro
duce
d a
rang
e of
risk
ass
essm
ents
and
gui
danc
e on
risk
man
agem
ent.
Ther
e is
sc
ope
for a
mor
e st
ruct
ured
app
roac
h to
repo
rting
on
and
revi
ewin
g en
terp
rise-
leve
l ris
ks, c
ontro
ls a
nd
treat
men
ts.
Elem
ent 5
: Doe
s A
FMA’
s ris
k m
anag
emen
t fra
mew
ork
supp
ort t
he d
evel
opm
ent o
f a p
ositi
ve ri
sk c
ultu
re?
Pa
rtly
met
To
ass
ess
the
sele
cted
ent
ities
’ im
plem
enta
tion
of th
e ov
erar
chin
g go
al o
f the
Com
mon
wea
lth P
olic
y an
d its
po
licy
elem
ent f
ive—
deve
lopi
ng a
pos
itive
risk
cul
ture
—th
e AN
AO h
ad re
gard
to: e
ntiti
es’ i
mpl
emen
tatio
n of
th
e C
omm
onw
ealth
Pol
icy
requ
irem
ents
; ris
k m
anag
emen
t in
a se
lect
ion
of b
usin
ess
activ
ities
in e
ach
entit
y;
and
the
cons
ider
atio
n of
risk
by
seni
or le
ader
s.
AFM
A m
et 1
3 an
d m
ostly
met
two
of th
e re
quire
men
ts (t
otal
15/
22 o
r 68
per c
ent).
Th
e AN
AO’s
revi
ew o
f a s
elec
tion
of b
usin
ess
activ
ities
(see
foot
note
37)
indi
cate
s th
at ri
sk m
anag
emen
t in
form
s no
rmal
bus
ines
s op
erat
ions
in th
e se
lect
ed e
ntiti
es. R
isk
was
con
side
red
whe
n ke
y bu
sine
ss
deci
sion
s w
ere
mad
e or
adv
ice
was
pro
vide
d to
sen
ior m
anag
emen
t or g
over
nmen
t by
the
area
s se
lect
ed
for r
evie
w. F
or e
xam
ple,
the
Fish
erie
s M
anag
emen
t Bra
nch
had
risk
man
agem
ent p
ract
ices
em
bedd
ed a
s pa
rt of
its
core
dec
isio
n m
akin
g pr
oces
ses
unde
r the
Eco
logi
cal R
isk
Man
agem
ent F
ram
ewor
k.
The
risk
man
agem
ent f
ram
ewor
k an
d ke
y ris
ks w
ere
regu
larly
con
side
red
at s
enio
r lev
els
(see
com
men
ts
rega
rdin
g El
emen
t 4 a
bove
).
Aust
ralia
n Fi
sher
ies
Man
agem
ent A
utho
rity
(AFM
A)
Elem
ent 6
: Has
AFM
A im
plem
ente
d ar
rang
emen
ts to
com
mun
icat
e an
d co
nsul
t abo
ut ri
sk in
a ti
mel
y an
d ef
fect
ive
man
ner t
o bo
th in
tern
al a
nd
exte
rnal
sta
keho
lder
s?
M
ostly
met
The
deve
lopm
ent o
f the
risk
pol
icy
and
guid
elin
es in
volv
ed c
onsu
ltatio
n w
ith s
enio
r man
agem
ent,
the
Audi
t C
omm
ittee
and
the
Com
mis
sion
, whi
ch c
ompr
omis
es s
ix e
xter
nal m
embe
rs. T
he d
evel
opm
ent o
f the
pol
icy,
in
clud
ing
the
risk
appe
tite
and
tole
ranc
e, d
id n
ot in
volv
e co
nsul
tatio
n w
ith o
ther
ext
erna
l sta
keho
lder
s.
The
cons
ulta
tion
arra
ngem
ents
out
lined
in th
e po
licy
and
guid
elin
es h
ad n
ot b
een
fully
impl
emen
ted
at th
e tim
e of
the
audi
t.
The
Fish
erie
s M
anag
emen
t Bra
nch
risk
asse
ssm
ent p
roce
sses
incl
ude
com
mun
icat
ing
and
cons
ultin
g w
ith
reso
urce
ass
essm
ent g
roup
s, te
chni
cal s
uppo
rt gr
oups
and
man
agem
ent a
dvis
ory
com
mitt
ees.
The
se g
roup
s an
d co
mm
ittee
s ar
e co
mpr
ised
of r
epre
sent
ativ
es fr
om th
e sc
ient
ific
com
mun
ity a
nd s
take
hold
er g
roup
s.
Elem
ent 7
: Has
AFM
A im
plem
ente
d ar
rang
emen
ts to
und
erst
and
and
cont
ribut
e to
the
man
agem
ent o
f sha
red
risks
?
Pa
rtly
met
AFM
A is
in th
e ea
rly s
tage
s of
impl
emen
ting
its ri
sk g
uide
lines
and
its
appr
oach
to e
xter
nal c
onsu
ltatio
n an
d sh
ared
risk
s. A
FMA
’s F
ebru
ary
2017
risk
man
agem
ent g
uide
lines
add
ress
ed th
e is
sue
of e
stab
lishi
ng
shar
ed ri
sks
thro
ugh
exte
rnal
con
sulta
tion
proc
esse
s:
Ext
erna
l con
sulta
tion
will
est
ablis
h sh
ared
risk
s th
roug
h en
gage
men
t with
oth
er C
omm
onw
ealth
age
ncie
s,
cros
s-ju
risdi
ctio
nal e
ntiti
es, i
ndus
try a
nd in
tere
st g
roup
s. O
nce
ever
y 12
mon
ths
AFM
A’s
Ris
k M
anag
er w
ill
enga
ge w
ith e
xter
nal s
take
hold
ers
to e
stab
lish
the
regi
ster
of s
hare
d ris
ks a
nd re
port
the
findi
ngs
to th
e A
udit
and
Ris
k C
omm
ittee
and
the
AFM
A C
omm
issi
on.
Thes
e ar
rang
emen
ts w
ere
not i
mpl
emen
ted
and
no s
hare
d ris
ks h
ad b
een
iden
tifie
d at
the
time
of th
is
audi
t.
Aust
ralia
n Fi
sher
ies
Man
agem
ent A
utho
rity
(AFM
A)
Elem
ent 8
: Has
AFM
A m
aint
aine
d an
app
ropr
iate
leve
l of c
apab
ility
to b
oth
impl
emen
t the
ent
ity’s
risk
man
agem
ent f
ram
ewor
k an
d m
anag
e its
ris
ks?
Pa
rtly
met
R
isk
man
agem
ent g
uida
nce
avai
labl
e on
AFM
A’s
Intra
net w
as m
inim
al a
nd n
ot u
p to
dat
e. O
ther
risk
-re
late
d gu
idan
ce a
vaila
ble
on th
e In
trane
t foc
usse
d on
pro
ject
man
agem
ent,
and
did
not i
nclu
de g
uida
nce
for b
usin
ess
as u
sual
act
iviti
es. P
roje
ct m
anag
emen
t tem
plat
es, i
nclu
ding
a re
gist
er, w
ere
avai
labl
e to
id
entif
y, m
onito
r and
repo
rt on
pro
ject
risk
s.
AFM
A do
es n
ot h
ave
form
al le
arni
ng a
nd d
evel
opm
ent p
rogr
ams
in ri
sk m
anag
emen
t for
sta
ff. T
he A
NAO
w
as a
dvis
ed b
y AF
MA
that
wor
k ha
d co
mm
ence
d to
impl
emen
t a tr
aini
ng p
acka
ge fo
r sta
ff on
the
Pub
lic
Gov
erna
nce,
Per
form
ance
and
Acc
ount
abili
ty (P
GP
A) A
ct 2
013,
incl
udin
g a
risk
man
agem
ent m
odul
e.
Elem
ent 9
: Doe
s AF
MA
revi
ew it
s ris
ks, i
ts ri
sk m
anag
emen
t fra
mew
ork
and
the
appl
icat
ion
of it
s ris
k m
anag
emen
t pra
ctic
es o
n a
regu
lar b
asis
, an
d im
plem
ent i
mpr
ovem
ents
aris
ing
out o
f suc
h re
view
s?
Pa
rtly
met
AF
MA
cond
ucte
d a
revi
ew o
f its
risk
man
agem
ent f
ram
ewor
k in
Jun
e 20
15 b
ut w
as s
low
in a
ddre
ssin
g th
e fin
ding
s an
d re
com
men
datio
ns o
f the
revi
ew. T
he c
onso
lidat
ed ri
sk re
gist
er b
ecam
e no
n-op
erat
iona
l, re
sulti
ng
in a
lack
of r
ecor
ding
, rep
ortin
g an
d re
view
of r
isks
at a
cor
pora
te a
nd s
trate
gic
leve
l. Th
e ris
k m
anag
emen
t co
mm
ittee
resp
onsi
ble
for o
vers
ight
and
revi
ew o
f the
fram
ewor
k di
d no
t mee
t for
ove
r tw
o ye
ars
and
reco
nven
ed fo
r the
firs
t tim
e in
Dec
embe
r 201
6.
With
rega
rd to
the
Fish
erie
s M
anag
emen
t Bra
nch,
the
Ecol
ogic
al R
isk
Man
agem
ent G
uide
was
bei
ng re
vise
d du
ring
2016
in re
spon
se to
a re
view
that
was
con
duct
ed b
etw
een
2012
and
201
4. A
FMA
advi
sed
the
ANAO
in
June
201
7 th
at th
e re
vise
d G
uide
was
app
rove
d by
the
Com
mis
sion
in M
arch
201
7.
At th
e tim
e of
the
audi
t, th
ere
was
lim
ited
man
agem
ent r
epor
ting
to th
e C
omm
issi
on o
n th
e st
atus
of
ente
rpris
e-le
vel r
isks
, as
part
of a
stru
ctur
ed p
roce
ss o
f reg
ular
revi
ew o
f ent
erpr
ise-
leve
l ris
ks, c
ontro
ls a
nd
treat
men
ts.
Appendix 4 Health’s Enterprise Risk Appetite statement
ANAO Report No.6 2017–18 The Management of Risk by Public Sector Entities 89