The objective of the Risk Framework and its associated risk management activities is to support effective risk management across all ANAO operations.

I. ANAO Risk Management Policy 2022–24

The purpose of the Australian National Audit Office is to support accountability and transparency in the Australian Government sector through independent reporting to the Parliament, and thereby contribute to improved public sector performance.

Understanding, adapting and responding to changes in our operating environment is critical to delivering on the ANAO’s purpose. To respond to these changes within our environment, and enable considered decision-making, we must identify, assess and manage emerging risks. Effective risk management is fundamental to achieving our purpose and improving our performance — and is a responsibility of all ANAO employees.

Risk management plays an important role in shaping the ANAO’s strategic direction, contributes to evidence-based decision-making and is embedded into business-as-usual practices. The ANAO also recognises the fundamental link between the nature of auditing and risk management — where auditing is about applying risk thinking to what is being presented, to guide risk allocation appropriately. To support risk management across the organisation, the ANAO has established a Risk Management Framework.

The ANAO’s Risk Management Framework is based on adherence to the International Standard on Risk Management, ISO 31000:2018. This standard defines risk as ‘the effect of uncertainty on objectives’. In the context of the ANAO, this is the possibility of an event or activity having an adverse impact to such an extent that it prevents the ANAO from achieving its purpose and outcomes.

The framework is also consistent with the Commonwealth Risk Management Policy. The Commonwealth Risk Management Policy supports the requirements of section 16 of the Public Governance, Performance and Accountability Act 2013 which requires accountable authorities of entities to establish and maintain systems and appropriate internal controls for the oversight and management of risk.

The ANAO’s approach to managing risk (the Risk Management Framework) identifies why we undertake risk management and how ANAO employees are expected to do so. The framework integrates risk management practices into governance practices; informal and formal decision making; business-as-usual and audit activities; and within the ANAO’s strategic business planning, policy advice and project management.

Overall, the ANAO has a low risk appetite in its business-critical activities. The ANAO Risk Management Framework is reviewed biennially, while our Enterprise Risk Register acts as a ‘live’ document that is continually updated to reflect our risks and operating environment. The framework and register are regularly reported on within ANAO subcommittees, and to the Executive Board of Management (EBOM) and Audit Committee. The ANAO’s ongoing approach to monitoring risk enables the Executive to implement mitigation plans and introduce additional controls to bring enterprise risks rated above our tolerance levels back to an acceptable level.

The Risk Management Framework allows the ANAO to proactively engage with enterprise and operational risk. Proactive and open engagement with risk helps to foster a positive risk culture. A positive risk culture — which encourages experimentation, risk, trial and error — is supported by our workplace behaviours and the ANAO’s values of excellence, integrity and respect.

Grant Hehir
Auditor-General

II. Overview of ANAO Risk Management Documents

ANAO Risk Management Policy

The ANAO Risk Management Policy (the policy) is a key element required by the Commonwealth Risk Management Policy and is important to ensuring a shared understanding of risk across the ANAO.

The policy defines our organisational approach to risk management and links the ANAO’s Risk Management Framework to our purpose, strategic planning framework and objectives. In addition, the policy defines the ANAO’s risk appetite and risk tolerance; and contains an outline of the key accountabilities and responsibilities for managing and implementing the ANAO’s Risk Management Framework. The policy is endorsed by the Auditor-General.

The policy also recognises the fundamental link between the nature of auditing and risk management — where auditing is about applying risk thinking to what is being presented, to guide risk allocation appropriately.

ANAO Risk Management Framework

The purpose of the ANAO Risk Management Framework (the framework) is to set out how risk management is embedded across the ANAO for all business operations and decision-making. The framework outlines the relevant components and arrangements that enable the ANAO to design, implement, monitor, review and continually improve risk management across the organisation. The framework has been developed to assist the Auditor-General to meet the requirements set out in section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the Commonwealth Risk Management Policy (issued by the Department of Finance).

The Commonwealth Risk Management Policy supports the requirements of section 16 of the PGPA Act, which requires accountable authorities of entities to establish and maintain an appropriate system of risk oversight and an appropriate system of internal control for the entity. Under the Commonwealth Risk Management Policy, non-corporate Commonwealth entities must comply with several elements, which reflect the fundamentals of effective risk management. The framework has been designed to reflect these requirements and in addition, to meet the standards set out in the International Standard on Risk Management — ISO 31000:2018 (ISO 31000).

ANAO Enterprise Risk Register

The framework is supported by the Enterprise Risk Register (ERR). The ERR identifies, outlines and assesses relevant strategic and operational risks of the ANAO. The ERR is a ‘live document’ — reflective of the current risk mitigation and control framework. The ERR is maintained by the Corporate Management Group (CMG) on behalf of EBOM. The latest, endorsed version of the ERR can be found on the ANAO website.

ANAO Risk Analysis Tools

The ERR is supported by the ANAO’s Risk Analysis Tools. The tools outline a Risk Evaluation Matrix, which uses two additional assessment tools (a consequence rating scale and a likelihood analysis scale) to assist in classifying the risk rating assigned to each risk within the ERR. The risk evaluation matrix applies a rating based on the analysis of likelihood and consequence.

1. ANAO Risk Management Framework

The ANAO Risk Management Framework (the framework) — including the ANAO Risk Management Policy and the ANAO Enterprise Risk Register — enables the ANAO to identify, respond to, and manage risk.

The framework sets out how risk management is embedded across the ANAO for all business operations and decision-making — across all levels of staff. It outlines the relevant components and arrangements that enable the ANAO to design, implement, monitor, review and continually improve risk management across the organisation. In accordance with the Commonwealth Risk Management Policy, the framework includes:

  • a summary of the ANAO’s approach to risk management;
  • details on the application of the framework (including the ANAO’s risk appetite and tolerance);
  • details on how the ANAO manages shared risks;
  • details on the ANAO’s strong and positive risk culture;
  • details on the management of the framework; and
  • a summary of the key roles and responsibilities in managing risk.

1.1 Legislation and Resources

The framework has been designed in accordance with:

1.2 Consultation

The ANAO Risk Management Policy, Risk Management Framework and Enterprise Risk Register have been developed in consultation with: EBOM members and other ANAO Senior Executive Staff; ANAO governance committees (see Figure 1); the ANAO Audit Committee; and key representatives from stakeholder groups representing quality control, professional development, human resources, and the agency security advisor. The consultation methodologies applied within this framework align with the requirements set out in ISO 31000.

The ANAO Risk Management Framework is endorsed by the Auditor-General.

1.3 Contact Officer

Any queries about ANAO risk management should be directed to the Senior Executive Director, Corporate Management Group (CMG).

2. ANAO Approach to Risk Management

2.1 Purpose, environment and context

The purpose of the Australian National Audit Office is to support accountability and transparency in the Australian Government sector through independent reporting to the Parliament, and thereby contribute to improved public sector performance.

Risk management within the ANAO is one of our core strengths, supported by multi-level and independent review across all major audits, procurements, and projects. Risk is integrated into our governance structure through our subcommittees. The chair of each subcommittee ensures that risks are sufficiently managed, analysed, captured, reported, and efficiently escalated (as required) to the Auditor-General.

EBOM continually monitors the environment in which the ANAO operates, adjusting the ANAO’s appetite and tolerance as necessary. The ANAO’s ongoing approach to monitoring risk enables EBOM to implement mitigation plans. Risk mitigation plans strengthen existing controls and introduce additional controls to bring enterprise risks rated above our tolerance levels back to an acceptable level.

The Audit Committee, supported by the ANAO’s internal audit function, receives all internal audit reports and directs senior leaders to provide information (as necessary) so that it can satisfy itself that risk is being actively managed. The committee provides advice and assurance, and reports directly to the Auditor-General.

The Auditor-General takes the advice of EBOM and the Audit Committee and establishes the ANAO’s appetite and tolerance for risk and oversees the implementation of the framework. Operational risk management occurs in line with the defined roles and responsibilities outlined in this framework, while the Enterprise Risk Register assigns owners and tolerances for identified enterprise-level risks. All ANAO staff have a general responsibility to practise active risk management — a responsibility that staff are prepared for through ongoing training.

The importance of risk management to good governance is underpinned by the accountability provisions applying to the ANAO under the PGPA Act. Key aspects of the ANAO’s governance and risk management environment are:

  • section 16 of the PGPA Act, which requires the ANAO to establish and maintain appropriate governance systems and internal controls for the oversight and management of risk within the ANAO;
  • the Commonwealth Risk Management Policy (2014) and RMG 211 — Implementing the Commonwealth Risk Management Policy;
  • Protective Security Policy Framework;
  • the ANAO’s Corporate Plan and Annual Performance Statements (sections 35 and 39 of the PGPA Act);
  • the Auditor-General’s Instructions and Procedural Guidance (section 110 of the PGPA Act);
  • organisation-wide (enterprise/strategic) plans (e.g., ANAO Audit Manual, Business Continuity Plan, Workforce Plan, WHS Plan, COVID-Safe Plan, Fraud Control Plan, Group Plans and Project Plans); and
  • individual performance agreements.

2.2 Risk management and the strategic planning framework

The ANAO considers that effective management of risk is integral to achieving its purpose. Risk management is embedded within the ANAO’s strategic planning framework.

Figure 1: ANAO’s strategic planning framework

    All elements of the ANAO’s strategic planning framework include a consideration of the ANAO’s appetite and tolerance for risk. Understanding the ANAO’s appetite and tolerance for risk is critical to setting the risk management tone within ANAO enabling frameworks (i.e., policies, procedures and guidance materials). The ANAO uses a clear and consistent tone to support staff to understand the relationship between the strategic planning framework and their individual roles and responsibilities in managing risk through effective decision making.

    2.3 ANAO governance structure and other risk-related documents

    The Auditor-General takes advice from EBOM when establishing the Risk Management Framework and the ERR, and when determining the ANAO’s appetite and tolerance for risk. The framework identifies specific responsibilities for key positions (primarily senior executive staff) across the ANAO, while the ERR assigns control owners for each enterprise risk. In addition, all ANAO staff have a general responsibility to practise active risk management and support a positive risk culture.

    The Professional Services and Relationships Group and the audit service groups have primary responsibility for managing audit risk. Each individual audit work plan assesses operational risks and mitigation strategies, and risk is assessed at all audit review points. Responsibility for managing operational audit risk is assigned to the responsible engagement executive.

    ANAO governance committees

    The ANAO’s governance structure and practices support the Auditor-General in the effective oversight of the organisation in delivering its purpose.

    In practice, EBOM ensures organisational accountability and transparency through oversight of its subcommittees. All subcommittees provide oversight to specific areas of strategic operations and are responsible for identifying and managing risk on an ongoing basis (as outlined within subcommittee terms of reference). ANAO subcommittees are required to be aware of and consider enterprise level risks through the ANAO’s ERR, in accordance with the Risk Management Framework. Committees report to EBOM through summary reports and meeting minutes.

    All ANAO business-as-usual procedural guidance materials and policies are endorsed by EBOM. Procedural guidance materials assist staff to proactively identify and assess risk in all activities, supporting informed decision-making.

    Audit Committee

    The Audit Committee provides independent assurance and advice to the Auditor-General, including reviewing the appropriateness of the ANAO’s financial and performance reporting, systems of risk oversight and management, and systems of internal control.

    Corporate plan and annual report

    The corporate plan is the ANAO’s primary planning document and sets out how we will achieve our purpose over a four-year period. The corporate plan is complemented by the annual audit work program, which reflects the ANAO’s audit strategy and deliverables for the coming financial year.

    The corporate plan articulates the purpose of the ANAO and the environment within which the ANAO expects to operate. It outlines our intended capability investments, including the plans and strategies we will implement to achieve our purpose. The plan also details the planned activities and performance of the ANAO, including the measures we use to assess our performance. It also provides an overview of the ANAO’s risk oversight and management systems.

    The corporate plan is regularly considered as a part of the risk analysis process. Consulting the corporate plan allows the setting of realistic delivery timelines for strategies and key deliverables against the broader view of our operating environment. The ANAO reports on its performance through its annual report.

    ANAO Audit Manual and policies

    Risk management within ANAO audits is governed by the ANAO Auditing Standards. The associated guidance material for these standards is adopted into audit work through specific policies. For performance audits, financial statement audits and performance statement audits, the ANAO Audit Manual contains risk guidance applicable to audit and assurance work.

    For the ANAO, independence is an element central to the quality of each audit. Independence is both institutional and individual. It reflects the position of the Auditor-General (and the ANAO) as set out in the Auditor-General Act 1997. It requires the avoidance of circumstances that could compromise any audit team member’s ability to act with integrity and exercise objectivity and professional scepticism. The ANAO Auditing Standards and the ANAO Independence Policy require staff and contractors engaged in audits to comply with the relevant independence provisions of the Accounting Professional & Ethical Standards Board’s APES 110 Code of Ethics for Professional Accountants.

    The ANAO’s commitment to high ethical and professional standards underpins the quality of its work. Any threat to independence must be evaluated and safeguards applied to reduce the threat to an acceptable level.

    2.4 Embedding risk management

    The ANAO’s management of risk is embedded into existing business processes (including business-as-usual practices) by using consistent language, approaches, and documentation. The application and embedding of risk management across the ANAO is supported by the following documents:

    • ANAO Audit Manual and Auditing Standards, including the Independence Policy;
    • ANAO Quality Framework and plan;
    • ANAO Parliamentary Engagement Strategy;
    • ANAO Procurement Policy;
    • ANAO Work Health and Safety Policies;
    • ANAO Protective Security Policy Framework;
    • ANAO Integrity Framework;
    • ANAO Business Continuity Management Planning Guidelines; and
    • ANAO Pandemic Action Plan.

    3. Application of the Framework

    3.1 Applying the framework

    Risks need to be managed in the context of achieving organisational objectives and should include consideration of positive aspects of risk management (opportunities) as well as negative aspects (threats).

    The framework is the primary source of guidance for staff in managing operational risk. The framework has been designed to support staff to:

    • understand how the ANAO identifies, responds to, and manages risk;
    • understand the connection between the Risk Management Policy and Framework, Enterprise Risk Register and Risk Analysis Tools; and
    • understand, accept, and manage risk as part of their everyday decision-making processes.

    3.1.1 Defining the ANAO’s risk appetite and tolerance (including Risk Appetite Statement)

    Risk appetite is the amount of risk an entity is willing to accept or retain to achieve its objectives. It is a statement or series of statements that describes the entity’s attitude towards risk taking. The ANAO’s risk appetite is captured within the ANAO’s Risk Management Policy and the ANAO’s Risk Appetite Statement. Both elements capture what the ANAO’s Executive consider to be acceptable risk-taking.

    The ANAO has a low risk appetite.

    Risk tolerance is the level (or levels) of risk taking acceptable to achieve a specific objective or manage a category of risk. Risk tolerance represents the practical application of risk appetite and is typically aligned to categories of risk such as strategy, financial, people or reputation.

    While risk appetite usually involves qualitative statements, risk tolerance operationalises the statements by using quantitative measures where possible, to better enable monitoring and review. Risk appetite sets the tone for risk taking in general, whilst tolerance informs:

    • expectations for mitigating, accepting and pursuing specific types of risk;
    • boundaries and thresholds of acceptable risk taking; and
    • actions to be taken or consequence for acting beyond approved tolerances.

    The ANAO’s risk tolerance is captured within our Enterprise Risk Register, against our strategic and operational risks.

    3.1.2 Variations in risk rating and risk tolerance within the Enterprise Risk Register

    EBOM recognises that, in some instances, within the Enterprise Risk Register there may be overall risk evaluations that result in the risk rating being higher than the established risk tolerance.

    Where the risk rating is higher than the risk tolerance within the Enterprise Risk Register, EBOM must consider this variation and, if it is accepted, document both the acceptance and the risk treatment in the EBOM minutes.

    ANAO Risk Appetite Statement

    The purpose of the Australian National Audit Office is to support accountability and transparency in the Australian Government sector through independent reporting to the Parliament, and thereby contribute to improved public sector performance. The Parliament and public sector have high expectations of us. Effectively engaging with and managing risk is central to achieving our purpose, and key to meeting parliamentary and community expectations.

    At the ANAO, we have determined that our appetite for risk is low. We recognise that in some circumstances it is not possible or desirable to eliminate all risk and through accepting some degree of risk we can seize opportunities, promote efficiencies and support innovation. Our risk appetite is the level and type of risk we are willing to accept to achieve our objectives. It describes our attitude towards risk taking and helps us to understand what constitutes acceptable risk taking in our day-to-day work and in achieving our strategic priorities.

    Grant Hehir
    Auditor-General

    3.2 Understanding the Enterprise Risk Register and Risk Analysis Tools

    The framework is supported by the Enterprise Risk Register (ERR). The ERR outlines relevant strategic and operational risks of the ANAO. For each risk, the ERR records: the risk; the category of risk (e.g., strategic, operational, legislative); causes; controls; control owner; likelihood rating; consequence rating; risk rating; risk tolerance; risk acceptance; and, where necessary, the risk mitigation plan and risk mitigation plan owner. The ERR is supported by the ANAO Risk Analysis Tools. The tools provide:

    • a five-by-five risk evaluation matrix (aligned to the ANAO’s operating environment);
    • a consequence rating scale (qualitative tool), a likelihood analysis (quantitative tool) and a control effectiveness analysis; and
    • a guide to determining the appropriate action required (including reporting requirements) based on the risk evaluation matrix.

    The ERR assigns control owners who are responsible for reporting to EBOM, the Chief Risk Officer and the Auditor-General on a schedule determined by the severity of the risk rating.

    3.3 Identifying and treating risk

    Risk identification

    The aim of risk identification is to develop a comprehensive list of events that may occur and, if they do, are likely to have an impact on the objectives of the ANAO. Risk identification includes an initial risk assessment, followed by an initial risk analysis.

    Risk assessments identify risks by using a combination of established methods, which may include (but are not limited to) environmental scanning, consultation, and root cause analysis. The framework requires that risk assessments be undertaken in all key activities, including when:

    • planning and conducting audits including reporting to the Parliament;
    • assessing specific work health and safety implications or concerns;
    • conducting significant procurement activities;
    • undertaking major or significant projects;
    • undertaking business continuity and disaster recovery planning; and
    • assessing protective security requirements.

    The main objective of risk analysis is to separate the minor, acceptable risks from the major ones, and to provide data to assist in the assessment, evaluation, and treatment of the risk. Controls embedded within current business processes are identified as part of the risk evaluation process. There should be evidence that each control effectively modifies the risk.

    Following a risk analysis, the risk rating determines the risk owners and required reporting obligations (Table 1). The risk owner is then responsible for deciding if a formal assessment is required and if so, which methods and information will be relied on. The risk owner is also responsible for ensuring the assessment is documented, control owners identified, and any mitigating risk treatments applied.

    Risk treatment

    Risk treatment is a risk modification process. It involves selecting and implementing one or more treatment options. Once a treatment has been implemented it becomes a control. Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits.

    Where risk treatment options impact stakeholders, those stakeholders will be involved in the decision-making process. The treatment plan should clearly identify the priority order in which individual risk treatments should be implemented. The most commonly used treatment options in risk management include: avoid; remove the source; change the likelihood; modify the consequences; increase the risk to pursue an opportunity; retain by informed decision; and share the exposure.

    While all staff contribute to the way risks are managed, senior staff in key positions are expected to have a clear view of the risk treatment (where applied) and its effectiveness in operation.

    Table 1: Risk rating, actions, and risk owners

    Risk rating: Extreme
    Action required: Unacceptable level of risk; the activity should stop immediately while a mitigation plan is developed. Requires immediate escalation to EBOM. A mitigation plan owner is assigned, with weekly reporting to the risk owner on control effectiveness and mitigation plan/s.
    Risk owner: Auditor-General

    Risk rating: High
    Action required: Acceptable level of risk, providing controls are in place to reduce the risk to as low as reasonably possible. Allocated to a control owner, with monthly reporting to EBOM on control assurance or mitigation plan/s. This reporting is also supplied to the Audit Committee for noting.
    Risk owner: Deputy Auditor-General

    Risk rating: Medium
    Action required: Risk managed by an established, tailored control regime and reported quarterly to EBOM.
    Risk owner: Group Executive Directors or Senior Executive Directors (SADA and CMG)

    Risk rating: Low
    Action required: Risk managed by routine controls and reviewed annually or after significant change.
    Risk owner: All staff and contractors

    4. Shared Risks

    The ANAO does not generally engage in activities that involve shared inter-entity or cross-jurisdictional risks. An exception to this is the ANAO’s capacity building activities with the Audit Board of the Republic of Indonesia (BPK) and the Auditor General’s Office of Papua New Guinea (AGO). These activities are managed through a partnership agreement with the Department of Foreign Affairs and Trade (DFAT). Risks related to these activities are shared with DFAT and managed through regular meetings; joint committees; advice and updates on any potential security risks to the ANAO’s deployed staff; and DFAT’s engagement of in-country security service providers.

    The Auditor-General and the ANAO engage with other jurisdictions’ Auditors-General on risks in the public sector environment which may impact on the successful delivery of audit mandates. The ANAO identifies factors with potential to change its operating environment, preparing anticipatory responses where changes will affect the way the ANAO operates. These changes include those impacting accounting and audit standards. Being an active member of associations such as the Australasian Council of Auditors-General (ACAG) and the International Organisation of Supreme Audit Institutions (INTOSAI) helps manage this risk in a shared manner, whilst providing many ancillary benefits for cross-jurisdictional learning and collaboration.

    5. Risk Culture

    Risk culture refers to the shared attitudes, values and behaviours that characterise how an entity considers risk in its day-to-day activities. The ANAO aims to foster a positive risk culture. A positive risk culture promotes an open and active approach to managing risk — it considers both ‘threat’ and ‘opportunity’ and enables all staff across the entity to appropriately identify, assess, communicate and manage risk.

    Senior management and other identified individuals are responsible for supporting a positive risk culture through initiatives and processes. All senior staff should actively provide feedback through normal reporting channels on external interactions with key stakeholders regarding areas of potential risk. It is important that all staff (including contractors) understand, accept, and manage risk as part of their everyday decision-making processes.

    Initiatives

    Figure 2 outlines the initiatives undertaken by the ANAO to foster a strong and positive risk culture and the associated responsibilities of all staff in supporting this culture.

    5.1 Maintaining a culture of risk awareness

    All staff and contractors should be familiar with the ANAO’s approach to risk management — including the risks identified in the ERR. All staff and contractors should continuously scan their environment for new risks and reassess existing risks relative to their environment. In the first instance, staff should raise any suggestions relating to new or identified risks with their executive director and/or CMG — who will liaise with the appropriate risk owner as necessary.

    5.2 Mandatory and refresher training

    All staff are required to complete mandatory risk management training. A focus of this training is to improve awareness and identification of the differences between the risk to achieving the ANAO’s corporate plan objectives and the risks impacting the agencies being audited. An eLearning module on risk management is available to all staff and must be completed annually. This module can be accessed at any time as an introduction or refresher of the ANAO Risk Management Framework.

    CMG can provide face-to-face training for staff undertaking risk management duties or performing a risk assessment (formal or informal). Additional training on audit specific risks will be mandatory for auditors upon commencement in the role and every year thereafter on a refresher basis.

    Figure 2: Attributes of a strong and positive risk culture

    A matrix explaining the four main elements of a strong and positive risk culture.

    6. Managing the Framework

    6.1 Reporting processes

    Reporting is a critical part of the framework. Reporting provides EBOM with awareness of how the ANAO is progressing against risk management objectives and supports managers to make informed decisions. Reporting on enterprise risks primarily occurs through EBOM subcommittees. All EBOM subcommittees provide oversight to specific areas of strategic operations and are responsible for identifying and managing risk on an ongoing basis. ANAO subcommittees manage enterprise level risks through the ANAO’s ERR and in accordance with the framework. Subcommittees report to EBOM through summary reports and meeting minutes. This reporting is supported by regular reviews of the ERR.

    Risks rated as ‘High’ or above and strategic category risks are monitored by EBOM and the Audit Committee. The risk owners have responsibility for monitoring reports and directing resources to risk mitigation strategies and integrating these into existing processes. CMG coordinates high-level reporting on the ERR and the progress of risk mitigation strategies.

    The management of audit risk is governed by the audit standards in the Audit Manual. Compliance with the ANAO audit standards and the Audit Manual is reviewed as part of regular quality assurance processes that are considered by the Quality Committee and reported through to EBOM. The ANAO Quality Report is published annually on the ANAO website; its purpose is to present the ANAO’s assessment of the implementation and operating effectiveness of the elements of the ANAO Quality Assurance Framework and plan.

    Internal Audit undertakes a rolling program of audits and provides insights into risk management within the audit reports prepared for the Audit Committee.

    6.2 Monitoring processes

    The ANAO takes an integrated approach to the monitoring of risks across the organisation, building the monitoring of risks into existing business processes and ANAO enabling frameworks (i.e., policies, procedures and guidance materials). Risks are continually monitored by EBOM, the Audit Committee, governance subcommittees and ANAO staff, in alignment with the ANAO governance structure and with the key roles and responsibilities outlined within the framework.

    6.3 Review and evaluation processes

    To ensure that this framework is maintained in accordance with the Commonwealth Risk Management Framework, it requires ongoing monitoring and review.

    Reviews of the framework ensure that:

    • the policy and register are reflective of the ANAO’s internal and external environment;
    • the risk management practices are effective;
    • reports provide the information necessary for decision making and continuous improvement; and
    • risk management continues to effectively contribute to achieving the ANAO’s purpose.

    A full review of the framework (including risk appetite and tolerance) is conducted every two years — and includes a review of the ANAO Risk Management Policy, ANAO Risk Management Framework and the ANAO Risk Analysis Tools. The Enterprise Risk Register (including strategic and operational risks) is reviewed annually. There is a mid-year review by EBOM of the effectiveness of controls implementation.

    Review processes related to risk are coordinated by CMG, in consultation with Senior Executive Staff — including the Executive Board of Management (EBOM); Chief Risk Officer; ANAO governance committees; Audit Committee; and key representatives from stakeholder groups representing quality control, professional development, human resources, and the agency security advisor.

    6.3.1 Evaluating the ANAO Risk Management Framework

    The ANAO is committed to continuous improvement. Evaluating the Risk Management Framework (and related documents such as the Risk Management Policy, Risk Analysis Tools and Enterprise Risk Register) is a key component of the review process.

    Evaluations focus on whether the documents are:

    • achieving their intended purpose;
    • being implemented as planned; and
    • changing the culture and behaviours as expected.

    Evaluations are supported by data gathered through the APSC Employee Census, reporting to EBOM and governance subcommittees, and review of internal audit outcomes.

    6.3.2 Assessing risk management performance

    The measurement of risk management performance involves two key activities — measuring compliance and measuring maturity.

    • Measuring Compliance: This provides assurance that staff are complying with the Risk Management Policy directives (assisted by internal audits into compliance). A report on the percentage of staff who have completed mandatory training is generated by CMG at the end of each month and is provided to the SED CMG, all GED/SEDs and the Learning & Development Working Group. The completion of all mandatory training by staff is also a requirement of the ANAO Performance and Career Development Policy and Procedures. Staff are required to confirm they have completed all mandatory training when recording the outcomes of their end of cycle discussions with their manager. Staff who have not completed all mandatory training are not able to complete the annual performance cycle.
    • Measuring Maturity: This measures the maturity of the Risk Management Framework against the Comcover Benchmarking Survey and the APSC Employee Census results.

    6.3.3 Insurance

    When conducting the annual review of the ERR, the ANAO also reviews organisational insurance arrangements with Comcover. This is an integral part of the review process and includes consideration of any insurance claims made during the preceding period.

    7. Roles and responsibilities

    Key roles and responsibilities for the management of risk are shown below, listed by position.

    Auditor-General

    • Overall responsibility for establishing and maintaining the ANAO’s risk management framework.
    • Endorses the Risk Management Framework.
    • Defines risk appetite and tolerance every two years or as required.
    • Is the risk owner for ‘extreme’ risks and associated mitigation plans.
    • Considers risks as part of corporate planning processes.
    • Receives reporting on the control environment for enterprise risks and risk mitigation plans.
    • Demonstrates and promotes a risk management culture.

    Deputy Auditor-General (Chief Risk Officer)

    • The risk owner for all risks below ‘extreme’.
    • Receives reporting on the control environment for enterprise risks and risk mitigation plans.
    • Regularly monitors risks as part of a standing agenda item for governance committees.
    • Supports the Auditor-General and the Audit Committee in their risk management roles and responsibilities.
    • Leads the design, implementation and embedding of risk policies and frameworks within the ANAO.
    • Demonstrates and promotes a positive risk management culture through communication and consultation.
    • Oversees the continuous improvement of risk management capability and awareness across the ANAO.

    Senior Executive Director Corporate Management Group (SED CMG)

    • Supports the Executive (including Auditor-General, Deputy Auditor-General and EBOM) in their risk management roles and responsibilities.
    • Facilitates the monitoring of control effectiveness.
    • Maintains the Enterprise Risk Register on behalf of EBOM.
    • Maintains a risk reporting framework to enable regular reporting of key risks, and the management of those risks, to senior management.
    • Ensures risk management is incorporated into internal staff training programs.
    • Monitors the completion of mandatory training for all staff.
    • Ensures that the appropriate level of insurance cover is maintained for all identified risks where there is an insurable consequence.

    Group Executive Directors (GEDs) and Senior Executive Directors (SEDs)

    • Supports the review of the ANAO Risk Management documents including: ANAO Risk Policy, Risk Management Framework, Enterprise Risk Register and Risk Analysis Tools.
    • Maintains key responsibilities in the ‘controls’ which are detailed within the Enterprise Risk Register.
    • Supports the implementation and embedding of risk policies and frameworks within the ANAO through leadership.
    • Promotes a positive risk management culture throughout the ANAO.
    • Oversees the continuous improvement of risk management capability and awareness across the ANAO.

    Executive Directors (EDs; Signing officers)

    • Ensures that appropriate risk management practice is an integral part of audit program activity and certifies that requirements of the Risk Management Framework have been met in the conduct of the audit.
    • Ensures implementation of controls within their branch and/or areas of responsibility.

    Audit Managers

    • Promotes a positive risk management culture within the service group/branch.

    Professional Services and Relationships Group

    • Provides quality assurance services that ensure audits comply with risk requirements of the Audit Manual.
    • Assesses emerging risks identified across audits in line with the Risk Management Framework.

    Chief Finance Officer

    • Supports SED CMG to ensure that the appropriate level of insurance cover is maintained for all identified risks where there is an insurable consequence.
    • Reviews the Fraud Control Framework for compliance with PGPA Act requirements.

    Senior Director, Corporate Strategy and Change

    • Day-to-day management of risk on behalf of SED CMG.
    • Develops and maintains the key documents associated with risk including the Risk Management Policy, Risk Management Framework, Enterprise Risk Register and Risk Analysis tools.
    • Conducts a review of the Risk Management Framework every two years and an annual (or as-needed) review of the Enterprise Risk Register.
    • Coordinates reporting for governance committees on identified risks.
    • Provides targeted support (including training options) to areas with high-risk exposure.

    Risk owners

    • The risk owner is the person assigned responsibility for the day-to-day management of a risk, including completing a formal risk assessment on identified risks.
    • Risk owners are responsible for the overall coordination of the management of the risk, including:
        • providing assurance that controls are effective;
        • ensuring mitigation plans are progressing into controls;
        • monitoring the environment to identify any indicators that the risk might eventuate; and
        • reporting as required under the Risk Management Framework.

    All staff (including contractors and outsourced service providers)

    • Understands and adheres to all procedural and policy guidance relevant to the role they are performing.
    • Reports incidents to managers as they become aware of them.
    • Understands the risks being managed in their area of operation either through direct identification and assessment, or by gaining an understanding of the relevance of activities to risk management from their manager.
    • Required to undertake and complete all mandatory training as determined by the ANAO.

    Audit Committee

    • Reviews whether there is a current and comprehensive risk management system in place including associated procedures for effective identification and management of strategic and operational risks.
    • Determines whether a sound and effective approach has been followed in establishing business continuity planning arrangements, including whether business continuity and disaster recovery plans have been periodically updated and tested.

    Internal Audit

    • Performs in-depth reviews on key controls mitigating enterprise level risks reporting to the Audit Committee and EBOM.
    • Includes a risk management focus in all audits where risks are being managed, and assesses the management of those risks against the Risk Management Framework.
    • Provides a means through which EBOM can monitor the application of the Risk Management Framework across major projects and procurements.

    8. Key Terms

    The following terms and definitions apply throughout the Risk Management Framework and reflect both the ISO 31000:2018 standard and ANAO vocabulary.

    BAU

    Business as usual operations in reference to all ongoing operational activities.

    • This term does not provide an assessment of the activities but refers to the ongoing regular or automated application of processes, guidance, and instruction.

    Consequences

    Outcome of an event affecting objectives (ISO 31000:2018).

    • A consequence can be certain or uncertain and can have positive or negative, direct, or indirect effects on objectives.
    • Consequences can be expressed qualitatively or quantitatively.
    • Any consequence can escalate or decline in impact severity over time.

    Control

    Measure that maintains and/or modifies risk (ISO 31000:2018).

    • Controls include, but are not limited to, any process, policy, device, practice, or other conditions and/or actions that maintain and/or modify risk.
    • Controls may not always exert the intended, or assumed, modifying effect.

    Event

    Occurrence or change of a particular set of circumstances (ISO 31000:2018).

    • An event can have one or more occurrences and can have several causes and several consequences.
    • An event can also be something that is expected which does not happen, or something that is not expected which does happen.
    • An event can be a risk source.

    Enterprise Risk

    Overarching risks, derived from considerations associated with the ANAO’s purpose, delivery expectations and resource requirements.

    Risk Assessment

    The process of risk identification, analysis and evaluation.

    • Can be formal or informal. Informal assessments are typically undertaken by subject matter experts and decision makers when considering the governance a decision may require.
    • Involves an assessment of risk events to determine the required response.

    Issue/Incident

    An event that has occurred that has taken the ANAO outside its tolerances/risk appetite.

    Likelihood

    Chance of something happening (ISO 31000:2018).

    • Likelihood is used to refer to the chance of something happening. It can be defined or measured objectively or subjectively, qualitatively, or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).

    Mitigation

    Measures or actions that effect a change in the impact or the likelihood of a risk event.

    • Risk treatments are typically referred to as mitigations, and the two terms are used interchangeably: a risk treatment plan and a risk mitigation plan both aim to effect a change in impact or likelihood.
    • When a treatment or mitigation has been deployed as planned it becomes a control.

    Operational Risk

    A risk that may eventuate within the ANAO’s operations and control.

    Risk

    The effect of uncertainty on objectives (ISO 31000:2018).

    • An effect is a deviation from the expected. It can be positive, negative or both, and can address, create, or result in opportunities and threats.
    • Risk is usually expressed in terms of risk sources, potential events, their consequences, and their likelihood.

    Risk Acceptance

    An informed decision to accept the consequences and the likelihood of a particular risk.

    Risk Analysis

    A process to comprehend the nature of risk and to determine the level of risk (AS/NZS ISO 31000:2009).

    Risk Avoidance

    An informed decision to withdraw from, or to not become involved in, a risk situation.

    Risk Identification

    Process of finding, recognising and describing risks (AS/NZS ISO 31000:2009).

    Risk Management

    Coordinated activities to direct and control an organisation with regard to risk (ISO 31000:2018).

    Risk Owner

    Person or entity with the accountability and authority to manage a risk (AS/NZS ISO 31000:2009).

    Risk Register

    A Risk Register provides a repository for recording each risk and its attributes, evaluation, and treatments.

    Risk Source

    Element which alone or in combination has the intrinsic potential to give rise to risk (AS/NZS ISO 31000:2009).

    Risk Treatment

    Process to modify risk (AS/NZS ISO 31000:2009).

    • See Mitigation.

    Shared Risk

    A risk with no single owner, where more than one entity is exposed to or can significantly influence the risk. (Commonwealth Risk Management Policy)

    Stakeholder

    Person or organisation that can affect, be affected by, or perceive themselves to be affected by, a decision or activity (ISO 31000:2018).

    Strategic Risk

    A risk that may eventuate outside of the ANAO’s control with consequences for the ANAO achieving its purpose and objectives.


    Appendices

    Appendix 1 Enterprise Risk Register

    Table A.1: Enterprise Risk Register

    Columns: Risk; Category; Risk rating; Risk tolerance; Risk accepted (Y/N); Risk Mitigation Plan.

    1. The ANAO’s capacity for independent reporting is reduced.
       Category: Strategic/Legislative. Risk rating: Low. Risk tolerance: Low. Risk accepted: Yes. Risk Mitigation Plan: (blank).

    2. Parliament questioning the ANAO’s ability to execute its mandate.
       Category: Strategic/Stakeholder relationship. Risk rating: Medium. Risk tolerance: Medium. Risk accepted: Yes. Risk Mitigation Plan: (blank).

    3. The ANAO is unable to deliver expected targets (in accordance with Parliament’s expectation and established performance measures).
       Category: Strategic/Stakeholders. Risk rating: Medium. Risk tolerance: Medium. Risk accepted: Yes. Risk Mitigation Plan: (blank).

    4. The ANAO issues an incorrect audit opinion or an audit opinion not supported by sufficient evidence.
       Category: Operational/Compliance/Quality. Risk rating: Medium. Risk tolerance: Low. Risk accepted: No. Risk Mitigation Plan: (blank).

    5. Entities not fully cooperating with the ANAO.
       Category: Operational/Compliance. Risk rating: Low. Risk tolerance: Low. Risk accepted: Yes. Risk Mitigation Plan: (blank).

    6. ANAO unable to meet resourcing requirements.
       Category: Operational/Business Continuity. Risk rating: Medium. Risk tolerance: Low. Risk accepted: Yes. Risk Mitigation Plan: (blank).

    7. ANAO staff behave inconsistently with ANAO values and behaviours.
       Category: Operational/Compliance. Risk rating: Low. Risk tolerance: Low. Risk accepted: Yes. Risk Mitigation Plan: (blank).

    8. ANAO failing to protect sensitive information resulting in access by unauthorised parties and/or loss of data.
       Category: Operational/Security. Risk rating: Low. Risk tolerance: Low. Risk accepted: Yes. Risk Mitigation Plan: (blank).