The objective of this document is to communicate the ANAO’s risk management framework and the ANAO’s approach to effective risk management with the aim that the implementation of a single framework will contribute to strengthening management practices and decision making associated with the ANAO’s business operations.

ANAO risk management policy statement

Managing risk effectively is critical to the success of the ANAO in meeting its responsibility to provide a professional and independent audit view of the performance and accountability of Australian Government public sector agencies and entities.

The ANAO’s formal Risk Management Policy and Framework is based on adherence to the International Standard on Risk Management, AS/NZS ISO 31000:2009 Risk management — Principles and guidelines. This standard defines risk as ‘the effect of uncertainty on objectives’, which, for the ANAO, is the possibility of an event or activity having an adverse impact to such an extent that it prevents the ANAO from achieving its purpose and outcomes.

The objective of the ANAO’s Risk Management Policy is to communicate the ANAO’s approach to effective risk management and to implement a single framework that will contribute to strong management practices and decision-making associated with the ANAO’s business operations and ultimately contribute to the achievement of the ANAO’s purpose.

Damage to our reputation is the single most important consequence should our risk management fail in a significant way, as it goes to the core of the way we conduct our business and our integrity as a professional audit organisation. This document communicates the ANAO’s approach to risk management, which includes: articulating our risk management policy; defining our risk appetite and risk tolerance; outlining key accountabilities and responsibilities; supporting the integration of risk management into business planning; reviewing and monitoring risk; assessing risk management performance; and developing a positive risk culture where risks are discussed regularly and either accepted or actively managed.

Recognising that the ANAO generally has a low risk appetite regarding its business critical activities, the ANAO will also look to increase its engagement with risk in order to support innovation and a more positive risk management culture within the office.

Effective risk management requires Senior Executives and all ANAO staff to understand the business risks in their area and actively manage those risks as part of their day-to-day activities. All staff have a role in managing risk and therefore it is important that all members of the ANAO are familiar with the ANAO Risk Management Framework.

The ANAO is committed to the effective management of risks and ensuring that sufficient resources are available to manage risks within the organisation. Those allocated responsibility for managing particular risks or being accountable for critical controls must ensure appropriate monitoring and reporting occurs through the ANAO’s existing management reporting and governance framework.

The effective management of risks plays an important role in shaping the ANAO’s strategic direction as outlined in the ANAO Corporate Plan and thereby contributes to evidence-based decision-making and the successful delivery of the ANAO’s purpose.

Grant Hehir

Auditor-General

Glossary

Risk

The effect of uncertainty on objectives. An effect is a deviation from the expected — positive and/or negative. Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances or knowledge) and the associated likelihood of occurrence.

Risk appetite

The amount of risk an entity is willing to accept or retain in order to achieve its objectives. It is a statement or series of statements that describes the entity’s attitude toward risk taking.

Risk assessment

The overall process of risk identification, risk analysis and risk evaluation.

Risk management

The coordinated activities to direct and control an organisation with regard to risk.

Risk tolerance

The levels of risk taking that are acceptable in order to achieve a specific objective or manage a category of risk.

Shared risk

A risk with no single owner, where more than one entity is exposed to or can significantly influence the risk.


ANAO Risk Management Framework 2017-18

Introduction

Section 16(a) of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires that the Accountable Authority of a Commonwealth entity establish and maintain an appropriate system of risk oversight and management for the entity.

The ANAO’s Risk Management Framework has been developed to assist the Auditor-General to meet these responsibilities as well as those outlined in the Commonwealth Risk Management Policy, issued by the Department of Finance, and the International Standard on Risk Management, AS/NZS ISO 31000:2009 Risk management — Principles and guidelines.

The intention of this document is to communicate the ANAO’s Risk Management Framework and the ANAO’s approach to effective risk management with the aim that the implementation of a single framework will contribute to strengthening management practices and decision-making associated with the ANAO’s operations.

The ANAO’s purpose and objective

The purpose of the Australian National Audit Office (ANAO), as outlined in the ANAO’s 2017–18 Corporate Plan, is to improve public sector performance and support accountability and transparency in the Australian Government sector through independent reporting to the Parliament, the Executive and the public.

The objective of the ANAO is to continue to provide independent assurance to the Parliament on the use of public resources and the administration of legislation, with quality evidence-based audit services and independent and unbiased reporting.

Environment and context

Critical to delivering against the ANAO’s purpose is anticipating and responding to changes in a dynamic operating environment. The environment section of the ANAO’s Corporate Plan provides context by setting out key aspects of the ANAO’s operating environment.

Definition of risk and risk management

The Implementing the Commonwealth Risk Management Policy Guidance (Resource Management Guide 211) states that risk is the effect of uncertainty on objectives1 — the possibility of an event or activity preventing an organisation from achieving its outcomes or objectives.

Risk management comprises the activities and actions taken to ensure that an organisation is conscious of the risks it faces, makes coordinated and informed decisions in managing those risks, and identifies potential opportunities.

The benefits of risk management include:

  • improved ability to identify, evaluate, and manage threats and opportunities;
  • improved accountability and better governance;
  • better management of complex and shared risks;
  • improved financial management;
  • improved organisational performance and resilience;
  • confidence to make difficult decisions; and
  • decreased potential for unacceptable or undesirable behaviours such as fraud and harassment.

Objectives of the risk management framework

The purpose and scope of this framework is to:

  • articulate the ANAO’s risk management policy;
  • provide an overview of the risk management processes adopted by the ANAO;
  • define the key attributes and objectives for the ANAO’s risk culture;
  • describe roles and responsibilities for managing risk; and
  • outline the process for reporting on risk and ongoing monitoring and review.

It is not the purpose or scope of this framework to identify and list the treatment of ANAO’s identified strategic or operational risks. The ANAO Risk Register identifies and assesses relevant strategic and operational risks and should be referred to for further details on the identified risks.

Relationship to other ANAO policies

The ANAO takes an integrated approach to managing risk, and the consideration and management of risk forms part of both our operational and audit work. The ANAO Risk Framework and Risk Register are supported by, and were developed having regard to, the following documents:

  • ANAO Audit Manual and Auditing Standards, which includes the Independence Policy;
  • ANAO Quality Framework;
  • ANAO Parliamentary Communication Strategy;
  • ANAO Fraud Control Policy;
  • ANAO Fraud Control Plan (which includes the Fraud Risk Assessment and Fraud Risk Register);
  • ANAO Procurement Policy;
  • ANAO Work Health and Safety Policies;
  • ANAO Protective Security Risk Review; and
  • ANAO Business Continuity Management Planning Guidelines.

Risk management processes adopted by the ANAO

ANAO’s risk identification and treatment process

The ANAO Risk Register outlines and describes the ANAO’s five strategic risks:

  • Loss of confidence by Parliament in the ANAO;
  • ANAO recommendations and findings do not lead to improvements in public sector performance and accountability;
  • The ANAO does not keep pace, in a contestable environment, with reliable, efficient and professional business practices;
  • The ANAO does not achieve the quality standards required to support its work; and
  • The ANAO duplicates effort by not effectively leveraging the data and information it collects.

The ANAO’s strategic risks have been identified and treated through a multi-step process that is based on the guidance contained in the International Standard on Risk Management, ISO 31000:2009 Risk management — Principles and guidelines, and is outlined in Figure 1 below.

Figure 1. Overview of the ANAO’s risk identification and treatment process

The ANAO’s strategic risks are overarching risks and are derived from considerations associated with the ANAO’s purpose, delivery expectations and resource requirements as encompassed within the ANAO’s outcome statement. Appendix A details the link between the ANAO’s business objectives and identification of strategic and operational risks.

Operational risks are risks associated with the ANAO’s business processes. Specific operational risks are identified and treated through the same multi-step process outlined above.

How and when to apply the ANAO’s risk identification and treatment process

If tasked with the performance of a formal risk assessment, the steps and processes outlined in Appendix B should be undertaken. These steps are in line with the risk management process used for the identification and treatment of strategic and operational risks.

The ANAO requires that formal risk assessments be undertaken in all key areas, including:

  • when planning and conducting audits;
  • when assessing specific work health and safety implications or concerns;
  • when conducting significant procurement activities;
  • when undertaking business continuity and disaster recovery planning; and
  • when assessing protective security requirements.

Benefits of applying effective risk management practices

A number of benefits can be achieved through the application of the ANAO’s risk management process to identify, assess and treat risks. A listing of the potential benefits is outlined in Figure 2 below:

Figure 2. Overview of the benefits of effective risk management

The ANAO’s risk appetite and tolerances for different types of risks

The treatment of all ANAO risks should take into account the ANAO’s risk appetite and tolerances for the type of risk. Risk appetite is the amount of risk that the ANAO is willing to accept or retain in order to achieve our objectives. Risk tolerance is the level of risk taking acceptable to the ANAO to achieve a specific objective or manage a category of risk. In general, the ANAO has a low risk appetite when undertaking its core responsibilities. The ANAO’s risks to delivery are managed through processes that emphasise the importance of independence, integrity, intelligent inquiry, maintaining high quality, and public accountability. As outlined in Table 1.1 below, there are some risks where the ANAO has identified an increased willingness to accept risk.

Table 1.1: Risk appetite and tolerances

Key to risk tolerance

Low

Minimising uncertainty is a key organisational objective.

Medium

Willing to engage with some risk to pursue opportunities.

High

Willing to consider all options and increase risk for an acceptable level of reward and value for money.


As part of the ongoing evaluation process of identified risks, it is important to consider the ANAO’s risk tolerance for particular risks along with the consequences and likelihood of such risks before deciding on the treatment for each risk.

Further information on the steps involved in evaluating identified risks is included in Appendix B.

Shared risks

Given the nature of the ANAO’s role in the public sector and the need for the Auditor-General to maintain independence, the ANAO does not usually engage in activities that involve shared inter-entity or cross-jurisdictional risks. The ANAO considers its environment and stakeholders in the assessment and management of risk, but it does not generally jointly or collaboratively manage risks.

An exception is in relation to the ANAO’s capacity-building activities to the Audit Board of the Republic of Indonesia (BPK) and the Auditor-General’s Office of Papua New Guinea (AGO). These activities are managed through a partnership agreement with the Department of Foreign Affairs and Trade (DFAT). The ANAO contributes to strengthening the financial statements audit and performance audit capacity and the joint sharing of auditing knowledge and practice through activities such as the deployment of senior ANAO staff and twinning arrangements. Risks related to these activities are shared with DFAT and managed through regular meetings with DFAT, inter-entity committees, regular advice and updates on any potential security risks to our deployees and DFAT’s engagement of in-country security service providers.

Further, the ANAO engages with other jurisdictions’ Auditors-General on risks in the public sector environment which may impact on the successful delivery of Auditors-General’s mandates. The ANAO will respond to changes in its operating environment (e.g., changes to accounting standards), and the related risks, in a shared way through its participation in associations such as the Australasian Council of Auditors-General (ACAG) and the International Organisation of Supreme Audit Institutions (INTOSAI).

Risk management guidance

The ANAO Risk Management Framework is the primary source of guidance on managing risk in the ANAO. Additional guidance can also be obtained from the ANAO Risk Register and e-learning modules, which can be found on the ANAO intranet and the Commonwealth Risk Management Policy, which is available on the Department of Finance website (www.finance.gov.au).

Risk culture

Attributes of the risk culture the ANAO wishes to adopt

The ANAO aims to foster a positive risk culture. Risk culture refers to the set of shared attitudes, values and behaviours that characterise how an entity considers risk in its day-to-day activities.2 A positive risk culture promotes an open and proactive approach to managing risk that considers both threat and opportunity and is one where risk is appropriately identified, assessed, communicated and managed across all levels of the entity.

Elements that contribute to a strong foundation for effective risk management are illustrated in Appendix C. Collectively these elements establish an approach to risk management that allows for adaptation to changing circumstances and contributes to an environment of ongoing improvement.

Senior management and other identified individuals are responsible for driving the risk culture through initiatives and processes. All senior staff should proactively provide feedback through normal reporting channels on external interactions with key stakeholders regarding areas of potential risk. Every employee also has a role to play in contributing positively to this culture.

It is important that all staff recognise that risk influences the outcome of all work undertaken by the ANAO, and that they understand, accept and manage risk as part of their everyday decision-making.

Figure 3 provides an overview of the attributes of a strong risk culture3, the initiatives undertaken by the ANAO to foster a strong risk culture, and the associated responsibilities of all staff to contribute to this culture.

Figure 3. Attributes of a strong risk culture, and staff responsibilities

How risk management is currently embedded into existing ANAO business processes

The ANAO’s management of risk is designed to be built into business-as-usual practices with the aim of using consistent language, approaches and documentation across all levels of the organisation.

Risks need to be managed in the context of achieving organisational goals and objectives. Consideration should be given to positive aspects of risk management (opportunities) as well as negative ones (threats). While all staff contribute to the way risks are managed, senior staff in key positions are expected to have a clear view of the risk treatment (where applied) and its effectiveness in operation.

The ANAO has adopted an integrated approach to managing risk, whereby risks are considered and assessed at different levels within the organisation. The identification and assessment of risks do not occur in isolation, but require consideration of risks identified and treated at other levels. Any significant risks are to be escalated to ensure that they are appropriately treated and the residual risk reduced to an acceptable level. All risk assessments, including their identification, controls, likelihood, consequence, and residual risk rating, should be documented consistently across the ANAO. Controls embedded within the ANAO’s current business processes are identified as part of the risk evaluation process.

Maintaining a culture of risk awareness

All staff should be familiar with the identified ANAO risks. ANAO staff should remain vigilant, continuously scan the ANAO’s environment for new risks, and be alert to the need to recalibrate previously identified risks, so that the controls in place to reduce each risk to an acceptable level remain adequate and in line with the ANAO’s identified risk appetite and tolerances. In the first instance, staff should raise any suggestions relating to new or identified ANAO risks with their Executive Director.

Fostering innovation

Innovation has been defined as the “creation and implementation of new processes, products, services and methods of delivery which result in significant improvements in the efficiency, effectiveness or quality of outcomes”.4 Risk management is fundamental to the innovation process, as innovation necessarily involves a degree of risk taking. In this respect, risk avoidance is an impediment to innovation and to moving from the present to the future.

The ANAO encourages staff to give due consideration to a range of options beyond a default or safe approach during the application of the ANAO’s risk management processes, particularly as this relates to the conduct of an audit. Where appropriately managed, the introduction of innovation to existing approaches can increase the beneficial outcomes for the organisation as a whole.

Roles and responsibilities

All staff have a general responsibility to bring the key principles outlined in this framework to life and practice active risk management by remaining vigilant to changes in the ANAO’s operating environment that could result in new risks or changes to the ANAO’s exposure to current identified risks.

The Auditor-General, taking into account the advice of the Executive Board of Management (EBOM), approves our Risk Management Framework and Risk Register and determines the ANAO’s appetite and tolerance for risk. The Assurance Audit Services Group (AASG) and Performance Audit Services Group (PASG) (Service Groups), Senior Executives and staff have a role in managing risk and therefore it is important that all members of the ANAO are familiar with the ANAO Risk Management Framework and associated risk register.

Specific responsibilities in relation to risk management are set out below.

  • The Senior Executive Director CMG (SED, CMG), in consultation with the Service Groups and the Professional Services and Relationships Group (PSRG), is responsible for the preparation of the ANAO Risk Register, which involves periodic review of the ANAO risk environment. These tasks will normally be coordinated by the Director, Governance;
  • Group Executive Directors are responsible for the preparation of Service Group risk management assessments, which involves periodic monitoring and review of the Service Group risk environment;
  • Group Executive Directors, signing officers (AASG), Executive Directors (PASG) and Audit Managers are responsible for ensuring that appropriate risk management practice is an integral part of audit program activity;
  • Governance committees are responsible for monitoring assigned risks. These include: the People and Change Committee, IT Strategic Committee, Weekly Operations Committee and Finance Committee; and
  • Staff with key responsibilities such as IT project work, protective security, work health and safety, financial management and business continuity planning are responsible for ensuring that appropriate risk management practice is an integral part of routine business management.

The SED, CMG is also responsible for the coordination of:

  • incorporating risk management into internal staff training programs;
  • periodic updates to risk management guidance online via Audit Central; and
  • regular reviews of the ANAO’s overarching risks, the integration of emerging risks and the issues arising from the identified operational risks.

Internal Audit has a role, in its rolling program of audits, to comment on and provide insights into risk management.

The ANAO Audit Committee also reviews the draft Risk Management Framework and ANAO Risk Register at least annually. In addition, under its Charter, the Audit Committee is responsible for satisfying itself about the systems of risk oversight and management put in place by ANAO management.

Reporting

Strategic and operational risks are monitored and reviewed by the relevant ANAO governance committees.5 These committees report to EBOM on a regular basis through meeting minutes. Risks assessed as “high” or above, or any risk of particular concern to the Auditor-General, are monitored by EBOM and the Audit Committee through reports that provide status updates on those particular identified risks. Reporting to EBOM on the status against the ANAO Corporate Plan initiatives and performance measures, including a summarised strategic risk review and any risks assessed as high, occurs quarterly.

Internal Audit also undertakes a rolling program of audits and provides relevant comments and insights into risk management within their audit reports prepared for the Audit Committee.

Monitoring and review

Monitoring and review process

Risks are to be monitored by all staff, who should feel confident to escalate any perceived risk areas to their SES supervisor for timely consideration by the relevant committees.

EBOM and its sub-committees have a formal role in monitoring risks across the ANAO. Each sub-committee has a standing agenda item to review relevant risks and raise control issues. The results of this process are reported to EBOM. The sub-committees meet on a quarterly basis.6

Significant changes to the ANAO’s exposure to specific or emerging risks should be escalated to the appropriate level of management to ensure that appropriate risk treatments are implemented. This process is supported by ongoing discussions at the Weekly Operational Meetings attended by EBOM members.

An annual review of strategic and operational risks is conducted in consultation with Service Groups and PSRG to ensure that they reflect current business risks. This review is completed in time for promulgation of the ANAO Risk Register by 30 June each year. The ANAO Risk Management Framework and the ANAO Risk Register are to be formally reviewed and approved by EBOM at least once annually, unless circumstances require more frequent review.

Any risks assessed as “high” or above, or of particular concern to the Auditor-General, are to be monitored by EBOM quarterly and advised to the ANAO Audit Committee.

The SED, CMG/Director, Governance, in consultation with Service Groups and Support Branches are to monitor assessed risks in light of business operations to ensure that there are no significant changes to the annual risk analysis. Emerging risks are to be brought to the attention of the Executive.

Assessing risk management performance

The ANAO assesses risk management performance through the regular risk monitoring and review activities (outlined above) and through reviewing the outcomes of our internal audits.

Training

Those with responsibility for coordinating risk management within the ANAO are to be technically competent for their role, either through formal training or experience. It is important that these people maintain their currency through appropriate courses/seminars at least annually. An e-learning module on risk management is also available to ANAO staff and can be accessed at any time as an introduction or refresher of ANAO’s Risk Management Framework. Deficiencies in expertise are to be covered by supervised on-the-job training or the use of appropriately trained service providers.

Insurance

When conducting the annual review of the risk register, the ANAO insurance arrangements with Comcover are considered an integral part of the process. This includes consideration of any insurance claims made during the preceding period.

Communication and consultation

This framework has been developed in consultation with Service Groups and support areas within the ANAO, and is also based on our knowledge and discussions with stakeholders and auditees.

Contact officer

Any queries about risk management in the ANAO should be directed to the SED, CMG or to the Director, Governance.

Appendices

Appendix A Overview of the link between the ANAO business objectives and strategic and operational risks

Appendix B ANAO risk assessment and treatment process

The following procedures are to be undertaken in line with the risk management process outlined for the identification and treatment of strategic and operational risks when tasked with the performance of an ANAO risk assessment.

Identifying the risk

Identifying the risk involves generating a list of risks that could impact the ANAO’s objectives regardless of their source and whether these risks are under the control of the ANAO. This often requires thinking “outside of the box” to avoid missing potential threats or opportunities.

Analysing risk

Analysis includes:

  1. Identifying whether the risks are immediate, medium or long term as this can assist in planning for the appropriate treatment, setting priorities and allocating resources.
  2. Categorising the risk according to common types, as this may allow similar risk areas to be considered simultaneously and similar treatments or monitoring to be developed as a means of consolidating resources and effort.

    Common types of risks are described in the table below:

    Table A.1: Common types of risks7

    Type of risk

    Description

    Reputational

    Risks to the ANAO’s reputation, or to the reputation of the Australian government as a whole.

    People

    Risks associated with engaging and managing human resources.

    Financial and systems

    Risks associated with financial controls and systems.

    Security/Privacy

    Risks to the ANAO’s security and the privacy of information resources maintained by the ANAO.

    Technical

    Risks associated with managing assets.

    Compliance/Legislation

    Risks associated with meeting legal and regulatory obligations.

    Business continuity

    Risks to the ANAO continuing its business activities in an emergency.

    Fraud

    Risks associated with preventing or detecting fraudulent activity.


  3. Establishing the likelihood and consequence of each risk.

    Each identified risk is to be analysed against two criteria, the likelihood of the risk happening and the consequence of the risk occurring, first without existing controls in place and then with existing controls in place.

    Reviewing management strategies for each risk before considering its likelihood and consequences provides clarity around:

    • when the risk is likely to occur and when the impact would eventuate;
    • what possible courses of action are available to manage the risk;
    • what pre-planning can be undertaken ahead of the risk occurring; and
    • whether a contingency plan to manage the risk should be developed.

    Understanding the existing controls in place, and analysing these together with the likelihood and consequences of each risk, enables informed decisions to be made about which risks require treatment and their relative priorities.

    The ANAO uses the following five categories to analyse the likelihood and impact of its strategic and operational risks:

    Figure A.1: Categories used for analysing the likelihood of risks

    The ANAO uses the following five categories to analyse the consequences of its strategic and operational risks:

    Figure A.2: Categories used for analysing the consequence of risks

    The above definitions are to be used for the likelihood and consequence analysis of all risk assessments.

    Evaluating risk

    Once the likelihood and consequences of a particular risk have been established, strategic and operational risks are evaluated using the ANAO’s Risk Rating Matrix. The Matrix can be used by all Service Groups to evaluate risks and determine how they are to be managed.

    Figure A.3: ANAO risk rating matrix


    Evaluating risks should not only consider the likelihood of the risk occurring and consequences associated with the risk, but should also give due consideration to the ANAO’s risk appetite and tolerance for particular categories of risks and the uncertainties associated with the risk.

    Risk appetite is the amount of risk an entity is willing to accept or retain in order to achieve its objectives. It is a statement or series of statements that describes the entity’s attitude toward risk taking.8 The ANAO’s risk appetite and tolerances for its strategic and operational risks are summarised in Table 1.1 of this document.

    Risk is defined as the ‘effect of uncertainty on objectives’.9 Uncertainty, like the likelihood and consequence of the risk, needs to be factored into the evaluation process. Uncertainty associated with a risk relates to what we don’t know (“gaps”) that affects the actual risk.

    Key considerations to note with regard to uncertainty include10:

    • that uncertainty may be the most significant factor associated with risk;
    • determining whether the amount of uncertainty can be “calculated” … or specified in more general terms; and
    • that some uncertainties can be reduced or eliminated with additional information, whilst others will need to be accepted as identified gaps.

    The objective of assessing the amount of uncertainty associated with the risk is to identify as much of what we don’t know as possible, noting that the uncertainties we don’t know about could inadvertently increase the risk rating to “unacceptable” without the appropriate risk treatment strategies put in place.

    Risk response strategy

    Risk response strategy involves selecting one or more options to modify or manage the identified risks. Options can include:

    • reducing the likelihood of a risk event occurring through mitigation strategies;
    • monitoring the risk after informed consideration, which may include removing the source of the risk; and
    • accepting the risk and putting in place mitigating strategies in order to pursue an opportunity.

    In selecting risk response strategy, consideration needs to be given to balancing the costs and efforts of implementation against the potential benefits derived.

    Risk monitoring and review

    The aim is to maintain visibility of the significant business risks to ensure they receive appropriate attention to prevent an adverse outcome. The risk that remains after all controls are in place (including EBOM scrutiny) is the residual risk. The residual risk for every risk needs to be acceptable to the Auditor-General. An acceptable risk is one where the Auditor-General considers the controls are adequate and reasonable to prevent an adverse outcome.

    Monitoring and review of identified risks and implemented treatments includes:

    • assessing whether the conditions associated with a risk have changed since the prior review, and whether these changes have affected the likelihood and consequence, and therefore the risk rating, of that risk;
    • ensuring identified controls and mitigation strategies remain effective and efficient;
    • incorporating lessons learnt from recent risk events, organisational changes, trends, successes and failures into implemented treatments;
    • taking account of organisational changes and their impact on existing risks, including their controls and treatments; and
    • identifying emerging risks.

    Footnotes

    1 The Standard also defines risk as the ‘effect of uncertainty on objectives’. It also notes that: an effect is a deviation from the expected — positive and/or negative; objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organisation-wide, project, product and process); risk is often characterised by reference to potential events and consequences, or a combination of these; and risk is often expressed in term of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

    2 Commonwealth Risk Management Policy, Department of Finance, July 2014, p. 15.

    3 Deloitte Insights, Risk Culture: Three Stages of Continuous Improvement, http://deloitte.wsj.com/riskandcompliance/2013/05/21/risk-culture-three-...

    4 Mulgan, G and Albury, D. Innovation in the Public Sector: Enabling Better Performance, Driving New Directions, December 2009.

    5 People and Change Committee; IT Strategic Committee; Quality Committee; Security Committee; Work Health and Safety Committee; Weekly Operations Committee; and the Finance Committee.

    6 The Committees monitor and review the risk response strategy (with options to: Reduce; Monitor; or Accept) and the residual risk trend (see below key) and keep a record of the current status in the risk register:

    7 Adapted from the ANAO Better Practice Guide: Public Sector Governance, June 2014.

    8 Commonwealth Risk Management Policy, Department of Finance, July 2014

    9 Commonwealth Risk Management Policy, Department of Finance, July 2014, pg 8

    10 John Schmidt presentation to the APS forum, December 2014