ANAO risk management policy statement 2019–21

The effective management of risks plays an important role in shaping the ANAO’s strategic direction, contributes to evidence-based decision-making and is critical to the successful delivery of the ANAO’s purpose: to support accountability and transparency in the Australian Government sector through independent reporting to the Parliament and thereby improve public sector performance.

The ANAO’s Risk Management Framework is based on adherence to the International Standard on Risk Management, ISO 31000:2018. This standard defines risk as ‘the effect of uncertainty on objectives’. Within the ANAO context this is the possibility of an event or activity having an adverse impact to such an extent that it prevents the ANAO from achieving its purpose and outcomes.

Recognising that the ANAO generally has a low risk appetite regarding its business-critical activities, the ANAO will also look to increase its engagement with risk in order to support innovation and a more positive risk management culture within the office. The objective of the Risk Framework is to support effective risk management across all operations.

Effective risk management requires senior executives and staff to understand the business risks in their area and actively manage those risks as part of their day-to-day activities. All staff have a role in managing risk and it is important that all members of the ANAO are familiar with the Risk Framework. To provide for the maintenance of an effective risk management program the ANAO is committed to ensuring:

  • Risk management is an integral part of ANAO planning and decision-making processes.
  • There is a consistent approach to the management of risks across ANAO.
  • Roles, responsibilities and accountabilities are clearly defined.
  • All staff with risk management roles and responsibilities are provided with the necessary authority to undertake these responsibilities.
  • All staff with risk management roles and responsibilities are provided with the necessary skills to undertake these responsibilities.
  • The resources necessary to achieve the policy outcomes are allocated.
  • Communication within ANAO’s stakeholder community in relation to the identification and management of risk is promoted and encouraged.

The ANAO accepts that, on occasions, even with sound risk management practices, things may go wrong. On such occasions, we will take the opportunity to review the reasons for the failure and endeavour to further strengthen controls to reduce the likelihood of a reoccurrence.

Grant Hehir



Purpose and scope

The purpose and scope of the Risk Framework is to:

  • articulate the ANAO’s Risk Management Policy;
  • provide an overview of the risk management processes adopted by the ANAO;
  • define the key attributes and objectives for the ANAO’s risk culture;
  • describe roles and responsibilities for managing risk; and
  • outline the process for reporting on risk and ongoing monitoring and review.

The Enterprise Risk Register (ERR) identifies and assesses relevant strategic and operational risks and provides further details on the identified risks. The ERR is maintained by the Corporate Management Group (CMG) on behalf of the Executive Board of Management (EBOM).


The objective of the Risk Framework and associated programs of risk management activities is to support effective risk management across all ANAO operations. This will be achieved by working towards risk:

  • being an integral part of all planning and decision-making processes both in the strategic planning and operational review capabilities;
  • being consistently managed across all operations; and
  • management having clearly defined roles, responsibilities and accountabilities.

The ANAO’s purpose and objective

The purpose of the Australian National Audit Office (ANAO), as outlined in the ANAO’s 2017–18 Corporate Plan, is to support accountability and transparency in the Australian Government sector through independent reporting to the Parliament, and thereby contribute to improved public sector performance.

The effective management of risks plays an important role in shaping the ANAO’s strategic direction, and thereby the successful delivery of the ANAO’s purpose. Changes in the ANAO’s operating environment can impact the ANAO’s risk management approach and the risk rating or risk tolerance for specific risks, and may directly affect the ANAO’s ability to achieve its purpose. Damage to our reputation is the single most important consequence should our risk management fail in a significant way, as it goes to the core of the way we conduct our business and our integrity as a professional audit organisation.

Environment and context

Critical to delivering against the ANAO’s purpose is anticipating and responding to changes in a dynamic operating environment. The corporate plan provides context by setting out key aspects of the operating environment and should be consulted as part of the risk analysis process. Considering risk during the ANAO corporate and group business planning processes allows us to set realistic delivery timelines for strategies/activities or to choose to remove a strategy/activity if the associated risks are deemed to be at an unacceptable level. The ANAO governance committees manage enterprise level risks through the ERR and in accordance with the Risk Framework.

Risks in relation to audit are governed by audit standards that are incorporated into the ANAO Audit Manual. Financial statement audits are undertaken across an estimated 240 agencies annually and performance audits are conducted on selected agencies according to the ANAO’s annual audit work program.

The ANAO has a framework of policies supported by Auditor-General’s Instructions, processes and behaviours established to ensure it meets its intended purpose, conforms to legislative and other requirements, and meets expectations of probity, accountability and transparency. The ANAO’s commitment to high ethical and professional standards underpins the quality of its work.

For audit professionals, independence is an element central to the quality of each audit. It is the avoidance of circumstances that could compromise any member of the audit team’s ability to act with integrity and exercise objectivity and professional scepticism. The ANAO Auditing Standards and the ANAO Independence Policy require staff and contractors engaged in audits to comply with the independence provisions of the Accounting Professional & Ethical Standards Board’s APES 110 Code of Ethics for Professional Accountants. Any threat to independence must be evaluated and safeguards applied to reduce the threat to an acceptable level. Situations where a threat cannot be reduced to an acceptable level are not entered into or allowed to continue.

Key terms

The following terminology applies throughout the Risk Framework and reflects both the ISO 31000:2018 Standards and ANAO vocabulary.


Business as usual

Operations in reference to all ongoing operational activities.

This term does not provide an assessment of the activities but refers to the ongoing regular or automated application of processes, guidance and instruction.


Consequence

Outcome of an event affecting objectives (ISO 31000:2018).

A consequence can be certain or uncertain and can have positive or negative, direct or indirect effects on objectives.

Consequences can be expressed qualitatively or quantitatively.

Any consequence can escalate or decline in impact severity over time.


Control

Measure that maintains and/or modifies risk (ISO 31000:2018).

Controls include, but are not limited to, any process, policy, device, practice, or other conditions and/or actions that maintain and/or modify risk.

Controls may not always exert the intended, or assumed, modifying effect.


Event

Occurrence or change of a particular set of circumstances (ISO 31000:2018).

An event can have one or more occurrences, and can have several causes and several consequences.

An event can also be something that is expected which does not happen, or something that is not expected which does happen.

An event can be a risk source.

Enterprise risk

Overarching risks, derived from considerations associated with the ANAO's purpose, delivery expectations and resource requirements.

Risk assessment

The process of risk identification, analysis and evaluation.

Risk assessments can be formal or informal. Informal assessments are typically undertaken by subject matter experts and decision makers when considering the governance a decision may require. A risk assessment involves assessing risk events to determine the required response.


Incident

An event that has occurred that has taken the ANAO outside its tolerances/risk appetite.


Likelihood

Chance of something happening (ISO 31000:2018).

Likelihood is used to refer to the chance of something happening. It can be defined or measured objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).


Mitigation

Measures or actions that effect a change in the impact or the likelihood of a risk event.

Risk treatments are typically referred to as mitigations and the terms may be used interchangeably, i.e. a risk treatment plan and a risk mitigation plan both aim to effect a change in the impact or likelihood.

When a treatment or mitigation has been deployed as planned it becomes a control.

Operational risk

A risk that may eventuate within the ANAO's operations and control.


Risk

The effect of uncertainty on objectives (ISO 31000:2018).

An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.

Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.

Risk acceptance

An informed decision to accept the consequences and the likelihood of a particular risk.

Risk analysis

A process to comprehend the nature of risk and to determine the level of risk (AS/NZS ISO 31000:2009).

Risk avoidance

An informed decision to withdraw from, or to not become involved in, a risk situation.

Risk identification

Process of finding, recognising and describing risks (AS/NZS ISO 31000:2009).

Risk management

Coordinated activities to direct and control an organisation with regard to risk (ISO 31000:2018).

Risk owner

Person or entity with the accountability and authority to manage a risk (AS/NZS ISO 31000:2009).

Risk register

A risk register provides a repository for recording each risk and its attributes, evaluation and treatments.

Risk source

Element which alone or in combination has the intrinsic potential to give rise to risk (AS/NZS ISO 31000:2009).

Risk treatment

Process to modify risk (AS/NZS ISO 31000:2009).

See mitigation.

Shared risk

A risk with no single owner, where more than one entity is exposed to or can significantly influence the risk (Commonwealth Risk Management Policy).


Stakeholder

Person or organisation that can affect, be affected by, or perceive themselves to be affected by, a decision or activity (ISO 31000:2018).

Strategic risk

A risk that may eventuate outside of the ANAO's control with consequences for the ANAO achieving its purpose and objectives.


Risk Management Framework

The Risk Framework has been developed to assist the Auditor-General to meet the requirements of Section 16(a) of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the Commonwealth Risk Management Policy issued by the Department of Finance. It follows the International Standard on Risk Management ISO 31000:2018 (ISO 31000).

The methodologies applied in its creation are aligned with ISO 31000 and included:

  • consultative workshops;
  • control identification and verification;
  • targeted survey; and
  • direct staff engagement.

Staff and committees at all levels influence risk management. A visual representation of the relationship between the Risk Framework and the existing operational oversight structure is shown in Figure 1.

Figure 1: Integration of the Risk Framework and the ANAO operational oversight structure

Integration of the Risk Framework and the ANAO operational oversight structure, includes strategic planning, operational oversight and assurance measures

Strategic planning includes establishing the ANAO's appetite and tolerance for risk and setting the tone for risk management within all other policies and guidance material. In this manner, risk can be managed effectively by all staff within their delegated decision making capacity.

Risk is owned by a hierarchy of risk owners aligned to the urgency defined in the risk rating. The risk appetite and tolerance set at the strategic level determine what level of management intervention is required. The Risk Framework allows operational decision making based on a consistent application of the risk appetite and tolerance of the Auditor-General and the Executive Board of Management (EBOM).

The ANAO's enterprise level risks, ratings, appetite and tolerance are captured in the following table:

Enterprise Risk Register

For each enterprise risk the register records: Risk Rating; Risk Tolerance; Risk Accepted Y/N; Risk Mitigation Plan.

  1. The ANAO's capacity for independent reporting is reduced.
  2. Parliament questioning the ANAO's ability to execute its mandate. (Strategic/Stakeholder relationship)
  3. ANAO not meeting the Auditing Standards. (Operational/Compliance & Quality)
  4. ANAO forming inaccurate audit opinions. (Operational/Compliance & Quality)
  5. Entities no longer cooperating with the ANAO.
  6. ANAO's financial capacity for delivering audits is reduced.
  7. Technology environment not capable of supporting the ANAO in working efficiently. (Operational/Business Continuity)
  8. ANAO unable to meet staff resourcing requirements. (Operational/Business Continuity)
  9. ANAO staff behave inconsistently with ANAO values and behaviours.
  10. ANAO failing to protect sensitive information resulting in access by unauthorised parties.
  11. ANAO failing to protect sensitive information resulting in loss.
  12. Operational transformation fails to deliver gains expected.
  13. Fraud incident impacts on the ANAO.


Risk management guidance

The Risk Framework is the primary source of guidance on managing operational risk and is supported by the ERR. The register is a live document reflective of the current risk mitigation and control framework. Risk analysis tools are available from CMG. The procedural guidance material and policies endorsed by EBOM guide staff in proactively identifying and assessing risk in all activities.

Risk management in ANAO audits is governed by the ANAO Auditing Standards 2018. The associated guidance material for these standards is adopted into audit work through specific policies. For both performance audits and financial statement audits the ANAO Audit Manual contains risk guidance applicable to audit or assurance work. Figure 2 represents this intersection of guidance.

Figure 2: Informed decision making

Flow chart about informed decision making: Includes risk management framework; informed decision making; audit manual and business as usual guidance material

How risk management is currently embedded into existing business processes

Risk management is built into business as usual practices with the aim of using consistent language, approaches and documentation across all levels of the organisation. The Risk Framework is supported by and developed having regard to the following documents:

  • ANAO Audit Manual and Auditing Standards, which includes the Independence Policy;
  • ANAO Quality Framework;
  • ANAO Parliamentary Engagement Strategy;
  • ANAO Procurement Policy;
  • ANAO Work Health and Safety Policies;
  • ANAO Protective Security Policy Framework; and
  • ANAO Business Continuity Management Planning Guidelines.

Risks need to be managed in the context of achieving organisational goals and objectives and should include consideration of positive aspects of risk management (opportunities) as well as negative ones (threats). While all staff contribute to the way risks are managed, senior staff in key positions are expected to have a clear view of the risk treatment (where applied) and its effectiveness in operation.

Roles and responsibilities

Key roles and responsibilities for the management of risk are shown in the table below.


Roles and responsibilities


Champion the Risk Management Program by overseeing reports on all risks with residual rating of ‘medium’ and above.

Endorse the Risk Framework and oversee its implementation.

Define risk appetite and tolerance every two years or as required.

Be the risk owner for ‘extreme’ risks and associated mitigation plans.

Consider risks as part of corporate planning processes.

Receive reporting on the control environment for enterprise risks and risk mitigation plans.

Demonstrate and promote a risk management culture.

Deputy Auditor-General


The risk owner for all risks below ‘extreme’.

Receive reporting on the control environment for enterprise risks and risk mitigation plans.

Regularly monitor risks as part of a standing agenda item for governance committees.

Demonstrate and promote a risk management culture.

Support the Executive and the Audit Committee in their risk management roles and responsibilities.

Senior Executive Director Corporate Management Group


Support the Executive and the Audit Committee in their risk management roles and responsibilities.

Conduct an annual review of all elements of the Risk Management Program for effectiveness.

Facilitate monitoring of control effectiveness.

Maintain the Enterprise Risk Register on behalf of EBOM.

Develop and maintain a risk reporting framework to enable regular reporting of key risks, and the management of those risks, to senior management.

Establish that risk management processes are applied consistently across groups.

Ensure risk management is incorporated into internal staff training programs.

Periodically update risk management guidance online via Audit Central.

Audit Committee

Review whether there is a current and comprehensive risk management system in place including associated procedures for effective identification and management of strategic and operational risks.

Assess the impact of the Risk Framework on its control environment and insurance arrangements.

Monitor implementation of risk management or mitigation plans.

Satisfy itself that risk assessments undertaken have applied the appropriate resources to the analysis and research supporting the assessments.

Determine whether a sound and effective approach has been followed in establishing business continuity planning arrangements, including whether business continuity and disaster recovery plans have been periodically updated and tested.

Group executive directors (GEDs) and senior executive directors (SEDs)

GEDs and SEDs endorse or prepare service group risk reports as required, which involve periodic monitoring and review of the risk environment.

Executive directors (EDs) (signing officers)

Ensure that appropriate risk management practice is an integral part of audit program activity and certify that requirements of the Risk Framework have been met in the conduct of the audit.

Ensure implementation of controls within their branch and/or areas of responsibility.

Audit managers

Promote a positive risk management culture within the service group/branch.

Professional Services and Relationships Group

Provide quality assurance services that ensure audits comply with the risk requirements of the Audit Manual.

Assess emerging risks identified across audits in line with the Risk Framework.

Chief Finance Officer

Ensure that the appropriate level of insurance cover is maintained for all identified risks where there is an insurable consequence.

Review the Fraud Control Framework for compliance with PGPA Act requirements.

Director, Risk (or Senior Director, Strategy and Change)

Day-to-day management of risk on behalf of SED CMG.

Develop and maintain the Risk Framework and associated Enterprise Risk Register on an annual and as-needs basis.

Coordinate reporting for governance committees on identified risks.

Deliver training and targeted support to areas with high risk exposure.

Champion risk management in all areas of operations.

Risk owners

The risk owner is the person assigned the responsibility for the day-to-day management of a risk, including completing a formal risk assessment on identified risks.

Risk owners are responsible for the overall coordination of the management of the risk, including:

  • providing assurance that controls are effective;
  • ensuring mitigation plans are progressing into controls;
  • monitoring the environment to identify any indicators that the risk might eventuate; and
  • reporting as required under the Risk Framework.

All staff (including contractors and outsourced service providers)

Understand and adhere to all procedural and policy guidance relevant to the role they are performing.

Report incidents to managers as they become aware of them.

Understand the risks being managed in their area of operation either through direct identification and assessment, or by gaining an understanding of the relevance of activities to risk management from their manager.

Internal audit

Perform in-depth reviews of key controls mitigating enterprise level risks, reporting to the Audit Committee and EBOM.

Include risk management focus into all audits where risks are being managed and assess the management of those risks against the Risk Framework.

Provide a means through which EBOM can monitor the application of the Risk Framework across major projects and procurements.


Risk governance

The Auditor-General takes advice from EBOM into account when approving the Risk Framework and ERR and determining the ANAO’s appetite and tolerance for risk. The Risk Framework identifies specific responsibilities for key personnel across the ANAO and the ERR assigns owners for each enterprise level risk. In addition, all ANAO staff have a general responsibility to practice active risk management.

The Professional Services and Relationships Group and the audit service groups have primary responsibility for managing audit risk. Each individual audit work plan assesses operational risks and mitigation strategies and risk is assessed at all audit review points. Responsibility for managing operational audit risk is assigned to responsible senior executives and audit managers.

ANAO governance committees

The ANAO has a clearly defined governance framework that supports and provides structure to the management of the Office and its resources. The corporate governance framework and related organisational capability support the ANAO’s:

  • achievement of its purpose;
  • compliance with relevant laws, standards and directions; and
  • ability to meet public expectations of probity, accountability and transparency.

EBOM ensures organisational accountability and transparency through oversight of the established standing committees. All standing committees provide oversight to specific areas of strategic operations and are responsible for identifying and managing risk on an ongoing basis. Committees report to EBOM through summary reports and meeting minutes. Figure 3 shows the committee structure in the ANAO.

The Audit Committee provides independent assurance and advice to the Auditor-General on topics including:

  • the appropriateness of the ANAO’s financial and performance reporting;
  • systems of risk oversight and management; and
  • systems of internal control.

Figure 3: ANAO governance committee framework

Includes the Auditor-General, the Executive Board of Management and various committees

ANAO’s risk identification and treatment process

Risk identification

The aim of risk identification is to develop a comprehensive list of events that may occur and, if they do, are likely to have an impact on the objectives of the ANAO. The main objective of risk analysis is to separate the minor acceptable risks from the major ones, and to provide data to assist in the evaluation and treatment of the risk.

Risk assessments identify risks by using a combination of established methods consistent with ISO 31000, typically a combination of desk-based review and stakeholder engagement. The ERR outlines and describes the ANAO’s enterprise level risks across all groups and is available on Audit Central.

The Risk Framework requires that risk assessments be undertaken in all key activities including when:

  • planning and conducting audits;
  • assessing specific work health and safety implications or concerns;
  • conducting significant procurement activities;
  • undertaking business continuity and disaster recovery planning; and
  • assessing protective security requirements.

All risk assessments and risk ratings will be documented consistently across all groups using the format on Audit Central. Controls embedded within current business processes are identified as part of the risk evaluation process.

Following a risk analysis the risk rating determines the risk owners and required reporting obligations. The risk owner is responsible for deciding if a formal assessment is required and if so, which methods and information will be relied on. The risk owner is also responsible for ensuring the assessment is captured, control owners identified and any mitigating risk treatments applied.

Table 1 identifies the risk owners and mitigation requirements based on the risk rating.

Table 1: Risk rating and actions

Extreme
  Action required: Unacceptable level of risk; the activity should stop immediately while a mitigation plan is developed. Requires immediate escalation to EBOM. A mitigation plan owner is assigned, with weekly reporting to the risk owner on control effectiveness and mitigation plan/s.

High
  Action required: Acceptable level of risk, providing controls are in place to reduce risk to as low as reasonably possible. Allocated to a control owner with monthly reporting to EBOM on control assurance or mitigation plan/s.
  Risk owner: Deputy Auditor-General

Medium
  Action required: Risk managed by an established, tailored control regime and reported quarterly to EBOM.
  Risk owner: Group executive director or senior executive director

Low
  Action required: Risk managed by routine controls and reviewed annually or after significant change.
  Risk owner: All staff and contractors


Risk treatment

Risk treatment is a risk modification process. It involves selecting and implementing one or more treatment options. Once a treatment has been implemented it becomes a control. Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived.

Where risk treatment options impact stakeholders, those stakeholders will be involved in the decision. The treatment plan should clearly identify the priority order in which individual risk treatments should be implemented. Figure 4 shows the most commonly used treatment options in risk management.

Figure 4: Typical risk treatment options. Source: ISO 31000

Includes avoid; remove the source; change probabilities; modify the consequences; increase to pursue an opportunity; retain via informed decision; and share the exposure

The ANAO’s risk appetite and tolerance

Risk appetite is the amount of risk that the ANAO is willing to accept or retain in order to achieve the ANAO’s objectives. Risk tolerance is the level of risk taking acceptable to EBOM to achieve a specific objective or manage a category of risk. The Auditor-General and EBOM have a low risk appetite. The ERR displays the risk tolerance for each identified risk rather than categories of risk. Activities that may result in a change to the existing assessment will be escalated in line with the Risk Framework.

As part of the risk evaluation process consideration should be given to risk tolerance, consequences and likelihood before selecting a risk treatment approach. Further information on the steps involved in evaluating identified risks is available through the risk analysis tools available from CMG.

Shared risks

The ANAO does not usually engage in activities that involve shared inter-entity or cross-jurisdictional risks. An exception to this is the ANAO’s capacity building activities to the Audit Board of the Republic of Indonesia (BPK) and the Auditor-General’s Office of Papua New Guinea (AGO). These activities are managed through a partnership agreement with the Department of Foreign Affairs and Trade (DFAT). Risks related to these activities are shared with DFAT and managed through regular meetings, joint committees, advice and updates on any potential security risks to the ANAO’s deployed staff and DFAT’s engagement of in-country security service providers.

The Auditor-General and the ANAO engage with other jurisdictions’ Auditors-General on risks in the public sector environment which may impact on the successful delivery of audit mandates. The ANAO identifies factors with potential to change its operating environment, preparing anticipatory responses where changes will affect the way the ANAO operates. These changes include those impacting accounting and audit standards. Being an active member of associations such as the Australasian Council of Auditors-General (ACAG) and the International Organization of Supreme Audit Institutions (INTOSAI) helps manage this risk in a shared manner, whilst providing many ancillary benefits for cross-jurisdictional learning and collaboration.

Risk culture

The ANAO aims to foster a positive risk culture. Risk culture refers to the set of shared attitudes, values and behaviours that characterise how an entity considers risk in its day to day activities. A positive risk culture promotes an open and proactive approach to managing risk that considers both threat and opportunity and is one where risk is appropriately identified, assessed, communicated and managed across all levels of the entity.

Senior management and other identified individuals are responsible for driving the risk culture through initiatives and processes. All senior staff should proactively provide feedback through normal reporting channels on external interactions with key stakeholders regarding areas of potential risk. Every employee also has a role to play in contributing positively to this culture.

It is important to note that risk influences the outcome of all work undertaken by the ANAO and that all staff understand, accept and manage risk as part of their everyday decision-making processes.

Figure 5 provides an overview of the attributes of a strong risk culture, the initiatives undertaken by the ANAO to foster a strong risk culture, and the associated responsibilities of all staff to contribute to this culture.

Figure 5: Attributes of a strong risk culture, and staff responsibilities

Includes commonality of purpose, values and ethics; universal adoption and application; a learning organisation; and timely, transparent and honest communications

Maintaining a culture of risk awareness

All staff and contractors should be familiar with the risks identified in the ERR, available through Audit Central, and how they apply to the decision being considered. The ERR addresses risk in relation to:

  • work health and safety;
  • fraud;
  • protective security;
  • other operational risks; and
  • strategic risks.

Staff and contractors should remain vigilant and continuously scan their environment for new risks and re-assess existing risks relative to their environment.

In the first instance staff should raise any suggestions relating to new or identified ANAO risks with their executive director and CMG, who will liaise with the appropriate risk owner as necessary.

All staff are required to complete a component of risk management training. A focus of this training is to improve awareness and identification of the differences between the risk to achieving the ANAO’s corporate plan objectives and the risks impacting the agencies being audited.

An eLearning module on risk management is available to all staff. This module can be accessed at any time as an introduction or refresher of the Risk Framework. All staff are required to complete this eLearning module annually.

The CMG will provide face-to-face training for staff undertaking risk management duties or performing a risk assessment (formal or informal). Additional training on audit-specific risks will be mandatory for auditors upon commencement in the role and every year thereafter on a refresher basis.

Consultation and communication

The Risk Framework has been developed in consultation with:

  • senior executive leaders;
  • governance committees and the Audit Committee; and
  • representatives of all affected stakeholder groups including quality control, professional development, human resources and the agency security advisor.

Integration, monitoring and reporting

Reporting is a critical part of this Risk Framework and provides the Executive with an awareness of how the Office is progressing against the risk management objectives. It also provides the information necessary for managers to make risk-informed decisions. ANAO governance committees monitor and review enterprise risks. These committees report to EBOM on a regular basis through committee meeting minutes and a quarterly review of the ERR.

Risks rated as ‘High’ or above and strategic category risks are monitored by EBOM and the Audit Committee. The risk owners have responsibility for monitoring reports and directing resources to risk mitigation strategies and integrating these into existing processes. CMG will provide advice and will coordinate the reporting on identified enterprise risk mitigation treatments.

The management of audit risk is governed by audit standards in the Audit Manual. Compliance with the ANAO audit standards and the Audit Manual is reviewed as part of regular quality assurance processes that are considered at the Quality Committee and through to EBOM. Internal Audit undertakes a rolling program of audits and provides insights into risk management within the audit reports prepared for the Audit Committee.

Monitoring and review process

To sustain this Risk Framework in accordance with the Commonwealth Risk Management Framework, it requires ongoing monitoring and review to ensure that:

1. The policy and register are reflective of the ANAO’s internal and external environment.

2. The risk management objectives have been achieved, or are progressing satisfactorily.

3. Reports provide the information necessary for decision making and continuous improvement.

4. Risk management contributes to the ANAO’s purpose.

Staff are expected to monitor risks. Training appropriate to the role supports staff to feel confident in escalating any perceived risks to their manager or an EBOM member. Audit risk is actively monitored and reviewed by audit teams on an ongoing basis and reported to the Executive at key milestones during audit delivery in accordance with the ANAO Audit Manual.

CMG coordinates monitoring of assessed risk by service groups. Monitoring includes capturing significant changes to the annual risk analysis and reporting to EBOM as appropriate.

EBOM and its sub-committees have formal roles in monitoring risks across the ANAO. Each sub-committee meets on a quarterly basis and has a standing agenda item to review relevant risks and identify any control issues. Monitoring is captured in the respective minutes and reported to EBOM.

Strategic and operational risks are reviewed annually.

The risk appetite and tolerance are reviewed every two years by the Executive to gain consensus across the Office and are translated through a tolerance (target) rating in the ERR.

Assessing risk management performance

The measurement of risk management performance will involve two activities:

1. Measuring compliance - this provides assurance that staff are complying with the Risk Management Policy directives.

2. Measuring maturity - this measures the maturity of the Risk Management Framework against the Comcover maturity survey and the APSC employee census results.

Evaluating the Risk Framework

The ANAO is committed to continuous improvement. Evaluating the Risk Framework will typically be undertaken after assessing performance through the annual reviews outlined above and will consider whether the Risk Framework is:

  • achieving its purpose;
  • being implemented as planned; and
  • changing the culture and behaviours expected.

Evaluation will be supported by data gathered through the APSC employee census, through reporting to ANAO governance committees and through reviewing the outcomes of internal audits.

When conducting the annual review of the risk register the ANAO insurance arrangements with Comcover are considered an integral part of the process. This includes consideration of any insurance claims made during the preceding period.

Contact Officer

Any queries about risk management in the ANAO should be directed to the Director, Risk in CMG.